I keep hearing about many engineers out there with issues related to the UCCX certificates and the ECDSA certificate used by few services on UCCX. I wanted to create this quick post to help others and Document the procedure.
The certificates Overview
I will go back a bit to give you a quick overview on the UCCX certificates, but not too far back. UCCX uses Self-Signed certificates out of the box for Secure connectivity using your browser (Nothing new here) – However, since UCCX 11.5 there is a new Tomcat Certificate called Elliptic Curve Digital Signature Algorithm, ECDSA for short. If you want to find out more about these type of certificates feel free to visit this webpage
Here is an Image with the Certificate store
In other words these type of certificates, the ECDSA were not present before, and now they are (UCCX team thought was cool to add them some how).
The alternative if you don’t want to keep going down the road
So in case you either don’t want to keep reading, or just too cool for Signed Certificates, use the COP file for the ECDSA
The Defect is well documented under the BugID: CSCvb46250
Also go to this page to get a full explanation on the ECDSA – Check this Article
The Scenario or the Issue (Challenge… my own words)
You are a happy engineer, and you are planning a UCCX upgrade to 11.5, that is all cool and nice but you discover about these certificates. At this point you know how the story goes:
Find the closest CA available in your Environment
Go to Certificate Authority under Administrative Tools – Go under the Templates and Select it, Right click and Go to Manage
At this point the Certificate Templates will show up
Right click the Web Server Template and select Duplicate
*** Note that once you select this option, Windows will ask you if you want the Windows Server 2003 or the Windows Server 2008 versions… To save you some time, here is a little hint.
2003 version is what you use to publish the template under http://CA-SERVER/certsrv (Web Enrollment) when requesting an Advanced Certificate **This is the one you use to sign the certificate for your regular Tomcat Certificate
2008 version does not let you publish the certificate template over Web Enrollment **This is what you use to sign your Tomcat-ECDSA certificate
Select 2008, name your Template and go to the Cryptography TAB
At this point and before you move forward go to UCCX Os Administration and record all the requirements needed for the Tomcat-ECDSA certificate… in other words, this is what you will use to generate the certificate request. UCCX OS Administration –> Security –> Certificate Management
Click on the Generate CSR –> Select Tomcat-ECDSA and record the following:
***Make sure you Generate and Download the CSR, we will use it soon…
We will use this information to create our template, so go back to your Windows server and under the Cryptography TAB select the following:
Now under the Extensions TAB, select Make sure that under the Application Policies you have the following:
Click apply and go back to the Certification Authority window –> Right click the Certificate Templates and New –> Certificate Template to Issue
This operation does not add the certificate template to the Web enrollment page, but that is fine, because we are going to use the following method
Open Powershell with Admin rights (Right Click “Run as Administrator”) and enter the following:
C:\Users\admin\Desktop>certreq.exe –submit –attrib “certificateTemplate:ECDSACiscoServers” ecdsa.csr signed-ecdsa.cer
That line assumes that you saved the CSR with the .csr extension (if not do it) – It also assumes that you saved the .csr file to your Desktop and you are loged in with the adminitrator (If not, make sure you change the PATH) – Also assumes that the Certificate will also be saved to the Desktop (if not do it, just to make your life easier)
Go to UCCX and upload the ROOT certificate, not sure where to find it? Go to http://CA-SERVER/Certsrv
Make sure this one gets Uploaded to the Tomcats-Trust option
The certificate is now ready to be uploaded to the Certificate Store into UCCX ** Make sure you select Tomcat-ECDSA
If you already did the Tomcat certificate you are good to go, (if not, watch this Post/Video)but keep reading because if you only restart the Tomcat and the Finesse Tomcat service, the CUIC and other services will not work properly.
Restart the UCCX server or Servers for the changes to work properly
Now you are ready to enjoy a Secure session with no browsers giving you issues
What to look forward to?
I hope you have enjoyed the post and that it was helpful, if you have issues with this, please feel free to send me a quick message and I will do my best to get back with an answer
About the Author:
Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 13 years of experience, Andres is specialized in the Unified Communications and Collaboration technologies. Consulted for several companies in South Florida, also Financial Institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations including Cisco technologies; such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT Service provider infrastructures.
2 thoughts on “UCCX 11.5 Tomcat and Tomcat-ECDSA certificates for Cisco Finesse CUIC and the Admin Pages”
Great article ! Without your guide I would not have been able to issue this certificate
Many thanks !
This is excellent! Thank you. If both tomcat and tomcat-ECDSA Signed certificates need to get uploaded at the same time, does order matter? Which to upload first, tomcat or tomcat-ECDSA, given the Root is added first to -trust.