I’ve always struggled understanding certs – what each one does, what impact installing them will have on a production server, and when will users see error messages in their browser. So, when my CUPS server needed new certificates, I decided to document the process.
First, the certificates installed on my CUPS server:
tomcat: webpage access as well as some communication between CUCM and CUPS nodes.
ipsec: DRS backup/restore connection as well as some communication between CUCM and CUPS nodes.
cup: presence engine and SIP proxy connections; this is mainly messed with when SIP federation is being used.
cup-xmpp: XMPP connection between XMPP clients and CUPS.
cup-xmpp-s2s: XMPP connection between other XMPP servers and CUPS; this is only used with XMPP federation.
In general, certificates are a way to prove a website is who it really says it is. In the default configuration, CUPS generates “self signed certificates” – these are certs created by the server itself. If you are using self signed certs then users will receive the “this site’s certificate is untrusted” error message. To prevent this, you can install certificates that are signed by a trusted authority, either an external certificate authority (i.e. Verisign), or a certificate authority inside your organization.
The general process to sign these certs is as follows:
- Generate CSRs for relevant certificates.
- Submit CSRs to CA for signing.
- Upload root CA and any intermediary CA certs as -trust.
- Upload signed cert.
The CSR generation process is as follows:
- Go to CUPS OS Admin page.
- Go to Security > Certificate Management.
- Click Generate CSR.
- Select the cert you’d like to generate from the Certificate Name drop down menu, and click Generate CSR.
- Repeat step 4 with the remaining CSRs.
- Close this window.
- Back on the certificate management page, click Download CSR.
- Download the CSRs.
Submitting the CSR will vary depending on your signing CA, so it will be best to work with your signing CA for assistance with this.
Once the CA sends back the signed certs, you can then upload them to CUPS. Before you do so, however, you will need to upload the signing CAs root and intermediary certs first. You will need to get these certs from the signing CA. Once again, the process will vary depending on the CA so it will be best to work with them for help with this. Once you have all the required certs (signed CUPS cert as well as all root and intermediaries) the process is as follows:
- Go to CUPS OS Admin > Security > Certificate Management.
- Click Upload Certificate/Certificate chain.
- Select tomcat-trust from Certificate Name drop down, and then upload the root CA, then the intermediary CA certs.
- Select tomcat from the Certificate Name drop down, and then upload the signed tomcat cert.
- Repeat steps 3 and 4 for the rest of your certs, replacing tomcat-trust with new-cert-trust and tomcat with new-cert.
- Restart Tomcat and XCP Router services
utils service restart Cisco Tomcat
utils service restart Cisco XCP Router
Replacing certs on a secondary / subscriber CUPS server
Follow the same process above, except for step 6. Instead of doing step 6, first restart the XCP Router service and then restart the whole box.
The reason for the box restart is that it is possible for restarting the server after uploading the cup-xmpp cert to not properly refresh the XCP Router service, causing it still offer the old cert.
For more information on this process, please refer to the documentation:
Security certificate management