Cisco Bug: CSCun31191 - Unused signing certificate is not removed from trust store

Last Modified

Jul 24, 2017

Products (1)

  • Cisco Unified Communications Manager IM & Presence Service

Known Affected Releases

9.1(2)

Description (partial)

Symptom:
The Inter-cluster peer troubleshooting section displays a signing certificate (either root or intermediate) in the Certificate Status section that is no longer in use by that Inter-cluster peer. "No longer in use" means that the peer node no longer has a certificate signed by that signing certificate for the indicated service (e.g. Cisco XMPP Service).

The Inter-cluster peer troubleshooting section can be found by navigating to Cisco Unified Communications Manager Instant Messaging & Presence Admin UI > Presence > Inter-Cluster > [Select a peer] and observing the Certificate Status section under Inter-cluster Peer Status.

Conditions:
The issue can occur when the following conditions occur together:
 1. More than one service is using certificates (i.e. tomcat, cup-xmpp, cup-xmpps-2s) that have been signed by a Certificate Authority (CA).
 2. One of the services reverts to using a self-signed certificate while another service continues to use the CA signed certificate.

These conditions can result in the signing certificate (for the service which reverted to using a self-signed certificate) not being removed from the system by the Cisco Intercluster Sync Agent during its automatically scheduled audit job.
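
The check below is an added example, not Cisco code or output: it flags signing certificates that a service still trusts although that service's own certificate no longer chains to them, which is the symptom described above. The per-service trust lists, the certificate names and the reduction of each certificate to a subject/issuer pair are assumptions made for illustration.

```python
from typing import Dict, List, Set

Cert = Dict[str, str]  # reduced to {"subject": ..., "issuer": ...}

def in_use_signers(leaf: Cert, trust: List[Cert]) -> Set[str]:
    """Subjects of trusted signing certs that the leaf actually chains to."""
    by_subject = {c["subject"]: c for c in trust}
    used: Set[str] = set()
    issuer = leaf["issuer"]
    if issuer == leaf["subject"]:
        return used  # self-signed leaf: no signing certificate is in use
    # Walk leaf -> intermediate(s) -> root; stop at a missing link or a
    # subject already visited (a root is its own issuer).
    while issuer in by_subject and issuer not in used:
        used.add(issuer)
        issuer = by_subject[issuer]["issuer"]
    return used

def stale_signers(leaves: Dict[str, Cert],
                  trust: Dict[str, List[Cert]]) -> Dict[str, List[str]]:
    """Per service, trusted signing certs with no leaf chaining to them."""
    report: Dict[str, List[str]] = {}
    for service, leaf in leaves.items():
        entries = trust.get(service, [])
        used = in_use_signers(leaf, entries)
        stale = sorted(c["subject"] for c in entries if c["subject"] not in used)
        if stale:
            report[service] = stale
    return report

# Constructed sample: tomcat is still CA-signed, cup-xmpp reverted to self-signed,
# but both services still hold the same root and intermediate in their trust lists.
ROOT = {"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA"}
INTER = {"subject": "CN=Example Issuing CA", "issuer": "CN=Example Root CA"}
LEAVES = {
    "tomcat": {"subject": "CN=imp-node.example", "issuer": "CN=Example Issuing CA"},
    "cup-xmpp": {"subject": "CN=imp-node.example", "issuer": "CN=imp-node.example"},
}
TRUST = {"tomcat": [ROOT, INTER], "cup-xmpp": [ROOT, INTER]}

if __name__ == "__main__":
    for service, subjects in stale_signers(LEAVES, TRUST).items():
        print(f"{service}: stale signing certificates: {', '.join(subjects)}")
```

A stale entry matters beyond the status display: as long as it stays in a trust list, certificates issued under that CA remain acceptable for that service.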