Cisco Bug: CSCun31191 - Unused signing certificate is not removed from trust store
Jul 24, 2017
- Cisco Unified Communications Manager IM & Presence Service
Known Affected Releases
Symptom: The Inter-cluster peer troubleshooting section displays a signing certificate (either root or intermediate) in the Certificate Status section that is no longer in use by that Inter-cluster peer. "No longer in use" means that the peer node no longer has a certificate signed by that signing certificate for the indicated service (e.g. Cisco XMPP Service).

The Inter-cluster peer troubleshooting section can be found by navigating to Cisco Unified Communications Manager Instant Messaging & Presence Admin UI > Presence > Inter-Cluster > [Select a peer] > Observe the Inter-cluster Peer Status, Certificate Status section.

Conditions: The issue can occur when the following conditions occur together:

1. More than one service is using certificates (e.g. tomcat, cup-xmpp, cup-xmpps-2s) that have been signed by a Certificate Authority (CA).
2. One of the services reverts to using a self-signed certificate while another service continues to use the CA-signed certificate.

These conditions can result in the signing certificate (for the service which reverted to using a self-signed certificate) not being removed from the system by the Cisco Intercluster Sync Agent during its automatically scheduled audit job.