Cisco Bug: CSCvu78005 - Tomcat RSA/ECDSA Keystore's doesn't update in all nodes when we replace existing CA cert in chain.

Last Modified

Oct 23, 2020

Products (1)

  • Cisco Unified Communications Manager (CallManager)

Known Affected Releases

10.5(2.13900.12) 11.5(1.18000.148) 12.5(0.98333.315)

Description (partial)

Symptom:
After replacing the CA root certificate, the customer ran an openssl command to check whether the certificate chain had been updated.
The CUCM Publisher returned the new CA root certificate, but the subscribers still returned the old certificate chain.
The issue is seen with CUC and IMP as well.

OK:
$ openssl s_client -connect X.X.X.X:8443 -quiet
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA verify return:1
depth=0 CN = xxx.yyy.zzz.com
verify return:1

NG:
$ openssl s_client -connect X.X.X.X:8443 -quiet
depth=1 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root verify error:num=10:certificate has expired notAfter=May 30 10:48:38 2020 GMT verify return:0
depth=1 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root verify error:num=10:certificate has expired notAfter=May 30 10:48:38 2020 GMT verify return:0
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root verify error:num=10:certificate has expired notAfter=May 30 10:48:38 2020 GMT verify return:0

Conditions:
*Because the AddTrust External CA Root expired on 5/30/2020, the customer uploaded the new CA root 'USERTrust RSA Certification Authority'.
*They only uploaded the new root certificate; they did not regenerate the CSR.

Old certificate chain:
Root: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Intermediate 1: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Intermediate 2: CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Server: CN = xxx.yyy.zzz.com(Multi-server)

New certificate chain:
Root: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Intermediate 1: CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Server: CN = xxx.yyy.zzz.com(Multi-server)


This defect applies to the following use cases:

1. Multi-SAN environments, since the chain is common across all nodes in the cluster.
2. Nodes in the cluster whose Tomcat certificates are signed by the same CA server and share the same chain.
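The symptom above is detected by comparing what each node actually serves on 8443, not by looking at the uploaded certificates. The following Python script is an added example (not part of the Cisco bug record) that parses the verify lines openssl s_client prints for each node, compares each node's served chain against the publisher's, and flags chain elements that openssl rejected or that are past their notAfter date. The node names, the sample outputs and the AS_OF date are constructed; the publisher sample uses openssl's normal multi-line layout, the subscriber sample uses the run-together layout shown in the report, and the parser accepts both.

```python
import re
from datetime import datetime, timezone

# Constructed sample outputs (not captured from the customer's cluster): the
# publisher serves the new USERTrust-rooted chain, the subscriber still serves
# the old AddTrust-rooted chain whose root expired on May 30 2020.
SAMPLE_OUTPUTS = {
    # publisher: normal openssl layout, "verify return" on its own line
    "cucm-pub": (
        "depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, "
        "CN = USERTrust RSA Certification Authority\n"
        "verify return:1\n"
        "depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, "
        "CN = Sectigo RSA Domain Validation Secure Server CA\n"
        "verify return:1\n"
        "depth=0 CN = xxx.yyy.zzz.com\n"
        "verify return:1\n"
    ),
    # subscriber: run-together layout, error and "verify return" on the depth line
    "cucm-sub1": (
        "depth=1 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, "
        "CN = AddTrust External CA Root verify error:num=10:certificate has expired "
        "notAfter=May 30 10:48:38 2020 GMT verify return:0\n"
        "depth=1 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, "
        "CN = AddTrust External CA Root verify error:num=10:certificate has expired "
        "notAfter=May 30 10:48:38 2020 GMT verify return:0\n"
        "depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, "
        "CN = AddTrust External CA Root verify error:num=10:certificate has expired "
        "notAfter=May 30 10:48:38 2020 GMT verify return:0\n"
    ),
}
# Constructed "now" for the expiry check (the bug's last-modified date).
AS_OF = datetime(2020, 10, 23, tzinfo=timezone.utc)

DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
ERROR_RE = re.compile(r"verify error:num=(\d+):(.*?)(?=\s+verify |$)")
RETURN_RE = re.compile(r"verify return:(\d)")
NOTAFTER_RE = re.compile(r"notAfter=(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT")


def parse_s_client(output):
    """Parse the 'depth=N ...' / 'verify ...' lines openssl s_client prints
    while validating the served chain; returns one dict per chain element."""
    entries = []
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DEPTH_RE.match(line)
        if m:
            # The subject runs up to the first " verify " token, if one is on the line
            subject, sep, rest = m.group(2).partition(" verify ")
            current = {"depth": int(m.group(1)), "subject": subject.strip(),
                       "errors": [], "verify_return": None, "not_after": None}
            entries.append(current)
            tail = ("verify " + rest) if sep else ""
        elif current is None:
            continue  # chatter before the first depth line
        else:
            tail = line  # continuation line belonging to the current element
        for em in ERROR_RE.finditer(tail):
            current["errors"].append((int(em.group(1)), em.group(2).strip()))
        rm = RETURN_RE.search(tail)
        if rm:
            current["verify_return"] = int(rm.group(1))
        nm = NOTAFTER_RE.search(tail)
        if nm:
            current["not_after"] = datetime.strptime(
                nm.group(1), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return entries


def chain_subjects(entries):
    """The served chain as an ordered tuple of subjects, used to compare nodes."""
    return tuple(e["subject"] for e in entries)


def chain_problems(entries, now):
    """Human-readable findings: openssl verify errors and expired elements."""
    problems = []
    for e in entries:
        tag = f"depth={e['depth']} {e['subject']}"
        for num, msg in e["errors"]:
            problems.append(f"{tag}: openssl verify error {num}: {msg}")
        if e["not_after"] is not None and e["not_after"] < now:
            problems.append(f"{tag}: notAfter {e['not_after']:%Y-%m-%d} is in the past")
        if e["verify_return"] == 0 and not e["errors"]:
            problems.append(f"{tag}: verify return:0 without a reported error")
    return problems


def audit_cluster(outputs, reference, now):
    """Compare every node's served chain with the reference node's and collect findings."""
    ref_chain = chain_subjects(parse_s_client(outputs[reference]))
    report = {}
    for node, text in outputs.items():
        entries = parse_s_client(text)
        chain = chain_subjects(entries)
        report[node] = {"chain": chain, "matches_reference": chain == ref_chain,
                        "problems": chain_problems(entries, now)}
    return report


if __name__ == "__main__":
    for node, result in audit_cluster(SAMPLE_OUTPUTS, "cucm-pub", AS_OF).items():
        status = "same chain as publisher" if result["matches_reference"] else "CHAIN DIFFERS"
        print(f"{node}: {status}, {len(result['chain'])} elements served")
        for p in result["problems"]:
            print(f"  - {p}")
```

In practice the SAMPLE_OUTPUTS dict would be filled from `openssl s_client -connect <node>:8443 -quiet` run against every cluster member; any node whose chain differs from the publisher's after the CA replacement is one that still needs its Tomcat keystore updated.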