Installing 3rd Party Certificate on Cisco Prime License Manager

As part of the 10.X Cisco Collaboration Systems Release, Enterprise License Manager (ELM) has been changed to Prime License Manager (PLM), and the system operates a little bit differently than ELM did. There are a few differences, including how you install 3rd party signed certificates on the box. I will discuss some operating differences and how to handle getting 3rd party certificates on the PLM.

ELM/PLM is the licensing component included with several of the Cisco collaboration products. I prefer to have my ELM/PLM server be a standalone virtual machine (VM) vs. using a co-resident one with another collaboration application (both are supported by Cisco TAC). The system requirements for a standalone system are small, and by having a standalone VM, you can deal with ELM/PLM issues without impacting other application functions like CUCM or CUC.

In 9.X, ELM used to be in the CUCM/CUC install ISO, which is now approaching 5 GB in size as of the latest 10.5(2) release. PLM operates similarly to ELM, but it is now a standalone ISO and is less than 1 GB in size. Since much of the CUCM/CUC stuff is stripped out, you don’t have GUI methods to deal with certificates.

Installing 3rd party certificates is not specifically documented for PLM currently (at least I couldn’t find it on CCO or Google). There is a CLI command reference guide, and that was what I needed, along with some assistance from TAC, to piece together the procedure. Even TAC was initially unclear how to do this. I figured I would save you some time and outline the procedure here. You will need SSH access to the PLM CLI. Also, make sure your certificates are in Base64 format:

# Generate the CSR
set csr gen tomcat
# Retrieve the CSR & provide to your CA administrator
show csr own tomcat/tomcat.csr
# Upload root & any intermediate certs for the CA to PLM
set cert import trust tomcat
# View trust certs
show cert list trust
# Upload the signed tomcat cert to PLM
set cert import own tomcat tomcat-trust/<CAName from show>

After all of this, you will need to cycle the Cisco Tomcat service. However, in version 10.5(2) there is no way to restart just the Cisco Tomcat service from the CLI, so you will need to restart your PLM VM:

utils system restart

Hopefully after all of this, you can have a 3rd party signed certificate on your PLM so you do not get the annoying certificate warnings when you connect to the administration GUI.
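
A pre-upload check for the Base64 requirement in the procedure above, as an added example that is not from the original post or from Cisco. It assumes "Base64 format" means PEM encoding, uses only the Python standard library, and checks only the outer ASN.1 structure rather than fully parsing X.509; the function names and sample bytes are made up for illustration.

```python
import base64
import re
import ssl

# Matches any PEM block and captures its label and Base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_length_ok(data: bytes) -> bool:
    """True if data is exactly one ASN.1 SEQUENCE whose length field fits."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = SEQUENCE tag
        return False
    first = data[1]
    if first < 0x80:                          # short form: length in one byte
        return len(data) == 2 + first
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")


def to_pem_certs(raw: bytes) -> list:
    """Return the certificates in a CA-supplied file as PEM (Base64) strings.

    Raises ValueError when the file is not a certificate or PEM bundle.
    """
    if der_length_ok(raw):                    # binary DER: re-encode as PEM
        return [ssl.DER_cert_to_PEM_cert(raw)]
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("binary data that is not a single DER structure")
    certs = []
    for label, body in PEM_BLOCK.findall(text):
        if label != "CERTIFICATE":            # e.g. the CSR, a key, or PKCS7
            raise ValueError(f"unexpected PEM block: {label}")
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der_length_ok(der):
            raise ValueError("PEM body is not a well-formed DER structure")
        certs.append(ssl.DER_cert_to_PEM_cert(der))
    if not certs:
        raise ValueError("no PEM certificate block found")
    return certs


# Constructed stand-in bytes (SEQUENCE { INTEGER 5 }), not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
if __name__ == "__main__":
    print(to_pem_certs(SAMPLE_DER)[0])
```

Run it against the files your CA returns before importing them; a `ValueError` for a `CERTIFICATE REQUEST` or `PKCS7` block means the file is the CSR itself or a bundle format that still needs converting.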

Disclosure: I am a member of the Cisco Champions Program. Cisco Champions are passionate about Cisco and enjoy sharing our knowledge, expertise, and thoughts across the social web and with Cisco. I am not a representative of Cisco. My views as a Cisco Champion are my own.

Author: Michael Whaley

I am a Private, Instrument Rated, pilot living in the Kansas City Metro area with my family and Siberian Husky. I work as a Network Engineer supporting data and voice infrastructure components here in Kansas City. In my spare time I fly.

7 thoughts on “Installing 3rd Party Certificate on Cisco Prime License Manager”

  1. I found mixed messages in the documentation about wildcard certificate support in 10.5. Have you tried this?

  2. I was really disappointed at the lack of documentation on the certificate process. I have not specifically messed with wildcard certs with PLM, but I don’t see why it wouldn’t work. I know a lot of organizations use wildcard certs so that would be helpful if it was supported.

  3. Apparently this no longer works with 11.5.
    I opened a TAC case and these 2 bugs were opened to track it.
    CSCvb44508
    CSCvb44518

  4. Wanted to say that I also opened a 3rd bug CSCvb73503 after contacting TAC and determining that the two bugs from ‘anonymous’ above were not sufficient to resolve the issues for our environment. TAC now has a workaround process to connect into the server via root access and remove the EC support from PLM-standalone.
