As part of the 10.X Cisco Collaboration Systems Release, Enterprise License Manager (ELM) has been changed to Prime License Manager (PLM) and the system operates a little bit differently than ELM did. There are a few differences including how you install 3rd party signed certificates on the box. I will discuss some operating differences and how to handle getting 3rd party certificates on the PLM.
ELM/PLM is the licensing component included with several of the Cisco collaboration products. I prefer to have my ELM/PLM server be a standalone virtual machine (VM) vs. using a co-resident one with another collaboration application (both are supported by Cisco TAC). The system requirements for a standalone system are small and by having a standalone VM, you can deal with ELM/PLM issues without impacting other application functions like CUCM or CUC.
In 9.X, ELM used to be in the CUCM/CUC install ISO which is now approaching 5 GB in size as of the latest 10.5(2) release. PLM operates similarly to ELM but it is now a standalone ISO and is less than 1 GB in size. Since much of the CUCM/CUC stuff is stripped out, you don’t have GUI methods to deal with certificates.
Installing 3rd party certificates is not specifically documented for PLM currently (at least I couldn’t find it on CCO or Google). There is a CLI command reference guide and that was what I needed along with some assistance from TAC to piece together the procedure. Even TAC was initially unclear how to do this. I figured I would save you some time and outline the procedure here. You will need SSH access to the PLM CLI. Also, make sure your certificates are in Base64 format:
# Generate the CSR
set csr gen tomcat
# Retrieve the CSR & provide to your CA administrator
show csr own tomcat/tomcat.csr
# Upload root & any intermediate certs for the CA to PLM
set cert import trust tomcat
# View trust certs
show cert list trust
# Upload the signed tomcat cert to PLM
set cert import own tomcat tomcat-trust/<CAName from show>
After all of this you will need to cycle the Cisco Tomcat service. However, in version 10.5(2) there is no way to restart just the Cisco Tomcat service from the CLI, so you will need to restart your PLM VM:
utils system restart
Hopefully after all of this, you can have a 3rd party signed certificate on your PLM so you do not get the annoying certificate warnings when you connect to the administration GUI.
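The procedure above needs the certificates in Base64 (PEM) form, and a CA export with a .cer extension can be either binary DER or Base64. The following Python helper is an added example, not part of the original post or any Cisco tooling: it accepts either form and emits cleanly wrapped PEM blocks. The function names and the sample bytes are assumptions made for illustration, and the DER check is structural only (it does not parse X.509 fields).

```python
import base64
import re
import ssl

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)

# Constructed placeholder with a valid DER SEQUENCE header; NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)


def check_der(der: bytes) -> bytes:
    """Sanity check: one DER SEQUENCE whose length covers the whole blob."""
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("not DER: missing SEQUENCE tag (wrong file type?)")
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long-form length, n length bytes
        n = der[1] & 0x7F
        if not 1 <= n <= 4 or len(der) < 2 + n:
            raise ValueError("not DER: malformed length field")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("DER length mismatch: truncated file or trailing data")
    return der


def to_pem_blocks(data: bytes) -> list[str]:
    """Return every certificate in `data` as a cleanly wrapped PEM block."""
    bodies = PEM_RE.findall(data)
    if bodies:   # already Base64: strip CRLF/whitespace and re-validate
        ders = [base64.b64decode(b"".join(b.split()), validate=True)
                for b in bodies]
    else:        # no PEM markers: treat as a binary DER export (.cer/.der)
        ders = [data]
    return [ssl.DER_cert_to_PEM_cert(check_der(d)) for d in ders]


if __name__ == "__main__":
    import sys
    # Usage: python to_pem.py rootca.cer > rootca.pem
    with open(sys.argv[1], "rb") as fh:
        print("".join(to_pem_blocks(fh.read())), end="")
```

A file that fails these checks (truncated download, wrong file type, stray characters in the Base64 body) raises ValueError before anything is supplied to `set cert import`.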
Disclosure: I am a member of the Cisco Champions Program. Cisco Champions are passionate about Cisco and enjoy sharing our knowledge, expertise, and thoughts across the social web and with Cisco. I am not a representative of Cisco. My views as a Cisco Champion are my own.
I found mixed messages in the documentation about wildcard certificate support in 10.5, have you tried this?
I was really disappointed at the lack of documentation on the certificate process. I have not specifically messed with wildcard certs with PLM, but I don’t see why it wouldn’t work. I know a lot of organizations use wildcard certs so that would be helpful if it was supported.
Great article. Worked Great! Also used it for Prime Collaboration Deployment. Thank you!
Apparently this no longer works with 11.5
I opened a TAC case and these 2 bugs were opened to track it.
Wanted to say that I also opened a 3rd bug CSCvb73503 after contacting TAC and determining that the two bugs from ‘anonymous’ above were not sufficient to resolve the issues for our environment. TAC now has a workaround process to connect into the server via root access and remove the EC support from PLM-standalone.
One more bug filed for Enhancement request (add Cert-mgr GUI similar to CUCM) as well.
Sorry forgot the bug ID: CSCvb80941
This process confirmed works with PLM 11.5.1 SU1 (must be SU1)
Can also confirm works with PCD 11.5.3
Thanks for sharing this Michael. Following your guide I have managed to upload our internal Root CA and Intermediate certs on version 11.5.1 (Su6). From a complete newbie's perspective, the only thing I would add is that the certificate has to be imported in the PEM format. The only method available to me to obtain internally signed certificates is to download them from our internal CA with the CER extension. The workaround which seems to have worked quite nicely is to go to my CUCM publisher (where the same certificates had already been installed) and download the Root CA and Intermediaries in a PEM format, open in notepad ++ and copy and paste to PLM CLI. If I run show cert list trust – the two internal certs are shown.
One last thing, I also ran a “show cert own tomcat” to check certificate attributes and noticed that PLM is different in that along with digitalsignature, keyEncipherment, dataEncipherment, it also has keyCertSign which CUCM Pub and Subs don’t have. So do I need the certificate server admins to add keyCertSign to the template?