https://community.cisco.com/t5/ip-telephony-and-phones/is-regeneration-of-capf-after-mixed-mode-needed/m-p/3932235#M382760 <P>Is regeneration of CAPF and re-sign by CA needed after changing CUCM to mixed mode, if previously LSC is installed during non-secure mode?</P><P>&nbsp;</P><P>1. Phones were previously signed with CA signed LSC and had 802.1x enabled for NAC. CUCM v12.5 was in non secured mode.</P><P>2. Customer requires encryption on the phones thus we have converted the CUCM v12.5 to mixed mode</P><P>3. Phones are not able to register after we applied the secure sip profile. NAC is working as phone is still getting IP but just cannot register to CUCM.&nbsp; If we delete the LSC from the phone, the phone can register using secure profile.</P><P>&nbsp;</P><P>Phone (with LSC) getting the below error.</P><P>&nbsp;</P><P>7851 ERR Sep 23 15:01:20.320158 (348:2292) SECUREAPP-Secure Connection Handshake failed.<BR />7852 NOT Sep 23 15:01:20.322478 (348:2292) SECUREAPP-Close and free connection handler at 0x2a1c63b0<BR />7853 NOT Sep 23 15:01:20.323210 (348:2292) SECUREAPP-Sec SSL Close Connection successful.<BR />7854 ERR Sep 23 15:01:20.323699 (348:2292) SECUREAPP-PXY_SSL_CLNT: SSL CLNT ERR, srvr[10.178.23.16]<BR />7855 ERR Sep 23 15:01:20.324523 (348:2292) SECUREAPP-SECERR_DETAIL: ** SEC-ERR: code:[11]([UNKNOWN_ERR]) subcode:[0]([N/A])<BR />7856 ERR Sep 23 15:01:20.325041 (348:2292) SECUREAPP-SECERR_DESC: ** SEC-ERR: desc [ssl setup failed]</P><P>&nbsp;</P><P>From CUCM, we are getting this:</P><P>07275357.000 |14:58:46.457 |AppInfo&nbsp; |[3, 100, 247, 138]: HandleSSLError - Certificate verification failed:(Verification error:2)- unable to get issuer certificate for 10.178.99.71:51537</P><P>&nbsp;</P><P>ITL and CTL checksum on the phone are the same as the publisher, so no error on that.&nbsp; This is confirmed by the below phone logs</P><P>&nbsp;</P><P>UREAPP-validateSignedCTL: new TL matches old, not updating</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 02 Oct 2019 03:01:04 GMT esther.tan 2019-10-02T03:01:04Z https://community.cisco.com/t5/ip-telephony-and-phones/is-regeneration-of-capf-after-mixed-mode-needed/m-p/3932235#M382760 <P>Is regeneration of CAPF and re-sign by CA needed after changing CUCM to mixed mode, if previously LSC is installed during non-secure mode?</P><P>&nbsp;</P><P>1. Phones were previously signed with CA signed LSC and had 802.1x enabled for NAC. CUCM v12.5 was in non secured mode.</P><P>2. Customer requires encryption on the phones thus we have converted the CUCM v12.5 to mixed mode</P><P>3. Phones are not able to register after we applied the secure sip profile. NAC is working as phone is still getting IP but just cannot register to CUCM.&nbsp; If we delete the LSC from the phone, the phone can register using secure profile.</P><P>&nbsp;</P><P>Phone (with LSC) getting the below error.</P><P>&nbsp;</P><P>7851 ERR Sep 23 15:01:20.320158 (348:2292) SECUREAPP-Secure Connection Handshake failed.<BR />7852 NOT Sep 23 15:01:20.322478 (348:2292) SECUREAPP-Close and free connection handler at 0x2a1c63b0<BR />7853 NOT Sep 23 15:01:20.323210 (348:2292) SECUREAPP-Sec SSL Close Connection successful.<BR />7854 ERR Sep 23 15:01:20.323699 (348:2292) SECUREAPP-PXY_SSL_CLNT: SSL CLNT ERR, srvr[10.178.23.16]<BR />7855 ERR Sep 23 15:01:20.324523 (348:2292) SECUREAPP-SECERR_DETAIL: ** SEC-ERR: code:[11]([UNKNOWN_ERR]) subcode:[0]([N/A])<BR />7856 ERR Sep 23 15:01:20.325041 (348:2292) SECUREAPP-SECERR_DESC: ** SEC-ERR: desc [ssl setup failed]</P><P>&nbsp;</P><P>From CUCM, we are getting this:</P><P>07275357.000 |14:58:46.457 |AppInfo&nbsp; |[3, 100, 247, 138]: HandleSSLError - Certificate verification failed:(Verification error:2)- unable to get issuer certificate for 10.178.99.71:51537</P><P>&nbsp;</P><P>ITL and CTL checksum on the phone are the same as the publisher, so no error on that.&nbsp; This is confirmed by the below phone logs</P><P>&nbsp;</P><P>UREAPP-validateSignedCTL: new TL matches old, not updating</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 02 Oct 2019 03:01:04 GMT https://community.cisco.com/t5/ip-telephony-and-phones/is-regeneration-of-capf-after-mixed-mode-needed/m-p/3932235#M382760 esther.tan 2019-10-02T03:01:04Z https://community.cisco.com/t5/ip-telephony-and-phones/is-regeneration-of-capf-after-mixed-mode-needed/m-p/3932323#M382763 Hi Esther,<BR /><BR />Was this cluster in mixed mode ever before and had CTL file ? If so, then you need to delete the CTL file before moving to mixed mode again. Please refer the below link for more detailed procedure:<BR /><BR /><A href="https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118893-technote-cucm-00.html#anc5" target="_blank">https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118893-technote-cucm-00.html#anc5</A><BR /><BR />HTH<BR />Rajan<BR />Please rate all useful posts by clicking the star below and mark solutions as accepted wherever applicable<BR /> Mon, 30 Sep 2019 08:50:59 GMT https://community.cisco.com/t5/ip-telephony-and-phones/is-regeneration-of-capf-after-mixed-mode-needed/m-p/3932323#M382763 Rajan 2019-09-30T08:50:59Z https://community.cisco.com/t5/ip-telephony-and-phones/is-regeneration-of-capf-after-mixed-mode-needed/m-p/3933459#M382829 <P>Hi Rajan</P><P>&nbsp;</P><P>No. There was no CTL file before we switched to mixed mode.</P><P>&nbsp;</P><P>&nbsp;</P><P>Regards</P><P>Esther</P> Wed, 02 Oct 2019 03:01:51 GMT https://community.cisco.com/t5/ip-telephony-and-phones/is-regeneration-of-capf-after-mixed-mode-needed/m-p/3933459#M382829 esther.tan 2019-10-02T03:01:51Z