cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1377
Views
0
Helpful
6
Replies

Expired Call manager & unity connection certificates

Ren Stark
Level 1
Level 1

Hello,

 

There are several expired certificates are exist in the current production call manager and unity connection nodes.

The active certificates are exist but I need to clean up these expired certificates since I keep on getting RTMT alerts for this. 

 

Moreover, I have a plan to migrate this current cucm from physical to virtual server.

Should these expired certificates delete before migration?

Doing migration without deleting the expired certificates will cause any issues?

Can  I simply delete the expired certificates? Should I look into any dependency for these certificates?

 

Please reply with your valuable suggestion

 

 

 

6 Replies 6

Mike_Brezicky
Cisco Employee
Cisco Employee
If they are expired, did you regenerate new certificates for these services? Which certs are they

Anytime I do an upgrade, or in your case a migration, I always like to do a clean up round. You should make sure all active certs (CUCM, tomcat, TVS, etc.) are all valid and up to date, then you can safely remove the others. I would do this before migrating anything.

Jaime Valencia
Cisco Employee
Cisco Employee

Which certificate?

service certificate?

or x-trust certificates?

HTH

java

if this helps, please rate

I have regenerated all the service certs(CUCM, tomcat, TVS, etc.), it's all valid now. 

But I do have some x-trust expired certs. I give up to delete the expired certs because I am not sure deleting the expired certs will leads to some issues.

 

How do I verify the trust cert for each node?

 

The cluster got 6 nodes (1 pub, 4 sub & 1 TFTP) so each node should have 5 (x-trust) trust certs for other nodes?

Can I simply delete the expired x-trust certificates?

Hi,

First, identify which certificates are expired or no longer required for your system.  CUCM base Certificates cannot be deleted (i.e. CallMananger, IPSEC, Tomcat, CAPF, TVS). but any trust certificate can be deleted. 

As per attached document, please follow the section Deleting Expired Trust Certificates. I had similar issue in the past and I received this document from Cisco TAC. 

 

Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.

Thanks for the details. 

 

Is it mandatory to restart the CUCM services after deleting expired certificates?

 

Is it mandatory to clean up the expired CUCM certificate before starting the migration process?

Is it mandatory to restart the CUCM services after deleting expired certificates?
Yes, it is mandatory to restart CUCM services.

Is it mandatory to clean up the expired CUCM certificate before starting the migration process?
It is best practice to clean up the expired CUCM certificates before doing any upgrade or migration.

 

 

 

Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.