Beginner

Expired Call manager & unity connection certificates

Hello,

 

There are several expired certificates in the current production Call Manager and Unity Connection nodes.

The active certificates exist, but I need to clean up these expired certificates since I keep getting RTMT alerts for them.

 

Moreover, I plan to migrate the current CUCM from a physical to a virtual server.

Should these expired certificates be deleted before migration?

Will doing the migration without deleting the expired certificates cause any issues?

Can I simply delete the expired certificates? Should I look into any dependencies for these certificates?

 

Please reply with your valuable suggestion.
6 REPLIES 6
Enthusiast

Re: Expired Call manager & unity connection certificates

If they are expired, did you regenerate new certificates for these services? Which certs are they?

Anytime I do an upgrade, or in your case a migration, I always like to do a clean up round. You should make sure all active certs (CUCM, tomcat, TVS, etc.) are all valid and up to date, then you can safely remove the others. I would do this before migrating anything.
Hall of Fame Cisco Employee

Re: Expired Call manager & unity connection certificates

Which certificate?

service certificate?

or x-trust certificates?

HTH

java

if this helps, please rate
Beginner

Re: Expired Call manager & unity connection certificates

I have regenerated all the service certs (CUCM, tomcat, TVS, etc.); they are all valid now.

But I do have some expired x-trust certs. I gave up on deleting the expired certs because I am not sure whether deleting the expired certs will lead to some issues.

 

How do I verify the trust cert for each node?

 

The cluster has 6 nodes (1 pub, 4 sub & 1 TFTP), so should each node have 5 (x-trust) trust certs for the other nodes?

Can I simply delete the expired x-trust certificates?

Rising star

Re: Expired Call manager & unity connection certificates

Hi,

First, identify which certificates are expired or no longer required for your system. CUCM base certificates cannot be deleted (i.e. CallManager, IPSEC, Tomcat, CAPF, TVS), but any trust certificate can be deleted.

As per the attached document, please follow the section "Deleting Expired Trust Certificates". I had a similar issue in the past and I received this document from Cisco TAC.

 

Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.
Beginner

Re: Expired Call manager & unity connection certificates

Thanks for the details. 

 

Is it mandatory to restart the CUCM services after deleting expired certificates?

 

Is it mandatory to clean up the expired CUCM certificate before starting the migration process?

Rising star

Re: Expired Call manager & unity connection certificates

Is it mandatory to restart the CUCM services after deleting expired certificates?
Yes, it is mandatory to restart CUCM services.

Is it mandatory to clean up the expired CUCM certificate before starting the migration process?
It is best practice to clean up the expired CUCM certificates before doing any upgrade or migration.

 

 

 

Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.