Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1379
Views
0
Helpful
6
Replies

Expired Call manager & unity connection certificates

Ren Stark
Level 1
Level 1

‎06-11-2019 05:30 AM

Hello,

 

There are several expired certificates are exist in the current production call manager and unity connection nodes.

The active certificates are exist but I need to clean up these expired certificates since I keep on getting RTMT alerts for this. 

 

Moreover, I have a plan to migrate this current cucm from physical to virtual server.

Should these expired certificates delete before migration?

Doing migration without deleting the expired certificates will cause any issues?

Can  I simply delete the expired certificates? Should I look into any dependency for these certificates?

 

Please reply with your valuable suggestion

 

 

 

0 Helpful
6 Replies 6

Mike_Brezicky
Cisco Employee
Cisco Employee

‎06-11-2019 05:53 AM

If they are expired, did you regenerate new certificates for these services? Which certs are they

Anytime I do an upgrade, or in your case a migration, I always like to do a clean up round. You should make sure all active certs (CUCM, tomcat, TVS, etc.) are all valid and up to date, then you can safely remove the others. I would do this before migrating anything.
0 Helpful

Jaime Valencia
Cisco Employee
Cisco Employee

‎06-11-2019 07:08 AM

Which certificate?

service certificate?

or x-trust certificates?

HTH

java

if this helps, please rate
0 Helpful

Ren Stark
Level 1
Level 1
In response to Jaime Valencia

‎06-11-2019 07:27 AM

I have regenerated all the service certs(CUCM, tomcat, TVS, etc.), it's all valid now. 

But I do have some x-trust expired certs. I give up to delete the expired certs because I am not sure deleting the expired certs will leads to some issues.

 

How do I verify the trust cert for each node?

 

The cluster got 6 nodes (1 pub, 4 sub & 1 TFTP) so each node should have 5 (x-trust) trust certs for other nodes?

Can I simply delete the expired x-trust certificates?

0 Helpful

Vaijanath Sonvane
VIP Alumni
VIP Alumni
In response to Ren Stark

‎06-11-2019 08:21 AM

Hi,

First, identify which certificates are expired or no longer required for your system.  CUCM base Certificates cannot be deleted (i.e. CallMananger, IPSEC, Tomcat, CAPF, TVS). but any trust certificate can be deleted. 

As per attached document, please follow the section Deleting Expired Trust Certificates. I had similar issue in the past and I received this document from Cisco TAC. 

 

Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.

Preview file
130 KB
0 Helpful

Ren Stark
Level 1
Level 1
In response to Vaijanath Sonvane

‎06-12-2019 03:54 AM

Thanks for the details. 

 

Is it mandatory to restart the CUCM services after deleting expired certificates?

 

Is it mandatory to clean up the expired CUCM certificate before starting the migration process?

0 Helpful

Vaijanath Sonvane
VIP Alumni
VIP Alumni
In response to Ren Stark

‎06-12-2019 04:06 AM - edited ‎06-12-2019 05:22 AM

Is it mandatory to restart the CUCM services after deleting expired certificates?
Yes, it is mandatory to restart CUCM services.

Is it mandatory to clean up the expired CUCM certificate before starting the migration process?
It is best practice to clean up the expired CUCM certificates before doing any upgrade or migration.

 

 

 

Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.

0 Helpful
Customers Also Viewed These Support Documents