I am on CUCM 10.5. My certificates will be expiring for my call managers and presence servers. I did all these certificates initially with a trusted CA, I think Geotrust. Rarely use Jabber anymore BUT if I let these certificates expire now, will the functionality of the phone system (everything outside of jabber) stop working in any way? I'm thinking that I might get an error in Jabber connecting to my presence and call manager BUT I don't use Jabber anymore and I just want the phone system itself to function. Seems like it shouldn't cause an issue because the certificates are mostly just Tomcat certificates for web interface? Thinking to re-architect my whole setup but don't want to buy all the certificates if I don't have to.
Thanks in advance
Short answer is, you should NEVER let your certificates expire and leave them in that state.
If you don't want to use a public CA, you can use either self-signed or private CA.
In either case, you would still need to perform the certificate exchange as required by your configuration to keep the trust between servers.
If you use MRA, you most definitely want a public CA to sign your EXP-E certificate.
Jabber documentation explains what certificates are used by Jabber to connect to each server.
Thanks for your response. I know, the answer is obvious that you shouldn't let the certs expire BUT I was wondering what actually happens when this occurs. Do the call managers need these certificates to encrypt traffic between themselves? I was thinking the Tomcat certificates were for web/jabber traffic only and the call managers used self signed certificates to communication between themselves.
As Java wrote it’s not advisable to let any of the certificates expire. If you don’t have a need for public signed certificate, renew it as self-signed or use an internal CA to sign it.