farhanegal77
Level 1

I have a UCCX cert expiring soon and I need to find out the steps to regenerate/renew the certs below. I already renewed the CUCM certs using the steps below, but I am not sure if I need to use the same doc to regenerate the UCCX certs?

- tomcat.pem
- ipsec.pem
- intelligencecenter-srvr.pem
- intelligencecenter-srvr.jms.pem

CUCM Versions 8.X and later - Certificate Regeneration/Deletion

Note:
* When regenerating certificates, be advised that this action should be performed after hours due to the requirement of restarting services and rebooting phones in the cluster.
** Monitoring phone registration via the RTMT tool is highly recommended.
*** It is recommended that you reboot ALL phones prior to certificate regeneration in order for all phones to have the latest ITL; this may also help identify phones with current ITL issues.

Monitoring Endpoints
Real Time Monitoring Tool (RTMT)
- Log in to the publisher using RTMT
  o Select the Voice/Video tab
  o Select Device Summary
- Here you will see the total number of registered endpoints and how many are registered to each node.
- Please monitor during endpoint resets to ensure registration prior to moving to the next certificate.

Is your cluster in Mixed Mode?
- System > Enterprise Parameters
To regenerate expiring or expired certificates, please follow the procedures below.

Tomcat Certificate:
Identify whether you are using third-party certificates.
1) Log in to the Cisco Unified OS Administration page
   a. Security
   b. Certificate Management
   c. Find
      i. Observe from the Description column whether tomcat states “Self-signed certificate generated by system”. If Tomcat is third-party signed, follow the link provided and perform those steps after the Tomcat regeneration.
      ii. Third Party Signed - https://supportforums.Cisco.com/docs/DOC-6119
2) Open a GUI for each server in your cluster, starting with the publisher, then each subscriber/TFTP in line, and navigate to Cisco Unified OS Administration > Security > Certificate Management
3) On all of the GUI pages, beginning with the publisher, click “Find” to show all the certificates.
   a) Click on the “tomcat.pem” certificate.
   b) Once open, click “Regenerate”. Wait until you see “Success”, then close the pop-up or go back to “Find/List”.
4) Continue with the subsequent subscribers, following the same procedure in steps 2 thru 3, and complete on all subscribers in your cluster.
5) After all nodes have regenerated the tomcat certificate, restart the tomcat service on all the nodes, beginning with the publisher, followed by the subscribers.
   a) To restart tomcat you will need to open a CLI to each node and enter the following command: "utils service restart Cisco Tomcat".
IPSEC Certificate:
Note:
IPSEC certificates will affect the DRF Master and DRF Local services, which deal with backup and restore.
1) Open a GUI for each server in your cluster, starting with the publisher, then each subscriber/TFTP in line, and navigate to Cisco Unified OS Administration > Security > Certificate Management
2) On all of the GUI pages, beginning with the publisher, click “Find” to show all the certificates.
   a) Click on the “IPSEC.pem” certificate.
   b) Once open, click “Regenerate”. Wait until you see “Success”, then close the pop-up or go back to “Find/List”.
3) Continue with the subsequent subscribers, following the same procedure in step 2, and complete on all subscribers in your cluster.
4) After all nodes have regenerated the IPSEC certificate, the following services will need to be restarted in the following order:
   a) Log in to the Publisher’s Cisco Unified Serviceability
      i) Cisco Unified Serviceability > Tools > Control Center - Network Services
      ii) On the Publisher only, restart Cisco DRF Master Service.
      iii) Once the service restart completes, restart Cisco DRF Local Service on the Publisher.
      iv) Continuing with the subscribers, restart Cisco DRF Local Service.
CAPF Certificate:
Note:
Is the cluster in Mixed Mode?
Ensure that the cluster is not in a secure cluster mode.
1) Navigate to Cisco Unified CM Administration > System > Enterprise Parameters.
   a) In the “Security Parameters” section, check Cluster Security Mode and identify whether it is set to “0” or “1”. If the value is 0, the cluster is not in mixed mode. If it is “1”, the cluster is in mixed mode and you will need to update the CTL file. Ensure you complete this section before the CallManager certificate, because the CTL needs to be updated in the next section.
   b) Open a GUI for each server in your cluster, starting with the publisher, then each subscriber/TFTP in line, and navigate to Cisco Unified OS Administration > Security > Certificate Management
2) On all of the GUI pages, beginning with the publisher, click “Find” to show all the certificates.
   a) Click on the “CAPF.pem” certificate.
   b) Once open, click “Regenerate”. Wait until you see “Success”, then close the pop-up or go back to “Find/List”.
3) Continue with the subsequent subscribers, following the same procedure in step 3, and complete on all subscribers in your cluster.
4) After all nodes have regenerated the CAPF certificate, the following services will need to be restarted in the following order:
   a) Log in to the Publisher’s Cisco Unified Serviceability
      i) Cisco Unified Serviceability > Tools > Control Center - Feature Services
      ii) Beginning with the Publisher, restart Cisco Certificate Authority Proxy Function Service ONLY where running.
      iii) Cisco Unified Serviceability > Tools > Control Center - Network Services
      iv) Beginning with the Publisher, then continuing with the subscribers, restart Cisco Trust Verification Service (TVS).
      v) Cisco Unified Serviceability > Tools > Control Center - Feature Services
      vi) Beginning with the Publisher, then continuing with the subscribers, restart Cisco Tftp Service only where running.
      vii) Reboot ALL phones
         (1) Cisco Unified CM Administration > System > Enterprise Parameters
            (a) Click “Reset”; you will see a pop-up warning “You are about to reset all devices in the system. This action cannot be undone. Continue?” Click OK, then click “Reset”.
         Phones will now upload the new ITL during their reset.
CallManager Certificate:
Warning:
DO NOT regenerate CallManager.PEM and TVS.PEM certificates at the same time. This will cause an unrecoverable mismatch between the ITL installed on the phone and the newly generated ITL in CUCM, making it necessary to remove the ITL from ALL phones in the cluster. At the end of this section, a reboot of ALL phones will be required.
1) Open a GUI for each server in your cluster, starting with the publisher, then each subscriber/TFTP in line, and navigate to Cisco Unified OS Administration > Security > Certificate Management
2) On all of the GUI pages, beginning with the publisher, click “Find” to show all the certificates.
   a) Click on the “CallManager.pem” certificate.
   b) Once open, click “Regenerate”. Wait until you see “Success”, then close the pop-up or go back to “Find/List” (different depending on your Call Manager version).
3) Continue with the subsequent subscribers, following the same procedure in step 2, and complete on all subscribers in your cluster.
4) After all nodes have regenerated the CallManager certificate, the following services will need to be restarted in the following order:
   a) If you are in Mixed Mode only and have already regenerated the CAPF, update the CTL before proceeding (Token / Tokenless).
   b) Log in to the Publisher’s Cisco Unified Serviceability
      i) Cisco Unified Serviceability > Tools > Control Center - Feature Services
      ii) Beginning with the Publisher, then continuing with the subscribers, restart Cisco CallManager Service where running.
      iii) Cisco Unified Serviceability > Tools > Control Center - Feature Services
      iv) Beginning with the Publisher, then continuing with the subscribers, restart Cisco CTIManager Service only where running.
      v) Cisco Unified Serviceability > Tools > Control Center - Network Services
      vi) Beginning with the Publisher, then continuing with the subscribers, restart Cisco Trust Verification Service (TVS).
      vii) Cisco Unified Serviceability > Tools > Control Center - Feature Services
      viii) Beginning with the Publisher, then continuing with the subscribers, restart Cisco Tftp Service only where running.
      ix) Reboot ALL phones
         (1) Cisco Unified CM Administration > System > Enterprise Parameters
            (a) Click “Reset”; you will see a pop-up warning “You are about to reset all devices in the system. This action cannot be undone. Continue?” Click OK, then click “Reset”.
         (2) Phones will now upload the new updated ITL during their reset.
TVS Certificate:
Note:
DO NOT regenerate CallManager.PEM and TVS.PEM certificates at the same time. This will cause an unrecoverable mismatch between the ITL installed on the phone and the newly generated ITL in CUCM, making it necessary to remove the ITL from ALL phones in the cluster.
1) Open a GUI for each server in your cluster, starting with the publisher, then each subscriber/TFTP in line, and navigate to Cisco Unified OS Administration > Security > Certificate Management
2) On all of the GUI pages, beginning with the publisher, click “Find” to show all the certificates.
   a) Click on the “TVS.pem” certificate.
   b) Once open, click “Regenerate”. Wait until you see “Success”, then close the pop-up or go back to “Find/List”.
3) Continue with the subsequent subscribers, following the same procedure in step 2, and complete on all subscribers in your cluster.
4) After all nodes have regenerated the TVS certificate, the following services will need to be restarted in the following order:
   a) Log in to the Publisher’s Cisco Unified Serviceability
      i) Cisco Unified Serviceability > Tools > Control Center - Network Services
      ii) On the Publisher only, restart Cisco Trust Verification Service.
      iii) Once the service restart completes, continue with the subscribers and restart Cisco Trust Verification Service.
      iv) Beginning with the Publisher, then continuing with the subscribers, restart Cisco Tftp Service only where running.
      v) Reboot ALL phones
         (1) Cisco Unified CM Administration > System > Enterprise Parameters
            (a) Click “Reset”; you will see a pop-up warning “You are about to reset all devices in the system. This action cannot be undone. Continue?” Click OK, then click “Reset”.
      vi) Phones will now upload the new ITL during their reset.
Deleting Expired Trust Certificates
Note:
Identify the expired certificates, or certificates no longer required for your system. Base certificates cannot be deleted (i.e. CallManager, IPSEC, Tomcat, CAPF, TVS). Any trust certificate can be deleted. Follow the procedures below.
1) Log in to the Call Manager Publisher’s Cisco Unified Serviceability page
   a. Tools > Control Center - Network Services
      i. From the drop-down, select the CUCM Publisher
      ii. Stop Certificate Change Notification
      iii. Repeat for every Call Manager node in your cluster
      iv. If you have an Instant Messaging and Presence (IMP/CUPS) server:
      v. Stop Platform Administration Web Services
2) Open a GUI to each server and log in to the Unified OS Administration page (ALL servers at the same time)
   a. Navigate to Security > Certificate Management on all servers
   b. Find the expired *-trust certificates. (On 10.0 and higher you can filter by Expiration. Below 10.0 you will need to identify the specific certificates manually, or via the RTMT alerts if received.)
   c. You may see the same trust certificate on multiple nodes. It must be deleted individually from each node.
   d. Select the trust certificate to be deleted (depending on your version you will either get a pop-up or you will be navigated to the certificate on the same page)
      i. Select Delete (you will get a pop-up that begins with “you are about to permanently delete this certificate…”)
      ii. Select OK. The pop-up will go away, and the GUI will refresh.
      iii. Repeat the process for every trust certificate to be deleted
3) Upon completion of deleting the trust certificates, you will need to restart services per the certificates deleted; you do not need to reboot phones in this section.
   a. Tomcat-trust: restart Tomcat Service via command line (see Tomcat section)
   b. CAPF-trust: restart Cisco Certificate Authority Proxy Function (see CAPF section)
   c. CallManager-trust: CallManager Service/CTIManager (see CallManager section)
   d. IPSEC-trust: DRF Master/DRF Local (see IPSEC section)
4) Restart services previously stopped
   a. Tools > Control Center - Network Services
   b. From the drop-down, select the CUCM Publisher
   c. Start Certificate Change Notification
   d. Repeat for every Call Manager node in your cluster
   e. If you have an Instant Messaging and Presence (IMP/CUPS) server:
   f. Start Platform Administration Web Services
