Regeneration Of CUCM Certificates

mnice
Level 1

Hello All

I hope you guys are all right.

I would like your help, if possible, on the procedures for regenerating CUCM certificates, more specifically those indicated below:

1- Tomcat Certificate:

    If Tomcat is third-party signed? I found a link but I didn't understand how to access the interface indicated in the procedure ''Submit CSR to CA'' and the following steps

    https://supportforums.Cisco.com/docs/DOC-6119

2 - CallManager Certificate:

    If you are in Mixed Mode Only and have already regenerated the CAPF – Update the CTL before proceeding Token - Tokenless? I didn't understand that expression ''Token - Tokenless''

FYI: The platform is isolated from the internet or Cisco Cloud.

Thank you in advance for your support.

Regards.

9 Replies

Chris Deren
Hall of Fame

If the certs are signed by an external CA today and you need to renew them, the process is to get a new CSR generated from the server, sign it by the external CA and then upload it back on the application along with all root and intermediate certs if those are different. After the certs are uploaded, restart the appropriate service, i.e. Tomcat, for the new cert to take effect.

By definition, tokenless CTL cert:

Tokenless CTL is a new feature in CUCM Versions 10.0(1) and later that allows the encryption of call signaling and media for IP Phones without the need to use hardware USB eTokens and the CTL Client plugin, which was the requirement in previous CUCM releases.

When the cluster is placed into Mixed mode with the use of the CLI command, the CTL file is signed with the CCM+TFTP (server) certificate of the Publisher node, and there are no eToken certificates present in the CTL file.

Prior versions required a USB token, which as of version 10 is no longer required.

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118893-technote-cucm-00.html

Ivan Dez
Cisco Employee

Hello mnehar

In regards to your question 1:

1- Tomcat Certificate:

The ''Submit CSR to CA'' section of the document you found is related to a Windows Server working as a Certificate Authority (CA), which is normally used for lab purposes. In the real world, it is recommended to use an external CA like GoDaddy or Verisign to sign your certificates, although they will charge you for it.

Thus the only procedure you need to follow, if you decide to use this option, is to generate the CSR and get the file to the external CA. They will come back to you with a certificate chain, including the Root, any intermediate certs and the identity certificate, which you need to upload into CUCM.

On the other hand, if you do not want to get charged, you can use any other internal CA that your company could have, like in this case a Windows Server CA, although you can get security warnings when using the Tomcat cert with other applications.

Regards!
Ivan

Hello Chris and Ivan

Thank you for your support and information, it's clear.

I just checked the certificate descriptions; they are self-signed (attached the capture). In my opinion I don't need to download the new CSR and validate it by an external CA.

Please check the attached capture and get back to me asap; in yellow are the certificates that have to be regenerated.

Thank you again (Chris & Ivan) for your great support.

Regards.

NEHAR Mohamed.

Your screenshot did not show the actual certificates, just descriptions.

Either way, if the Tomcat cert is self-signed then there is no need to get a CSR, as with self-signed certs, if it's expiring, you will just need to press the regenerate cert button and restart the Tomcat services.

Hello Chris

Thank you for your return and information.

Yes, I didn't put the names of the certificates because I work in a state company, just to avoid publishing the names of the certificates.

Last question: for certificates registered with the trust certificate, are they self-signed or not? Can I regenerate them without using the CSR file extraction method?

Thank you in advance.

Regards.

NEHAR Mohamed.

Hello

I know I've asked too much.

Do I have to regenerate all expired certificates, for example (CAPF, CAPF-Trust, IPSEC, IPSEC-Trust .....), or only those with, for example (CAPF, IPSEC .....)?

What do you mean by "For certificates registered with the trust certificate"?

Self-signed certificates are issued by the server itself, so if you click on the certificate and check the "Issuer Name:" and it shows information of the server itself, i.e. "L=chicago, ST=il, CN=cucm01, OU=IT, O=NM, C=US", then it's a self-signed cert; otherwise, if it shows something else, i.e. "VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5", then it's signed by an external CA. The "Type" column on the certificate management page also indicates if the cert is Self-signed or CA-signed.
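A small shell check, added here and not from any reply in this thread, that applies the Issuer-versus-Subject test above to a PEM file and reports days to expiry, and also walks the CSR-then-sign path from Chris's first reply for the CA-signed case. It assumes the openssl CLI is installed; the certificates, the "Internal Lab CA" name and the file paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Decide which renewal path a CUCM cert
# needs: self-signed -> Regenerate button + service restart; CA-signed -> CSR,
# sign at the CA, upload chain + identity cert, restart. Assumes openssl CLI.

# Print "self-signed" or "ca-signed" for the PEM certificate given as $1.
classify_cert() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ]; then
        echo self-signed
    else
        echo ca-signed
    fi
}

# Days until notAfter (negative once expired). GNU date first, BSD fallback.
days_to_expiry() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -u -d "$end" +%s 2>/dev/null \
        || date -u -j -f "%b %e %H:%M:%S %Y %Z" "$end" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

WORK=$(mktemp -d)
DN="/C=US/ST=il/L=chicago/O=NM/OU=IT/CN=cucm01"   # subject from the reply above

# Constructed sample 1: a self-signed cert, issuer == subject.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$DN" \
    -keyout "$WORK/tomcat.key" -out "$WORK/tomcat.pem" 2>/dev/null

# Constructed sample 2: the CA-signed path. A hypothetical internal CA signs
# a CSR generated for the same subject, so issuer != subject.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Internal Lab CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "$DN" \
    -keyout "$WORK/tomcat2.key" -out "$WORK/tomcat.csr" 2>/dev/null
openssl x509 -req -in "$WORK/tomcat.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/tomcat-ca.pem" 2>/dev/null

for f in tomcat.pem tomcat-ca.pem; do
    echo "$f: $(classify_cert "$WORK/$f"), expires in $(days_to_expiry "$WORK/$f") days"
done
```

On a real node, export the certificate from Cisco Unified OS Administration > Security > Certificate Management and run classify_cert against that file; the "Type" column should agree with the result.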

Hello Chris

Ok, it's clear.

Now, do I have to regenerate all expired certificates, for example (CAPF, CAPF-Trust, IPSEC, IPSEC-Trust .....), or only those with, for example (CAPF, IPSEC .....)?

Is it that the certificates, for example CAPF-Trust, are part of the CAPF cert, so if I regenerate the CAPF certificate.pem ''only'', the CAPF-Trust certificate will regenerate itself?

Regards.

NEHAR Mohamed.

Hello

The regeneration of certificates (Tomcat, IPsec, CAPF, CallManager, ITL and TVS) is done successfully. Now I have trust certificates that expire in 2020; can I delete them?

Regards.

NEHAR Mohamed.
