Showing results for 
Search instead for 
Did you mean: 
Community Manager

Ask the Expert: Certificate Management in Cisco Unified Communications Manager (CUCM)

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and any ask questions about how to manage  certificates in Unified Communications Manager with Cisco expert  Vasanth Kumar.

Ask questions from Tuesday February 8 to Friday February 19, 2016

Cisco Unified Communications Manager is the IP based call control solution which provides comprehensive solution for enterprise collaboration needs, Cisco UCM integrates with various other applications and third party deployments. Securing the communication and integration with other application is essential to keep the enterprise business secure.

This session will focus on answering question regarding managing the certificates in Unified Communications Manager, best practices , how to proactively mitigate issues with certificate expiration and common deployment issues related to third party CA signed certificate and troubleshooting Multi-Server SAN related issues.


Vasanth Kumar is a Technical Support engineer in the Cisco Technical Assistance Center in Cisco India.  He is expert on Cisco Unified Communication Manager and he has actively working on Voice Gateways and IM and Presence server. He has been helping customers as well as Cisco partners with installation, configuration and troubleshooting UC products ranging from small to large scale deployment for five years. Kumar  holds a bachelor's degree in Electronics and Communication from DCE a college affiliated to Anna University Chennai, CCIE in Voice and Collaboration (#39543) he has also achieved RHCE and VCP certification.

Vasanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Unified Communications Applications Community

Find other

**Ratings Encourage Participation! **
Please be sure to rate the Answers to Questions


I hope you and your love ones are safe and healthy
Monica Lluis
Community Manager Lead

Accepted Solutions

To configure the CUCM for secure RTP you have to follow these steps

  1. Run this command on CUCM Publisher by SSH to OS Admin “utils ctl set-cluster mixed-mode”
  2. Please restart all CUCM servers in the cluster.
  3. Please go to the system>>>> Phone Security >>>> Find the phone model you want to secure
  4. Copy the default non secure profile.
  5. Change the name to secure profile
  6. Change the Device Security Mode to Encrypted
  7. Check the box which says TFTP Encrypted Config
  8. Select the Authenticated mode to “by Existing certificate (Precedence to LSC) recommended by cisco.
  9. Set the encryption bit to 2048


Now apply the configured file to the phone

  1. Select the phone where you want to apply this profile
  2. On the phone page select Device Security Profile as secure profile
  3. In Certification Authority Proxy Function (CAPF) Information select “Certificate Operation” as Install and upgrade
  4. Save and reset the phone.
  5. Phone will restart for 4-5 times to download the certificate and encrypted configuration.


To test if the RTP is secure, apply secure profile to the 2 phones and make a call between them and once connected you will see lock sign next to timer

View solution in original post


Hi Vasanth,

I'm unable to upload CA signed certificate which I got after submitting the CSR generated by UCM, what could be the issue?



Hi Jackson,

It could happen because of two potential issues:

1. Either a new CSR was regenerated after submitting a old CSR. This would regenerate the Public(CSR)/Private key and hence the certificate which you got from CA does not contain the new publick key. You would have to submit the CSR again to successfully upload the certificate.

2. It's also possible that the CSR has been modified by CA in a way that it does not contain the same number of SAN(Subject Alternate Names) entries, this would also result in failure to upload. The fix would be to not add any additional SAN to CSR when submitting to a CA.




Hi Team,

Please if someone can answer this.

MSE is appearing as offline/ Unreachable from Prime Infrastructure 

we need to put user/ pass again in prime for MSE and it again start appearing reachable.

MSE running on Version

Prime Infrastructure running on 2.0

With Regards



Hi Binish,

Please reach out to the right forum (Cisco Prime or MSE) to get your query answered.

This session is focussing on UCM Certificate Management and queries related to that.





Can we say every time we press Generate CSR, it means the CUCM will generate new Public/Private keys and then all old certificates are invalid and we have to add new certificates?


Yes, every time you Generate CSR the keys will change. By default the cucm will take the latest keys and will try to match with those when upload.


But in this case how CUCM will encrypt and decrypt if the keys are changed?

I will just try to clarify my question. 

Jabber client download the certificate from CUCM. In this case jabber will use CUCM's Public key to encrypt the traffic with CUCM.

If I create new CSR (new Public and Private keys) then how the CUCM will decrypt the traffic coming from Jabber? I suppose Jabber will use the old certificate (Public Key) to encrypt.


Once the signed certs are uploaded CUCM uses those for all the HTTP communication and will continue to use those irrespective of the generate new CSR button has been clicked.

but now if you give your old csr and ask the CA to sign the cert that cert will not be valid.

The encryption and decryption is only for the HTTP traffice that when open the user page you dont get those warnings or when you use it with the JABBER the signed certs will not give you pop up to accept the certs etc.

CUCM is little intelligent that he know that he has just pressed the generate new CSR button but not uploaded the cert, so I will continue to use the old certs and keys for my functionalities till he uploads the new cert


Thanks :)


If the CSR is not signed in the first case then, moment you generate new CSR jaber will download that again and will prompt you for the new CERT validity 

but if the cert is signed it continue using the old keys and signed cert to encrypt and decrypt


Just to add what ever is already signed and uploaded will not be affected if you press generate CSR button after that



The exsisting Public/Private key pair is not broken of the server when a new CSR is generated.

So there is no harm in generating a CSR unless the CA signed CER is uploaded for the matching CSR.




Thank you for your clarification. So, it's much better to avoid pressing Generate CSR after getting a signed certificate.


Are there any tech notes or documents stating what certificates automatically forces cluster wide phone reboots when changed?

The CUCM documentation just says that replacing a certificate MAY cause devices to reboot. My anecdotal evidence suggests it's when some certs on TFTP servers are replaced.


Please rate all helpful posts.
Content for Community-Ad