Showing results for 
Search instead for 
Did you mean: 
Community Manager

Ask the Expert: Certificate Management in Cisco Unified Communications Manager (CUCM)

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and any ask questions about how to manage  certificates in Unified Communications Manager with Cisco expert  Vasanth Kumar.

Ask questions from Tuesday February 8 to Friday February 19, 2016

Cisco Unified Communications Manager is the IP based call control solution which provides comprehensive solution for enterprise collaboration needs, Cisco UCM integrates with various other applications and third party deployments. Securing the communication and integration with other application is essential to keep the enterprise business secure.

This session will focus on answering question regarding managing the certificates in Unified Communications Manager, best practices , how to proactively mitigate issues with certificate expiration and common deployment issues related to third party CA signed certificate and troubleshooting Multi-Server SAN related issues.


Vasanth Kumar is a Technical Support engineer in the Cisco Technical Assistance Center in Cisco India.  He is expert on Cisco Unified Communication Manager and he has actively working on Voice Gateways and IM and Presence server. He has been helping customers as well as Cisco partners with installation, configuration and troubleshooting UC products ranging from small to large scale deployment for five years. Kumar  holds a bachelor's degree in Electronics and Communication from DCE a college affiliated to Anna University Chennai, CCIE in Voice and Collaboration (#39543) he has also achieved RHCE and VCP certification.

Vasanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Unified Communications Applications Community

Find other

**Ratings Encourage Participation! **
Please be sure to rate the Answers to Questions


I hope you and your love ones are safe and healthy
Monica Lluis
Community Manager Lead

Hi Gordon

There are three services which triggers a cluster phone restart ( quick refresh on the screen ). These are TVS, CAPF, CCM+TFTP. Please find the screenshot displaying the warning. This warning has been addded in latest 10.5(2) su release onwards.

Please note that if you open a certificate and try to re-generate it, the warning / pop-up is not displayed.

I have opened a defect to ensure parity with the warning across all methods of certificate re-generation.




Hello Vasanth,

Quick question: Can I set my cluster to mixed mode without the us of a USB token? If so, how can I do it?

Thank you,



To configure the CUCM for secure RTP you have to follow these steps

  1. Run this command on CUCM Publisher by SSH to OS Admin “utils ctl set-cluster mixed-mode”
  2. Please restart all CUCM servers in the cluster.
  3. Please go to the system>>>> Phone Security >>>> Find the phone model you want to secure
  4. Copy the default non secure profile.
  5. Change the name to secure profile
  6. Change the Device Security Mode to Encrypted
  7. Check the box which says TFTP Encrypted Config
  8. Select the Authenticated mode to “by Existing certificate (Precedence to LSC) recommended by cisco.
  9. Set the encryption bit to 2048


Now apply the configured file to the phone

  1. Select the phone where you want to apply this profile
  2. On the phone page select Device Security Profile as secure profile
  3. In Certification Authority Proxy Function (CAPF) Information select “Certificate Operation” as Install and upgrade
  4. Save and reset the phone.
  5. Phone will restart for 4-5 times to download the certificate and encrypted configuration.


To test if the RTP is secure, apply secure profile to the 2 phones and make a call between them and once connected you will see lock sign next to timer

View solution in original post


In step 2 after setting the cluster to mixed mode. You can restart only CCM and TFTP service on nodes where it's activated.

Please refer to the following article for more details:




Thank you for sharing the steps (+5)

when we have to use the USB token?



Insted of step 2 you need to use CTL Client and USB token to build CTLFile. Rest of the steps remain same.

Following gives you practical guide to achieve it:

Ensure that the CTL Provider service is running on all nodes in the cluster and you have obtained USB-Tokens.

Insert the first USB token and install the "Safenet Authentication Client Tools" and "CTL Client" which can be downloaded from CCM Administrator > Application > Plugins Menu.

Subsequently you can run the CTL Client application which will fetch the CAPF, CCM+TFTP

from all notes and build a trust list. This CTL file will later be signed by the private key stored in the USB token and which makes it important to keep the tokens safe. It's mandatory to use two USB token during initial setup for backup purpose if one of the token is damaged or misplaced.

Which is why tokenless method was introduced to avoid such issues.





Thank you for your support

So, what is the advantage of using USB Token? Is it provide more complex encryption? Or what exactly?



I'm glad you asked this.

Since the USB token are used to sign the CTLFile.tlv it provided a resiliency interms of having a backup token when one is lost. Having multiple SAST token entries in CTLFile.

However with tokenless implemenation there was caveat because the CTLFile.tlv contained only one entry of Soft token (Callmanager.pem) of publisher.

However this is addressed in the 11.0 release where CTLFile.tlv contains two "System Administrator Security Token" to provide the resiliency.

Hence if you are running a 10.x release I would prefer USB token over Tokenless approach. With 11.0 onwards I would recommend using tokenless method for implementing mixed mode cluster.




Thank you too much for your support.

Can I say I can configure SRTP for our customers without any additional requirements? All what I need is CUCM Restricted version?


In order to have SRTP between device(s) need to be secured (Encrypted Signalling).

Encrypted signalling allows you to share the crypto keys securely to encode/decode RTP stream.

CUCM Restricted version allows you to enable Mixed Mode which enable devices to register securely to UCM.

Mixed mode is enabled by running CTL Client or Tokenless CLI in (10.x onwards).

I'm glad I could help.




When we say Mixed Mode? does it mean to have both encrypted and non encrypted communications?

For example, some phones are configured to use secured device profile and some non secured?


Yes, in Mixed-mode you can have both secure and non secure device registration.




Hello Vasanth,

Thank you for your time and support. I have a very basic question. I did not add any certificate before to CUCM and I have to deal with certificates now. So, Can I know the disadvantages that I may face if I add a certificate for Tomcat or other for CUCM?


Hi ,

It's a very Intresting one.There is no harm in adding certificate to the trust-store if that's what you are trying to achieve. But, adding unnecessary certificate will overwhelm the administrator in managing them at times of troubleshooting. You can also upload CA signed server certificate for which you need to have CA certificate added to the respective trust store for ex:- tomcat-trust.

Could you please be more specific on what you are trying to achieve by uploading certificates to UCM?




Thank you for your answer

Just want to add Tomcat and XMPP, to disable the pop-up certificates for Jabber clients