05-16-2017 09:38 AM - edited 03-17-2019 10:20 AM
Apologies if this has been done to death and I've missed it, but having read/watched the following, I still have some unanswered questions:
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified...
http://docwiki.cisco.com/wiki/Certificates_FAQ
https://supportforums.cisco.com/video/12627626/how-regenerate-self-signe...
and finally an excellent video at https://www.youtube.com/watch?v=FIqh3rSIUmA, all posted by Jamie Valencia.
My situation is slightly different in that my Tomcat cert is no longer self-signed but signed by our internal Microsoft CA. The certificate has also been generated as SHA1 (now deprecated) and is due to expire on 02/06/17. With reference to the methods detailed in Jamie's video, can I use the same process to update from SHA1 to SHA256 by specifying both for the signature and signature hash algorithms when I generate a new CSR?
I also plan to use the multi-server (SAN) functionality to update all members of the CUCM cluster in one fell swoop both for tomcat and cup-xmpp certs. Is there any reason I shouldn't do this?
Finally, will updating the Tomcat cert have any impact on our IP phones' ITL files? I'm still unclear about this. Our CUCM cluster is running in non-secure mode (mode 0), so there is no CTL to worry about.
The one thing I am certain about is the need to ensure that the DRF backup is good before I attempt any of this :-(
Thanks in advance
Rich
05-16-2017 10:33 AM
Yes, you can change from SHA1 to SHA256 without any problem; that can be changed according to the security policies of your company, or what the public CA offers.
No, there is no problem using multi-SAN; the only drawback I know of is that if you restore a server without using a DRS backup, the certificates will not sync to that new server. All the more reason to always have a good DRS backup.
No, Tomcat is not used for the ITL; you can see that from the show itl samples in my certs FAQ, and in your own cluster using that command.
If you are going to change any other ITL-related certs, make sure to review the ITL docs to avoid any issues:
http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/116232-technote-sbd-00.html
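A post-rotation check for the three points raised in the question (signature hash, multi-SAN coverage of every cluster node, remaining lifetime), written as an added example with the openssl CLI; this is not code from the thread or from Cisco. It assumes openssl 1.1.1 or later (for `-addext`/`-ext`), and the `*.example.local` node names are constructed placeholders, not anyone's real cluster.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): audit a CUCM Tomcat
# certificate PEM for (1) signature hash algorithm, (2) SAN coverage of
# every cluster node FQDN, (3) remaining validity. Hostnames are constructed
# placeholders; example.local is not a real cluster.

# Print the signature algorithm as openssl names it, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Return 0 when the signature hash is in the SHA-2 family, 1 for SHA-1/MD5.
sig_alg_ok() {
    case "$(cert_sig_alg "$1")" in
        sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the DNS names from the subjectAltName extension, one per line.
cert_san_dns() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Return 0 when every FQDN in $2.. appears in the cert's SAN; otherwise print
# the missing names and return 1 (those nodes would still raise browser/Jabber warnings).
san_covers_nodes() {
    cert="$1"; shift
    names="$(cert_san_dns "$cert")"
    rc=0
    for node in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF "$node"; then
            echo "missing from SAN: $node"
            rc=1
        fi
    done
    return $rc
}

# Return 0 when the cert remains valid for at least $2 more days.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Build a throwaway self-signed cert so the checks can be exercised offline.
# $1 output PEM, $2 digest (sha256, or sha1 where openssl still permits it), $3.. SAN names.
make_sample_cert() {
    out="$1"; digest="$2"; shift 2
    san=""
    for n in "$@"; do san="${san:+$san,}DNS:$n"; done
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -"$digest" \
        -days 365 -subj "/CN=$1" -addext "subjectAltName=$san" -out "$out" 2>/dev/null
}

# Demo on a constructed SHA-256 multi-SAN cert (placeholder FQDNs).
audit_demo() {
    dir="$(mktemp -d)"
    make_sample_cert "$dir/tomcat.pem" sha256 cucm-pub.example.local cucm-sub1.example.local
    echo "signature algorithm: $(cert_sig_alg "$dir/tomcat.pem")"
    if sig_alg_ok "$dir/tomcat.pem"; then echo "hash: OK"; else echo "hash: DEPRECATED"; fi
    # cucm-sub2 is deliberately absent from the SAN to show the failure branch
    if san_covers_nodes "$dir/tomcat.pem" cucm-pub.example.local cucm-sub1.example.local cucm-sub2.example.local; then
        echo "SAN: covers all nodes"
    else
        echo "SAN: incomplete"
    fi
    if valid_for_days "$dir/tomcat.pem" 30; then echo "expiry: more than 30 days left"; else echo "expiry: renew soon"; fi
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then audit_demo; fi
```

Run `sh audit.sh demo` to see it against the constructed cert. To audit a live node instead, save what it presents on 8443 with `openssl s_client -connect cucm-pub.example.local:8443 </dev/null 2>/dev/null | openssl x509 -out tomcat.pem` and point the functions at that file; running `san_covers_nodes` once per node against each node's own certificate confirms the multi-SAN cert actually propagated to the whole cluster, which is the part the DRS caveat above is about.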
05-17-2017 06:27 AM
Thanks very much for your valued response Jaime. Keep up the excellent work with the videos.
Best.
Richard