I am brushing up my knowledge on the CM certificates and have a few questions I couldn't find answers to online. Could someone help with these please?
1. Since SBD, TFTP files are signed by the TFTP private key (CallManager.pem). How does this work if there is more than one TFTP on the cluster? Which node's private key will be used to sign the files?
2. Which certificates can an endpoint validate against using TVS? I guess the tomcat-trust is the main one, but what other cert stores would TVS reference when attempting validation?
3. With ITLRecovery (utils itl reset localkey/remotekey) the CM re-signs all the ITL files using the Publisher's ITLRecovery.p12 private key. The phone then downloads an ITL signed by this recovery key, but how does this help exactly? Are we saying the phone would already have a local copy of the ITLRecovery public key somehow?
Thanks in advance for any insight.
A 1, all nodes have the same call manager certificate. It’s the Pub that will distribute the certificate to the other nodes.
A 2, I don't think the Tomcat certificate has a connection to TVS. The CallManager certificate and TVS have a relation with each other.
Please have a look at this document for certificate related information. https://community.cisco.com/t5/collaboration-voice-and-video/cisco-uc-certificates-renewal-guide/ta-p/4077131
Thanks Roger, that clears up item 1.
My question 2) (TVS) was about the design of the TVS service and what it can check against. For sure it can authenticate against the tomcat-trust, because this is what happens when someone presses the Directories key on a phone. By way of an example, if an endpoint presented a cert to the TVS service on TCP/2445 and that cert was stored in the ipsec-trust, would TVS give the OK?
I just watched the excellent BRKCOL-3501 which helped clarify most of the original questions, so I have provided some brief commentary below.
1. Just going back to question 1): are you sure it's the publisher's CallManager.pem which signs the phone's SEPmac.cnf.xml.sgn in SBD?
Ryan Ratliff mentions this around slide 55:
A CTL is signed by the CallManager.pem of the publisher
An ITL is signed by the CallManager.pem of the local TFTP node
And reading through this article on SBD they mention that the configuration file has been signed by the TFTP private key corresponding to CallManager.pem. This would mean that the CallManager.pem from every TFTP node has to be bundled into the ITL and shipped down to the phones.
2. For the TVS question, Ryan mentions around slide 66 that TVS looks up the cert in the DB where the role is set to some value supplied by the phone. It's slightly unclear, but it sounds like TVS may only do a lookup against tomcat-trust. I don't think this is documented anywhere.
3. ITLRecovery is bundled into the ITL and it virtually never changes unless someone does a manual regen on the cert. I'm not sure how this would help you unlock a phone which doesn't trust your CM cluster, so there is something more to be learned here.