cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
738
Views
0
Helpful
6
Replies

Call Manager expire certificate

jfrodriguez23
Level 1
Level 1

Hello,


We have an issue with somes ip phones in our Call Manager cluster. Call Manager version is 

8.6.2.23052-1. Some certificates of Call Manager are expired, and for this reason, somes ip phones not register in Call Manager.

 

Expired certificates:

- Tomcat
- Ipsec
- CAPF
- CallManager
- TVS

 

The cluster is in Mixed Mode" (Cluster Security Mode = 1). We do not have the USB token. The USB tokens are missing. For this reason, we will be problems with CAPF and CTL certificates, especially. We do not have the CTL password too.


IP phones 7911, 7921, 7925, 7941, 7942 y 7962 have Security Profile configured (Standard SCCP Secure Profile MIC 1024).


We need to regenerate all certificate for a correct register of all ip phones.
Could you help us with one the correct procedure (version 8.x without token CTL) for to regenetare these five certificates for this version?


If we regenetare the certificates, be will necesary to delete the old certificates in all iphones (manually) for a correct register in call MAnager with the new certificates?

 

Thanks in advance.

 

6 Replies 6

Rajan
VIP Alumni
VIP Alumni
In any case, you need to rerun the CTL after renewing the expired certificates so that the CTL file will have signatures of all new certs. Since you dont have the CTL token, you can regenerate all expired certs without any issues if you are ready to run the cluster in nonsecure mode.

If you are ok with that, you can disable security for the CUCM cluster and use the "Prepare cluster for pre CM-8.0 rollback" Enterprise Parameter so that all phones will get a blank ITL file and trust everything. YOu can regenerate all expired certs and restart required services. Once you complete this for all servers, you can change the enterprise parameter back for the phones to get new ITL file to trust and register.

HTH
Rajan
Pls rate all useful posts by clicking the star below

How can to disable security for the CUCM cluster?

 

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118892-config-cucm-00.html

 

I have seen te procedure por 10.X, but not for 8.X. That procedure say: The situation gets more complex when a version earlier than 10.x of CUCM is in use. If you lose or forget the password of one of the tokens, you can still use the other one to run the CTL client with current CTL files. It is highly recommended to obtain another eToken and add it to the CTL file as soon as possible for the sake of redundancy. If you lose or forget the passwords for all the eTokens listed in your CTL file, you need to get a new pair of eTokens and run a manual procedure as explained here.

 

I do not have more information.

Regards

 

 

How can to disable security for the CUCM cluster?

 

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118892-config-cucm-00.html

 

I have seen te procedure por 10.X, but not for 8.X. That procedure say: The situation gets more complex when a version earlier than 10.x of CUCM is in use. If you lose or forget the password of one of the tokens, you can still use the other one to run the CTL client with current CTL files. It is highly recommended to obtain another eToken and add it to the CTL file as soon as possible for the sake of redundancy. If you lose or forget the passwords for all the eTokens listed in your CTL file, you need to get a new pair of eTokens and run a manual procedure as explained here.

 

I do not have more information.

Regards

 

Jaime Valencia
Cisco Employee
Cisco Employee

There's plenty of reference available related to certificate regeneration and ITL that contain instructions and info on this, have you gone through any of it?

HTH

java

if this helps, please rate

Not yet.  We want to be sure the correct procedure because this version is OOS.

We have seen procedures for 10.x version, not 8.x version.

It's the exact same thing, all that documentation was simply created at a later date.

As you lost your tokens, you will need to switch the security profile of all your devices to non-encrypted and keep it that way as you have no means to update the CTL. Once they're all set to non-encrypted, you can re-generate your certificates.

HTH

java

if this helps, please rate