We are currently working on regenerating all our call manager certificates. Our CUCM version is 9.X. After following the process, most of our 8841 and 7841 SIP phones did not register back to CUCM. Out of 3000 phones in our cluster, 800 phones show "Rejected". Please let me know whether the process we followed, described below, is accurate. We need to do the same on 3 different clusters.
We followed the process below:
Verify Security by Default on the Cluster
Avoidance of ITL issues is important, because ITL issues can cause many features to fail or the phone will refuse to abide by any changes to configurations. ITL issues can be avoided in these two ways.
Utilize the "Prepare Cluster for Rollback to pre 8.0" Feature
This feature "blanks" out your ITL on all servers, so the phones will trust any TFTP server. Phone services (for example, extension mobility) will NOT work when this parameter is set to True. However, users will be able to continue to make and receive basic phone calls.
Note: A change to this parameter causes ALL PHONES TO RESET.
Once this feature is set, all TFTP servers need to be restarted (in order to supply the new ITL) and all phones need to be reset in order to force them to request the new "blank" ITL. Once the certificate changes are completed and all necessary services have been restarted, this feature can be set back to "False", the TFTP service restarted, and the phones reset (so the phones can obtain the valid ITL file). Then all features will continue to work as they did previously.
Please follow the steps mentioned below to avoid any ITL issue.
1. Prior to starting - On the CLI within an SSH session to each and every CM server...run "show itl"
2. Set the enterprise parameter Prepare Cluster for Rollback to pre-8.0 to True. All phones reset at this step. Cannot be controlled.
3. The phones download an ITL file that contains empty TVS and TFTP certificate sections.
4. Restart TVS and TFTP on all nodes.
5. On the CLI within an SSH session to each and every CM server...run "show itl" ...it should look much different and items should be missing
6. Let the phones re-register to the cluster.
7. Make all your changes using the document I've provided and regenerate the certs that you've just deleted. No need to stop the Cisco Certificate Expiry Monitor and Cisco Certificate Change Notification service as mentioned in the link below.
8. After all the phones have successfully registered to the cluster, set the enterprise parameter Prepare Cluster for Rollback to pre-8.0 to False.
9. Restart TVS and TFTP.
10. Restart the TFTP service one more time and reset all the phones so that the new ITL file can be downloaded.
Please let me know if you have any questions or concerns.
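Steps 1 and 5 of the procedure above ask you to run "show itl" on every node and eyeball whether the TVS and TFTP sections have gone missing (after rollback) or come back (after the final reset). The script below is an added example, not part of this thread or of any Cisco tool: it parses captured "show itl" text from several nodes and flags any node whose ITL is not in the expected state, which is how a mismatched subscriber still serving an old ITL shows up before phones start rejecting. The layout it parses is an assumption (records headed "ITL Record #:N", each carrying a "<pos> FUNCTION <len> <value>" line; a "ROLE" tag is accepted as an alternative), and both sample outputs are constructed, not captured from a real cluster; adjust the regexes if your output differs.

```python
"""Compare the ITL contents reported by `show itl` across CUCM nodes.

Added example. The `show itl` layout below is an assumption (records headed
"ITL Record #:N", each with a "<pos> FUNCTION <len> <value>" line); adjust
the regexes if your output differs.
"""
import re
from collections import Counter

# Constructed sample output in the assumed layout: a normal ITL with the
# usual SAST, CCM+TFTP, TVS and CAPF records.
ITL_NORMAL = """\
Length of ITL file: 1234
Parse ITL File
----------------
Version: 1.2
HeaderLength: 294 (BYTES)

ITL Record #:1
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
3 FUNCTION 2 System Administrator Security Token
4 ISSUERNAME 45 CN=cucm-pub.example.local;OU=Voice;O=Example
ITL Record #:2
----
3 FUNCTION 2 CCM+TFTP
4 ISSUERNAME 45 CN=cucm-pub.example.local;OU=Voice;O=Example
ITL Record #:3
----
3 FUNCTION 2 TVS
4 ISSUERNAME 45 CN=cucm-pub.example.local;OU=Voice;O=Example
ITL Record #:4
----
3 FUNCTION 2 CAPF
4 ISSUERNAME 45 CN=CAPF-abc12345;OU=Voice;O=Example
"""

# Constructed sample of the "blanked" ITL the rollback parameter produces:
# only the SAST record remains; the TVS and CCM+TFTP sections are gone.
ITL_BLANK = """\
Length of ITL file: 456
Parse ITL File
----------------
Version: 1.2
HeaderLength: 294 (BYTES)

ITL Record #:1
----
3 FUNCTION 2 System Administrator Security Token
4 ISSUERNAME 45 CN=cucm-pub.example.local;OU=Voice;O=Example
"""

RECORD_SPLIT = re.compile(r"ITL Record #:\d+")
TAG_LINE = re.compile(r"^\s*\d+\s+(FUNCTION|ROLE|ISSUERNAME)\s+\d+\s+(.+?)\s*$")


def parse_itl(text):
    """Return one dict per ITL record with its function/role and issuer."""
    records = []
    for chunk in RECORD_SPLIT.split(text)[1:]:   # chunk [0] is the file header
        rec = {"function": None, "issuer": None}
        for line in chunk.splitlines():
            m = TAG_LINE.match(line)
            if not m:
                continue
            tag, value = m.groups()
            if tag in ("FUNCTION", "ROLE"):
                rec["function"] = value
            else:
                rec["issuer"] = value
        records.append(rec)
    return records


def itl_state(records):
    """Classify an ITL: 'normal' (TVS and CCM+TFTP present), 'blank'
    (neither present, as after rollback) or 'partial' (only one of them)."""
    funcs = Counter(r["function"] for r in records)
    has_tvs = funcs["TVS"] > 0
    has_tftp = funcs["CCM+TFTP"] > 0
    if has_tvs and has_tftp:
        return "normal"
    if not has_tvs and not has_tftp:
        return "blank"
    return "partial"


def check_cluster(outputs, expected):
    """Map node -> state and list nodes whose ITL is not in the expected state,
    e.g. expected='blank' after step 5 or 'normal' after the final reset."""
    states = {node: itl_state(parse_itl(text)) for node, text in outputs.items()}
    mismatched = sorted(n for n, s in states.items() if s != expected)
    return states, mismatched


if __name__ == "__main__":
    # Constructed capture: one subscriber still serving the old, unblanked ITL.
    captured = {"cucm-pub": ITL_BLANK, "cucm-sub1": ITL_BLANK, "cucm-sub2": ITL_NORMAL}
    states, bad = check_cluster(captured, expected="blank")
    for node, state in states.items():
        print(f"{node}: {state}")
    print("nodes not yet blanked:", bad)
```

Run it with the text of "show itl" pasted from each node into the `captured` dict; a node reported as "partial" or as the wrong state is the one to restart TFTP/TVS on before resetting phones, since phones that fetch a mismatched ITL are the ones that end up rejected.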
Procedure is basically the same, you just don't get a pop-up window, you can watch the video and it should be enough reference to do it on your cluster.
There has been a lot of confusion on this topic. I've heard of conflicting reports from TAC on this process in regards to the use of the Rollback parameter. One thing I've seen is that the documented process is likely wrong and the Rollback to Pre-8.0 parameter should NOT be used. Doing this causes the TVS references to be blanked out or invalidated on the ITL, which will then negate its availability as a fallback mechanism. Leaving the TVS mechanism in place and only regenerating the callmanager certificates, then being generous with service and phone resets, should be safe as long as the phones don't have an ITL problem today. If you read the Security by Default post that I've pasted below, you will see why keeping TVS intact is the safest approach.
Another good reference for certificate questions is a PDI video that's been made available. It's very long, but if you skip to the middle of it, they talk specifically about certificates on CUCM. If you have access to PEC, you may find it by searching for Certificate Management dated March 16, 2016.
I hope this information is helpful.