
CAPF Certificate Operation: INSTALL/UPGRADE FAILURE

Steven Duncan
Level 4

So,

First, I would like to say that this is my first time attempting to use Security-Profiles.  I am interested in implementing them to use with Collab-Edge (MRA).

Currently running (CUCM) 10.5.2.12901-1

Currently configured for Mixed Mode

I have created Call-Manager/Call-Manager Trust, Tomcat/Tomcat-trust, and am currently using the 'self-signed' CAPF/CAPF-trust, and have since reissued CTL files.

I have created Security profiles using the collab-edge FQDN naming scheme, and am currently attempting to test with the following two profiles for CSF and TCT devices (BOT devices later...)

CSF Phone Security Profile config:

*************

Name: CSF.secure-phone.domain.com

Description: CSF Secure phone profile

Device Security mode: Encrypted

Transport type: TLS

TFTP Encrypted config: YES

Authentication mode: By Existing Certificate (Precedence to LSC)

Key Size (Bits): 2048

SIP Phone Port: 5061

TCT Phone Security Profile Config:

********************

Name: TCT.secure-phone.domain.com

Description: TCT (IPHONE) Phone Security Profile Encrypted (TLS)

Nonce Validity Time: 600

Device Security Mode: Encrypted

Transport Type: TLS

ENABLE Digest Authentication: NO

TFTP Encrypted Config: YES

Exclude Digest Credentials in Configuration File: NO

Authentication Mode: By Existing Certificate (precedence to LSC)

Key Size: 2048

SIP Phone Port: 5061

=======================================================

From the CSF device:

**********************

Certification Authority Proxy Function (CAPF) Information...

+When attempting to Install/Upgrade *Certificate Operation*:

Authentication Mode: By Existing Certificate (precedence to LSC)

Key Size: 2048

Result: "Certificate Operation Status: Upgrade Failed: Invalid Credentials"

I was going to perform the following steps after hours:

+Create new CSR

+Sign new CAPF with Internal CA

+Sign new CAPF-TRUST with Internal CA

+Reissue CTL

+Restart Servers (or CUCM/TFTP Services) *Sometimes I just prefer restarting Servers...

Can anyone help shed some light on what I'm missing here (why phones won't take the CAPF certificate Operation)?

Also, what's the deal with the 'operation completes by'?... Is there any way to push the config immediately?

Any Help is welcomed!


Thanks,

-Steve

[edit: 'CUCM version clarification']

2 Replies

Jaime Valencia
Cisco Employee

This is the Video Over IP community, you might want to move this to a relevant area.

HTH

java

if this helps, please rate

Moving it.  I was multi-tasking, and misread 'video' for 'voice'..