Beginner

Certificate consolidation questions

I have read several different sources about the certificate consolidation process. I am still unclear about a couple of the points.

We have 2 large 10.5 clusters. We are moving phones from one to the other and we want to be able to roll back if need be without any ITL issues.

1. When doing the consolidation should I pick TFTP or All? I have seen different sources have differing answers.

2. After the consolidation is finished I plan to import to both clusters so that phones should move freely in either direction. Is that right?

3. After the consolidation do the TVS and TFTP need to be restarted on all servers in the cluster or only certain ones?

4. Does this process cause the phones to reset? If not, do the phones need to reset in order to update the ITL file before attempting to move them to another cluster?

Thanks for any assistance!

20 Replies
Hall of Fame Master

Re: Certificate consolidation questions

Rather than consolidating the certs, just exchange the CallManager certs between the clusters. You can do it in the following fashion:

download <hostname>-callmanager.pem from each node on both clusters

and upload each cert as Phone-SAST-Trust on the other cluster's publisher

You should not need to restart any services, but if phones don't transition between clusters, restart the Trust Verification Service (TVS).
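A practical way to confirm the exchange above is complete (and, equally, that a later consolidation import placed every CallManager cert in the other cluster's Phone-SAST-trust) is to compare certificate fingerprints: every `<hostname>-callmanager.pem` downloaded from the source cluster must appear among the Phone-SAST-trust entries downloaded from the destination cluster. The script below is an added example written for this thread, not Chris's code or anything from Cisco. It uses only the Python standard library; the hostnames `cucm-a-pub` and `cucm-a-sub1` are hypothetical, the PEM blocks are constructed placeholders rather than real X.509 certificates, and the fingerprint is a plain SHA-1 over the DER payload, which is enough to match like with like regardless of how a given GUI displays it.

```python
import base64
import hashlib
import re

# Matches every CERTIFICATE block in a PEM file (a trust-store export may hold several).
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der_blocks(pem_text):
    """Return the DER bytes of each CERTIFICATE block found in pem_text."""
    return [
        base64.b64decode("".join(body.split())) for body in _PEM_BLOCK.findall(pem_text)
    ]


def fingerprint(der):
    """SHA-1 over the DER encoding, as colon-separated upper-case hex."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i : i + 2] for i in range(0, len(digest), 2))


def missing_trusts(node_certs, trust_store_pem):
    """Report CallManager certs that the other cluster does not yet trust.

    node_certs:      {hostname: pem_text} built from <hostname>-callmanager.pem
                     downloaded from every node of the source cluster.
    trust_store_pem: PEM text of the destination cluster's Phone-SAST-trust
                     entries concatenated together.
    Returns a list of (hostname, fingerprint) pairs absent from the trust store;
    an empty list means every node's CallManager cert is present.
    """
    trusted = {fingerprint(der) for der in pem_to_der_blocks(trust_store_pem)}
    missing = []
    for hostname, pem_text in node_certs.items():
        for der in pem_to_der_blocks(pem_text):
            fp = fingerprint(der)
            if fp not in trusted:
                missing.append((hostname, fp))
    return missing


def _constructed_pem(label):
    """Constructed placeholder: PEM armour around arbitrary bytes, NOT a real X.509 cert.

    It is enough for the fingerprint comparison, which only hashes the DER payload.
    """
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample: two nodes in the source cluster (hypothetical hostnames).
CLUSTER_A_CALLMANAGER_CERTS = {
    "cucm-a-pub": _constructed_pem("CallManager cert of cucm-a-pub"),
    "cucm-a-sub1": _constructed_pem("CallManager cert of cucm-a-sub1"),
}

# Constructed sample: the destination cluster's Phone-SAST-trust, where only the
# publisher's cert was uploaded and the subscriber's was forgotten.
CLUSTER_B_PHONE_SAST_TRUST = (
    _constructed_pem("CallManager cert of cucm-a-pub")
    + _constructed_pem("unrelated trust entry")
)


if __name__ == "__main__":
    gaps = missing_trusts(CLUSTER_A_CALLMANAGER_CERTS, CLUSTER_B_PHONE_SAST_TRUST)
    if not gaps:
        print("all CallManager certs are present in Phone-SAST-trust")
    for hostname, fp in gaps:
        print(f"missing from Phone-SAST-trust: {hostname} ({fp})")
```

Run it once per direction: with cluster A's node certs against cluster B's trust store, then with cluster B's node certs against cluster A's trust store, since phones need to be able to move both ways. A forgotten subscriber, as in the constructed sample, is exactly the kind of gap that shows up later as phones refusing to register on the other cluster.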

Beginner

Re: Certificate consolidation questions

Chris,

Thanks for your reply. This is the first I have heard of this solution. It does not seem to be documented by Cisco anywhere.

I would prefer to stay in the mainstream of Cisco recommended solutions.

Hall of Fame Cisco Employee

Re: Certificate consolidation questions

Certificate consolidation does the exact same thing Chris told you; behind the scenes it just exports all the certificates to the central repository, and once you import them, it places each certificate in the appropriate -trust store.

It just automates the procedure so you don't have to download each individual certificate and then also upload every single certificate to the -trust store.

EDIT: You can see it here as I do it:

https://youtu.be/skZvyVw9j0g

HTH

java

if this helps, please rate

Re: Certificate consolidation questions

Must the clusters have connectivity to each other for the consolidation to work?
Or can I export the certs from one cluster and then consolidate them in another cluster, without connectivity?
Hall of Fame Master

Re: Certificate consolidation questions

Consolidation takes place on the SFTP server, so you need to export all certs to SFTP, then perform the consolidation from any of the CUCM clusters, and then import to each cluster. So, no direct connection between clusters is necessary.

Re: Certificate consolidation questions

This is confusing... I saw a different point of view ...

"Remember that the IP Phones verify every downloaded file against either the ITL file, or against a TVS server that exists in the ITL file. If the phone needs to move to a new cluster, the ITL file the new cluster presents must be trusted by the old cluster's TVS certificate store."

https://supportforums.cisco.com/t5/collaboration-voice-and-video/migrating-ip-phones-between-clusters-with-cucm-8-and-itl-files/ta-p/3108501
Hall of Fame Master

Re: Certificate consolidation questions

I responded to your cert consolidation question, not how ITL certs work. In any case, in order for phones to migrate successfully between clusters, the CallManager certs need to be imported into Phone-SAST-trust between clusters; you can do this either manually or using the consolidation method, which is easy. The CUCMs do not need to talk to each other at any point for this.

Re: Certificate consolidation questions

I moved some Cisco 3905 phones to another cluster and I didn't need to do certificate consolidation or remove the security configuration. Is there something different in this phone model?

Hall of Fame Cisco Employee

Re: Certificate consolidation questions

That model doesn't support/use ITL/SBD, that's why you were able to move it without doing anything else.

HTH

java

if this helps, please rate

Re: Certificate consolidation questions

Thank you for the quick reply!

Hall of Fame Master

Re: Certificate consolidation questions

Not all phones have ITL certs, i.e. gen1 phones such as 7940/60, and this one.

Re: Certificate consolidation questions

Thank you Chris!
Beginner

Re: Certificate consolidation questions

Jaime, I have hit the same bug as in your video. Can you direct me as to which certs should be manually moved between clusters?

Hall of Fame Cisco Employee

Re: Certificate consolidation questions

The video shows at 6:14 which certificates can be exported for certificate consolidation: Tomcat, TFTP and CAPF.

The bug in the video description also provides this information, did you review it?

HTH

java

if this helps, please rate