Certificate consolidation questions

gene
Level 1

I have read several different sources about the certificate consolidation process. I am still unclear about a couple of the points.

We have 2 large 10.5 clusters. We are moving phones from one to the other and we want to be able to roll back if need be without any ITL issues.


1. When doing the consolidation should I pick TFTP or All? I have seen different sources have differing answers.


2. After the consolidation is finished I plan to import to both clusters so that phones should move freely in either direction. Is that right?


3. After the consolidation, do the TVS and TFTP services need to be restarted on all servers in the cluster or only on certain ones?

4. Does this process cause the phones to reset? If not, do the phones need to reset in order to update the ITL file before attempting to move them to another cluster?

Thanks for any assistance!

20 Replies

Chris Deren
Hall of Fame

Rather than consolidating the certs, just exchange the CallManager certs between the clusters. You can do it in the following fashion:

download <hostname>-callmanager.pem from each node on both clusters

and upload each cert as Phone-SAST-Trust on the other cluster's publisher

You should not need to restart any services, but if phones don't transition between clusters, restart the Trust Verification Service (TVS) service.

Chris,

Thanks for your reply. This is the first I have heard of this solution. It does not seem to be documented by Cisco anywhere.

I would prefer to stay in the mainstream of Cisco recommended solutions.

Certificate consolidation does the exact same thing Chris told you. Behind the scenes it just exports all the certificates to the central repository, and once you import them, it places each certificate in the appropriate -trust store.

It just automates the procedure so you don't have to download each individual certificate and then also upload every single certificate to the -trust store.

EDIT: You can see it here as I do it

https://youtu.be/skZvyVw9j0g

HTH

java

if this helps, please rate

Do the clusters need connectivity with each other for the consolidation to work?
Or can I export the certs from one cluster and then consolidate them in another cluster, without connectivity?

Consolidation takes place on the SFTP server, so you need to export all certs to SFTP, then perform the consolidation from any of the CUCM clusters, and then import to each cluster. So, no direct connection between clusters is necessary.

This is confusing... I saw a different point of view ...

"Remember that the IP Phones verify every downloaded file against either the ITL file, or against a TVS server that exists in the ITL file. If the phone needs to move to a new cluster, the ITL file the new cluster presents must be trusted by the old cluster's TVS certificate store."

https://supportforums.cisco.com/t5/collaboration-voice-and-video/migrating-ip-phones-between-clusters-with-cucm-8-and-itl-files/ta-p/3108501

I responded to your cert consolidation question, not how ITL certs work. In any case, in order for phones to migrate successfully between clusters, the CallManager certs need to be imported into the Phone-SAST-Trust stores between clusters. You can do this either manually or using the consolidation method, which is easy. The CUCM clusters do not need to talk to each other at any point for this.

I moved some Cisco 3905 phones to another cluster and I didn't need to do certificate consolidation or remove the security configurations. Is there something different in this phone model?

That model doesn't support/use ITL/SBD, that's why you were able to move it without doing anything else.

HTH

java

if this helps, please rate

Thank you for the quick reply!

Not all phones have ITL certs, e.g. gen1 phones such as the 7940/60, and this one.

Thank you, Chris!

Jaime, I have hit the same bug as in your video. Can you direct me as to which certs should be manually moved between clusters?

In the video, at 6:14, it shows which certificates can be exported for certificate consolidation: Tomcat, TFTP and CAPF.

The bug in the video description also provides this information. Did you review it?

HTH

java

if this helps, please rate