01-17-2018 04:43 PM - edited 03-17-2019 11:58 AM
I have read several different sources about the certificate consolidation process. I am still unclear about a couple of the points.
We have 2 large 10.5 clusters. We are moving phones from one to the other and we want to be able to roll back if need be without any ITL issues.
1. When doing the consolidation should I pick TFTP or All? I have seen different sources have differing answers.
2. After the consolidation is finished I plan to import to both clusters so that phones should move freely in either direction. Is that right?
3. After the consolidation does the TVS and TFTP need to be restarted on all servers in the cluster or only certain ones?
4. Does this process cause the phones to reset? If not, do the phones need to reset in order to update the ITL file before attempting to move them to another cluster?
Thanks for any assistance!
01-17-2018 04:58 PM
Rather than consolidating the certs, just exchange the CallManager certs between the clusters; you can do it in the following fashion:
download <hostname>-callmanager.pem from each node on both clusters
and upload each cert as Phone-SAST-trust on the other cluster's publisher.
You should not need to restart any services, but if phones don't transition between clusters, restart the Trust Verification Service (TVS).
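The trust decision behind the manual exchange above (and behind question 2 about importing into both clusters) can be seen in a small model. This is an added illustration written for this thread, not Cisco's code or anything from the video; cluster and host names are constructed, and the ITL, the TVS lookup and the Phone-SAST-trust store are simplified to name sets.

```python
"""Simplified model of how a Cisco IP phone decides whether to accept a new
ITL file after being moved between CUCM clusters (constructed illustration,
not Cisco's implementation). Certificates are represented by their file names;
'signing' an ITL just records which CallManager certificate signed it."""
from dataclasses import dataclass, field


@dataclass
class Cluster:
    name: str
    callmanager_certs: set                              # <hostname>-callmanager.pem per node
    phone_sast_trust: set = field(default_factory=set)  # Phone-SAST-trust store on the publisher

    def build_itl(self, tftp_node: str) -> dict:
        """ITL a phone downloads from this cluster: the cluster's own CallManager/TFTP
        certificates plus the TVS it should ask, signed by the TFTP node's certificate."""
        assert tftp_node in self.callmanager_certs
        return {"certs": set(self.callmanager_certs), "tvs": self.name, "signer": tftp_node}

    def tvs_verify(self, cert: str) -> bool:
        """TVS vouches for a certificate if it is one of the cluster's own
        certificates or has been uploaded as Phone-SAST-trust."""
        return cert in self.callmanager_certs or cert in self.phone_sast_trust


def phone_accepts_itl(current_itl: dict, new_itl: dict, clusters: dict) -> bool:
    """Phone logic: the signer of the new ITL must already be in the ITL the
    phone holds, or be vouched for by the TVS named in that ITL."""
    signer = new_itl["signer"]
    if signer in current_itl["certs"]:
        return True
    return clusters[current_itl["tvs"]].tvs_verify(signer)


def migration_outcomes(import_into_a: bool, import_into_b: bool) -> dict:
    """Simulate moving a phone from cluster A to B and rolling it back, with the
    CallManager certificates cross-imported as requested (constructed names)."""
    a = Cluster("A", {"cucm-a-pub-callmanager.pem", "cucm-a-sub1-callmanager.pem"})
    b = Cluster("B", {"cucm-b-pub-callmanager.pem", "cucm-b-sub1-callmanager.pem"})
    clusters = {"A": a, "B": b}
    if import_into_a:                       # B's certs uploaded on A's publisher
        a.phone_sast_trust |= b.callmanager_certs
    if import_into_b:                       # A's certs uploaded on B's publisher
        b.phone_sast_trust |= a.callmanager_certs
    itl_a = a.build_itl("cucm-a-sub1-callmanager.pem")
    itl_b = b.build_itl("cucm-b-sub1-callmanager.pem")
    return {"move_a_to_b": phone_accepts_itl(itl_a, itl_b, clusters),
            "rollback_b_to_a": phone_accepts_itl(itl_b, itl_a, clusters)}
```

Importing only into cluster A lets phones move to B but not roll back; the rollback path only works once A's certs are also in B's Phone-SAST-trust store.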
01-18-2018 08:04 AM
Chris,
Thanks for your reply. This is the first I have heard of this solution. It does not seem to be documented by Cisco anywhere.
I would prefer to stay in the mainstream of Cisco recommended solutions.
01-18-2018 08:09 AM - edited 01-18-2018 08:11 AM
Certificate consolidation does the exact same thing Chris told you; behind the scenes it just exports all the certificates to the central repository, and once you import them, it places each certificate in the appropriate -trust store.
It just automates the procedure so you don't have to download each individual certificate and then also upload every single certificate to the -trust store.
EDIT: You can see it here as I do it
06-25-2018 12:03 PM
06-25-2018 12:44 PM
Consolidation takes place on the SFTP server, so you need to export all certs to SFTP, then perform the consolidation from any of the CUCM clusters, and then import to each cluster. So, no direct connection between clusters is necessary.
06-25-2018 12:54 PM
06-25-2018 12:59 PM
I responded to your cert consolidation question, not how ITL certs work. In any case, in order for phones to migrate successfully between clusters, the CallManager certs need to be imported into Phone-SAST-trust between clusters; you can do this either manually or using the consolidation method, which is easy. The CUCM clusters do not need to talk to each other at any point for this.
07-18-2018 09:14 AM - edited 07-18-2018 09:15 AM
I moved some Cisco 3905 phones to the other cluster and I didn't need to do certificate consolidation or remove the security configuration. Is there something different about this phone model?
07-18-2018 09:25 AM
That model doesn't support/use ITL/SBD, that's why you were able to move it without doing anything else.
07-18-2018 09:37 AM
Thank you for the quick reply!
07-18-2018 09:31 AM
Not all phones have ITL certs, e.g. gen1 phones such as the 7940/60, and this one.
07-18-2018 09:38 AM
11-13-2018 04:49 AM
Jaime, I have hit the same bug as in your video; can you direct me as to which certs should be manually moved between clusters?
11-13-2018 06:27 AM
In the video, at 6:14, it shows which certificates can be exported for certificate consolidation: Tomcat, TFTP and CAPF.
The bug in the video description also provides this information; did you review it?