I have read several different sources about the certificate consolidation process. I am still unclear about a couple of the points.
We have 2 large 10.5 clusters. We are moving phones from one to the other and we want to be able to roll back if need be without any ITL issues.
1. When doing the consolidation should I pick TFTP or All? I have seen different sources have differing answers.
2. After the consolidation is finished I plan to import to both clusters so that phones should move freely in either direction. Is that right?
3. After the consolidation does the TVS and TFTP need to be restarted on all servers in the cluster or only certain ones?
4. Does this process cause the phones to reset? If not, do the phones need to reset in order to update the ITL file before attempting to move them to another cluster?
Thanks for any assistance!
Rather than consolidating the certs, just exchange the CallManager certs between the clusters. You can do it in the following fashion:
download <hostname>-callmanager.pem from each node on both clusters
and upload each cert as Phone-SAST-Trust on the other cluster's publisher
You should not need to restart any services, but if phones don't transition between clusters, restart the Trust Verification Service (TVS) service.
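The manual exchange above is done entirely through the OS Administration pages; the one thing that goes wrong in practice is uploading the wrong file (a Tomcat cert, a cert from the wrong node, or one that is about to expire) as Phone-SAST-trust. The following is an added example, not code from the thread or from Cisco, that sanity-checks a directory of downloaded certificates before you upload them. It assumes the files are named `<hostname>-callmanager.pem` as in the reply above and that `openssl` is on the PATH; it never talks to CUCM itself.

```bash
#!/usr/bin/env bash
# Added example: inspect exported CallManager certs before uploading them as
# Phone-SAST-trust on the other cluster's publisher. Assumption: files are
# named <hostname>-callmanager.pem (naming taken from the reply above).
set -u

# check_callmanager_certs DIR [MIN_DAYS]
# Prints one line per certificate and returns non-zero if any file is not a
# parseable X.509 certificate or expires within MIN_DAYS days (default 90).
# A CN that does not match the hostname in the filename is reported as a
# warning only, since some deployments use a CN that is not the hostname.
check_callmanager_certs() {
    local dir=$1 min_days=${2:-90} rc=0
    local secs=$(( min_days * 86400 ))
    local f host subject cn enddate fp
    for f in "$dir"/*-callmanager.pem; do
        # Unmatched glob: the literal pattern comes back, so the file is absent.
        [ -e "$f" ] || { echo "no *-callmanager.pem files in $dir" >&2; return 1; }
        host=$(basename "$f" -callmanager.pem)
        # Reject anything openssl cannot parse as a certificate (e.g. a key,
        # an HTML error page saved by the browser, or an empty download).
        if ! subject=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 2>/dev/null); then
            echo "FAIL $f: not a parseable X.509 certificate" >&2
            rc=1
            continue
        fi
        cn=$(printf '%s\n' "$subject" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
        enddate=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -d= -f2)
        # -checkend returns non-zero if the cert expires within $secs seconds.
        if ! openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null; then
            echo "FAIL $f: CN=$cn expires $enddate (within $min_days days)" >&2
            rc=1
            continue
        fi
        case "$cn" in
            "$host"|"$host".*)
                echo "OK   $host CN=$cn notAfter=$enddate sha256=$fp" ;;
            *)
                echo "WARN $host CN=$cn does not match filename hostname (notAfter=$enddate sha256=$fp)" >&2 ;;
        esac
    done
    return $rc
}

# Usage: check_callmanager_certs /path/to/downloaded-certs 90
```

Run it once per cluster over the certs downloaded from that cluster's nodes, and only upload the set to the other cluster's publisher when every line reads OK; the SHA-256 fingerprints it prints are what you compare against the Phone-SAST-trust list afterwards to confirm every node's cert actually landed.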
Thanks for your reply. This is the first I have heard of this solution. It does not seem to be documented by Cisco anywhere.
I would prefer to stay in the mainstream of Cisco recommended solutions.
Certificate consolidation does the exact same thing Chris told you. Behind the scenes it just exports all the certificates to the central repository, and once you import them, it places each certificate in the appropriate -trust store.
It just automates the procedure so you don't have to download each individual certificate and then also upload every single certificate to the -trust store.
EDIT: You can see it here as I do it
Consolidation is taking place on the SFTP server, so you need to export all certs to SFTP, then perform the consolidation from any of the CUCM clusters, and then import to each cluster. So, no direct connection between clusters is necessary.
I responded to your cert consolidation question, not how ITL certs work. In any case, in order for phones to migrate successfully between clusters the CallManager certs need to be imported into Phone-SAST-trust between clusters; you can do this either manually or using the consolidation method, which is easy. The CUCMs do not need to talk to each other at any point for this.
I moved some Cisco 3905 phones to the other cluster and I didn't need to do certificate consolidation nor remove the security configurations. Is there something different in this phone model?
That model doesn't support/use ITL/SBD, that's why you were able to move it without doing anything else.
In the video it shows, at 6:14, what certificates can be exported for certificate consolidation: Tomcat, TFTP and CAPF.
The bug in the video description also provides this information, did you review it?