Cisco IP Phone shows Certificate Expired and does not register

fgasimzade · ‎06-24-2013

Hello everyone!

We are using Cisco Call Manager 6.1, some phones got unregistered, when I look in debug messages in IP Phone web page, I can see this error

ERR 04:27:43.532340 SECD: EROR:clpState: SSL3 alert read:fatal:certificate expired:<192.168.16.6>

ERR 04:27:43.533242 SECD: EROR:clpState: SSL_connect:failed in SSLv3 read finished A:<192.168.16.6>

ERR 04:27:43.533511 SECD: EROR:clpSetupSsl: ** SSL handshake failed, <192.168.16.6> c:7 s:8

ERR 04:27:43.533717 SECD: EROR:clpSetupSsl: SSL/TLS handshake failed, <192.168.16.6> c:7 s:8

ERR 04:27:43.533917 SECD: EROR:clpSetupSsl: SSL/TLS setup failed, <192.168.16.6> c:7 s:8

ERR 04:27:43.534106 SECD: EROR:clpSndStatus: SSL CLNT ERR, srvr<192.168.16.6>

ERR 04:27:43.534321 SECD: EROR:clpSndStatus: ** SEC-ERR: code:5(SSL_ALERT) subcode:45(EXPIRED_CERT)

ERR 04:27:43.534514 SECD: EROR:clpSndStatus: ** SEC-ERR: desc <certificate expired>

Need to mention that we were using MIC certificates for TLS, if I install LSC certificate on those unregistered phones, they register succesfully

Why do I get those error messages?

Thank you!

Jonathan Schulenberg · ‎06-25-2013

The MIC isn't supposed to be used beyond CAPF enrollment. With that disclaimer out of the way, what does the certificate expiry date say for the following?

The phone. Visible by typing https:// in your browser and viewing the cert (varies by browser)
CallManager service of the phone's primary/secondary/terrtiary CMG node. Visible from OS Administration > Certificate Management

Please remember to rate helpful responses and identify helpful or correct answers.

fgasimzade · ‎06-27-2013

Sorry for a late reply, we had holidays here

So,

1. I could not locate the phones certificate on the web page

2. CUCM certificates are all up to date