CUCM 10.5(2): how to correctly renew an expired "ITLRecovery" certificate?

raziel1978kain
Level 1

Hello,

we have a CUCM 10.5(2) cluster.

We have noticed on the OS Administration of the Publisher that the "ITLRecovery" certificate has expired.

What is the correct procedure to renew this certificate and to deploy it to the phones?

TIA and regards.

10 Replies

Mike_Brezicky
Cisco Employee

Please check out the cert regeneration document. ITL Recovery is listed here:
https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/214231-certificate-regeneration-process-for-cis.html#anc24

Generally, as long as your CallManager, TFTP and all TVS are in a good state, regenerating ITL Recovery on its own should be painless.

Hello Mike,

thank you for the link; we will have a look at it.

We also have noticed that we have 2 expired "...-trust" certificates on the Publisher, both with Common Name "CAPF-........".

They seem to be "orphan", i.e. we cannot find the corresponding non-"...-trust" certificates on any node (we have 2 nodes).

So, can they be safely deleted?

Thanks again and regards.

Prassha
Level 1

Hello Raziel,

You can try regenerating the certificate one by one on all cluster nodes and restart the TVS service. Please follow the procedure as mentioned below:

  1. Navigate to each server in your cluster (in separate tabs of your web browser), beginning with the publisher, then each subscriber. Navigate to Cisco Unified OS Administration > Security > Certificate Management > Find
    • Select the ITLRecovery pem Certificate.
    • Once open, select Regenerate and wait until you see the Success pop-up, then close the pop-up or go back and select Find/List
  2. Continue with subsequent Subscribers; follow the same procedure as in step 1 and complete it on all subscribers in your cluster
  3. After all Nodes have regenerated the ITLRecovery certificate, services will need to be restarted in the order as follows:
    • If you are in Mixed Mode – Update the CTL before you proceed (Token - Tokenless)
    • Log into the Publisher's Cisco Unified Serviceability
      • Navigate to Cisco Unified Serviceability > Tools > Control Center - Network Services
      • On the publisher, select Restart on Cisco Trust Verification Service.
    • Once the service restart completes, continue with the subscribers and restart the Cisco Trust Verification Service
  4. Reboot all Phones
    • Cisco Unified CM Administration > System > Enterprise Parameters
    • Select Reset; you will see a pop-up with the statement "You are about to reset all devices in the system. This action cannot be undone. Continue?". Select OK and then select Reset
  5. Phones will now upload the new ITL/CTL while they reset.

Note: The ITLRecovery Certificate is used when devices lose their trusted status. The certificate appears in both the ITL and CTL (when the CTL provider is active).
If devices lose their trust status, you can use the command utils itl reset localkey for non-secure clusters and the command utils ctl reset localkey for mixed-mode clusters. Read the Security guide for your Call Manager version to become familiar with how the ITLRecovery certificate is used and the process required to recover trusted status.
If the cluster has been upgraded to a version that supports a key length of 2048 and the cluster's server certificates have been regenerated to 2048, but the ITLRecovery has not been regenerated and is currently 1024 key length, the ITL recovery command will fail and the ITLRecovery method will not be able to be used.

Regards
Prassha3

Rate if you find this helpful or Mark Solutions as Accepted
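The steps above are GUI clicks; before relying on the ITLRecovery certificate for a `utils itl reset localkey` / `utils ctl reset localkey`, a practitioner also wants a quick, scriptable check that the certificate is unexpired and is not the 1024-bit key the note warns about. The following is an added example and is not from the thread, nor Cisco tooling: a POSIX shell check run with openssl against a PEM exported from Cisco Unified OS Administration > Security > Certificate Management (or pasted from the CLI, assumed to be `show cert own ITLRecovery`). The file name ITLRecovery.pem is an assumption; the certificate used in the test is generated locally.

```shell
#!/bin/sh
# Added example: sanity-check an exported CUCM ITLRecovery.pem with openssl.
# Not Cisco's tooling. Requires the openssl CLI.

# Print the RSA key length in bits of the certificate in $1 (e.g. "2048").
# Matches both "Public-Key: (2048 bit)" (OpenSSL 3.x) and
# "RSA Public-Key: (2048 bit)" (OpenSSL 1.1.x). Prints nothing for non-RSA keys.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
      | sed -n 's/^.*Public-Key: (\([0-9]*\) bit).*$/\1/p'
}

# Exit 0 if the certificate in $1 is still valid $2 seconds from now,
# non-zero if it has expired or will expire within that window.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Print the notAfter date as openssl reports it (useful in a ticket).
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Combine the two constraints from the thread:
#   expired      -> the certificate must be regenerated on every node first
#   key < 2048   -> the itl/ctl "reset localkey" recovery path will fail
# Output is one line: "<valid|expired> <bits> <ok|weak>".
check_itlrecovery() {
    cert="$1"
    bits=$(cert_key_bits "$cert")
    bits=${bits:-0}                     # non-RSA or unparsable -> treat as weak
    if cert_valid_for "$cert" 0; then
        status="valid"
    else
        status="expired"
    fi
    if [ "$bits" -lt 2048 ]; then
        keystate="weak"
    else
        keystate="ok"
    fi
    echo "$status $bits $keystate"
}

# Usage: sh check_itlrecovery.sh ITLRecovery.pem
if [ $# -ge 1 ]; then
    check_itlrecovery "$1"
    echo "notAfter: $(cert_not_after "$1")"
fi
```

Run the check on every node's exported ITLRecovery.pem, not just the publisher's: the procedure above regenerates the certificate per node, and an old 1024-bit copy left on one subscriber is enough for the recovery command on that node to fail.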

Hello Prassha,

Actually, it seems that every node has these valid "CAPF" certificates:

  • 1 "CAPF" certificate (from itself);
  • 1 "CAPF-trust" certificate (from itself);
  • 2 "CallManager-trust" certificates (1 from itself and 1 from the other node).

Is this analysis correct?

Furthermore, the Publisher has the following additional expired "CAPF" certificates:

  • 1 "CAPF-trust" certificate (from itself);
  • 1 "CallManager-trust" certificate (from itself).

Maybe, when the "CAPF" certificates were regenerated on the Publisher, the old ones were not automatically deleted.

So, if our hypothesis is correct, can we delete these last 2 certificates, since the other ones mentioned above seem to be the correct ones?

Thanks and regards.

Are you actively using the CAPF feature? If not, these certs do nothing.
Still maintain the CAPF itself, but many of the CAPF-trust-abcdefg are held in case an old phone is still using an old CAPF cert. If you know you are not using the feature, you can delete the expired ones.

Regardless, make sure your non-trust certs are regenerated one at a time, restart the corresponding service, then verify phone registration. Then you can move to the next service if needed. Never do more than one at a time, or you risk phones losing authentication with CUCM.

Hello Mike,

since we are not the ones that made the initial setup, how can we quickly check if this deployment is using the CAPF feature or not?

Thanks and regards.

Hello,

any suggestion about this question, please?

Regards.

If your cluster is in mixed mode you're using CAPF certs. Your endpoints would use CTL instead of ITL.

Go to CM Serviceability > Network Services and see if the Cisco Certificate Authority Proxy Function service is activated and running.

Hello Mike,

yes, it is activated and running.

But it could have been activated at the beginning of the deployment in bulk with all the other services, so we are not sure that it is actively used.

Regards.
