02-10-2020 11:34 PM
Hello,
we have a CUCM 10.5(2) cluster.
We have noticed on the OS Administration of the Publisher that the "ITLRecovery" certificate has expired.
What is the correct procedure to renew this certificate and to deploy it to the phones?
TIA and regards.
02-11-2020 04:18 AM
02-11-2020 04:35 AM
Hello Mike,
thank you for the link; we will have a look at it.
We also have noticed that we have 2 expired "...-trust" certificates on the Publisher, both with Common Name "CAPF-........".
They seem to be "orphan", i.e. we cannot find the corresponding non-"...trust" certificates on any node (we have 2 nodes).
So, can they be safely deleted?
Thanks again and regards.
02-11-2020 04:54 AM
Hello Raziel,
You can try regenerating the certificate one by one on all cluster nodes and restarting the TVS service. Please follow the procedure as mentioned below:
Note: The ITLRecovery Certificate is used when devices lose their trusted status. The certificate appears in both the ITL and CTL (when CTL provider is active).
If devices lose their trust status, you can use the command utils itl reset localkey for non-secure clusters and the command utils ctl reset localkey for mix-mode clusters. Read the Security guide for your Call Manager version to become familiar with how the ITLRecovery certificate is used and the process required to recover trusted status.
If the cluster has been upgraded to a version that supports a key length of 2048, and the cluster's server certificates have been regenerated to 2048, but the ITLRecovery has not been regenerated and is currently 1024 key length, the ITL recovery command will fail and the ITLRecovery method will not be able to be used.
02-11-2020 07:01 AM
Hello Prassha,
actually, it seems that every node has these valid "CAPF" certificates:
Is this analysis correct?
Furthermore, the Publisher has the following additional expired "CAPF" certificates:
Maybe, when the "CAPF" certificates have been regenerated on the Publisher, the old ones have not been automatically deleted.
So, if our hypothesis is correct, can we delete these last 2 certificates, since the other ones mentioned above seem to be the correct ones?
Thanks and regards.
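A cluster-wide check of the three conditions discussed in this thread (expired entries, "-trust" entries with no matching own certificate on any node, and an ITLRecovery key shorter than the regenerated server certificates), as an added example that is not from the thread or from Cisco. The inventory, node names, fingerprints and dates are constructed, and pairing an own certificate with its trust copy by fingerprint is an assumption of this example.

```python
from datetime import date

# Constructed inventory standing in for the certificate lists of a two-node
# cluster; names, fingerprints (fp) and dates are made up for illustration.
# Entries whose name ends in "-trust" are trust-store copies; an own
# certificate and its trust copy are assumed to share a fingerprint.
INVENTORY = [
    {"node": "pub", "name": "CallManager", "subject": "CN=cucm-pub",    "fp": "a1", "bits": 2048, "expires": date(2022, 3, 1)},
    {"node": "pub", "name": "CAPF",        "subject": "CN=CAPF-new",    "fp": "c2", "bits": 2048, "expires": date(2022, 3, 1)},
    {"node": "pub", "name": "CAPF-trust",  "subject": "CN=CAPF-new",    "fp": "c2", "bits": 2048, "expires": date(2022, 3, 1)},
    {"node": "pub", "name": "CAPF-trust",  "subject": "CN=CAPF-old",    "fp": "c0", "bits": 1024, "expires": date(2019, 1, 1)},
    {"node": "pub", "name": "ITLRecovery", "subject": "CN=ITLRecovery", "fp": "r1", "bits": 1024, "expires": date(2019, 12, 1)},
    {"node": "sub", "name": "CallManager", "subject": "CN=cucm-sub",    "fp": "a2", "bits": 2048, "expires": date(2022, 3, 1)},
    {"node": "sub", "name": "CAPF",        "subject": "CN=CAPF-sub",    "fp": "c3", "bits": 2048, "expires": date(2022, 3, 1)},
    {"node": "sub", "name": "CAPF-trust",  "subject": "CN=CAPF-new",    "fp": "c2", "bits": 2048, "expires": date(2022, 3, 1)},
]
AS_OF = date(2020, 2, 11)  # constructed audit date


def is_trust(cert):
    return cert["name"].endswith("-trust")


def audit(inventory, today):
    """Return (kind, node, name, subject) findings for the whole cluster."""
    findings = []
    own = [c for c in inventory if not is_trust(c)]
    own_fps = {c["fp"] for c in own}  # own certificates present on any node
    for c in inventory:
        if c["expires"] < today:
            findings.append(("expired", c["node"], c["name"], c["subject"]))
        # Trust entry whose own certificate exists on no node: the "orphan"
        # case the thread asks about.
        if is_trust(c) and c["fp"] not in own_fps:
            findings.append(("orphan-trust", c["node"], c["name"], c["subject"]))
    # ITLRecovery key shorter than the regenerated server certificates: the
    # condition under which the thread says the ITL recovery command fails.
    server_bits = max(c["bits"] for c in own if c["name"] != "ITLRecovery")
    for c in own:
        if c["name"] == "ITLRecovery" and c["bits"] < server_bits:
            findings.append(("itlrecovery-key-too-short", c["node"], c["name"], c["subject"]))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY, AS_OF):
        print(*finding)
```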
02-11-2020 09:45 AM
02-11-2020 10:04 AM
Hello Mike,
since we are not the ones that have made the initial setup, how can we quickly check if this deployment is using the CAPF feature or not?
Thanks and regards.
02-13-2020 08:47 AM
Hello,
any suggestion about this question, please?
Regards.
02-13-2020 09:35 AM
If your cluster is in mixed mode you're using CAPF certs. Your endpoints would use CTL instead of ITL.
02-13-2020 09:49 AM
02-13-2020 09:56 AM
Hello Mike,
yes, it is activated and running.
But it could have been activated at the beginning of the deployment in bulk with all the other services, so we are not sure that it is actively used.
Regards.