Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
510
Views
0
Helpful
4
Replies

CUCM 8.6 - Certificate expiration Notification

Chris Bailey
Level 1
Level 1

‎06-14-2016 06:20 AM - edited ‎03-17-2019 07:14 AM

I'm getting alerts that these certs are expiring on our CUCM cluster (1 pub 1 sub)

We are running CUCM 8.6 Cluster Security Mode is set to 0

Is it as simple as hitting regenerate for each cert in OS administration or do we need to do this in a certain order?  

I found some guide online which mentions rebooting phones so ITL file can be updated - is this still required if running in non secure mode? 

------------------------------------------------------------------------------------------------------------------

Alarm to indicate that Certificate has Expired or Expires in less than seven days:

Unit:CallManager Type:own-cert Expiration

Unit:tomcat Type:own-cert Expiration

Unit:CAPF Type:own-cert Expiration

Unit:ipsec Type:own-cert Expiration

Unit:TVS Type:own-cert Expiration

Unit:CAPF-trust Type:own-cert 

Unit:tomcat-trust Type:own-cert 

Unit:tomcat-trust Type:own-cert 

Unit:CallManager-trust Type:own-cert 

Unit:CallManager-trust Type:own-cert 

Unit:CallManager-trust Type:own-cert 

Unit:ipsec-trust Type:own-cert 

Labels:
0 Helpful
4 Replies 4

Leszek Wojnarski
Cisco Employee
Cisco Employee

‎06-14-2016 06:39 AM

Hi Chris,

Please refer to:

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html

When it comes to phones restart:

"Caution: Regenerations of certificates triggers an automatic update of the ITL files within the cluster, which triggers a cluster-wide soft phone reset to allow phones to trigger an update of their local ITL. This is focused on CAPF and CallManager certificate regenerations, but can occur with other certificate stores within CUCM, such as Tomcat."

Leszek

0 Helpful

Chris Bailey
Level 1
Level 1
In response to Leszek Wojnarski

‎06-15-2016 06:33 AM

Thanks for the replies. 

is it important to also delete the expiring certificates after we have regenerated the new ones? 

0 Helpful

Leszek Wojnarski
Cisco Employee
Cisco Employee
In response to Chris Bailey

‎06-15-2016 06:36 AM

If you don't then you will be getting alerts, but leaving those expired certs will not break anything.

Leszek

0 Helpful

Jaime Valencia
Cisco Employee
Cisco Employee

‎06-14-2016 07:44 AM

Unless you use the prepare rollback parameter, ITL is always in use since 8.x, and that is completely independent of whether you're using a secure cluster, or not. Thus the name of SBD (security by default).

Read very carefully the doc Leszek provided, as not following the right order, or doing all the servers/certificates at the same time, will cause all of your phones to have ITL mismatch and they will require you to delete the ITL file for them to work again.

HTH

java

if this helps, please rate
0 Helpful
Customers Also Viewed These Support Documents