03-30-2016 02:02 AM - edited 03-17-2019 06:24 AM
Hello,
we have a CUCM 8.x cluster (made by 3 servers).
We have noticed that the self-signed certificates are going to expire.
Since we have seen that there are several certificates to regenerate (tomcat, ipsec, CallManager, CAPF, TVS), and since we have read around that we could have issues with the devices interacting with the CUCM (first of all the phones, but even other servers, Cisco and not) if we don't regenerate them correctly, we would like to know the right procedure to regenerate them on all the servers, and to update them on the various devices.
TIA and regards.
03-30-2016 02:50 AM
Hi,
One important thing you need to keep in mind is that never regenerate TVS and TFTP certs together. It will create issues with phone registration as the phone won't be able to trust anything.
If you need to regenerate both TVS and TFTP certificates, regenerate the TVS certificate, wait for the phone restarts to complete, and then regenerate the TFTP certificate separately.
You can refer the below link for the procedures:
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html#anc11
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/8_6_1/secugd/sec-861-cm/secusbd.html#wp1093961
HTH
Rajan
03-30-2016 03:35 AM
Hello Rajan,
thank you for your answer.
What about the interaction of the CUCM with other servers (e.g: CUCCX, CUP, CUC, ...)?
Do we have to follow special procedures to update the CUCM certificates eventually present on these servers?
Regards.
03-30-2016 05:11 AM
Have you uploaded the CM tomcat certs on the servers you are referring to? i.e., UCCX, CUP and CUC. If no, then no need to worry. If yes, then after regenerating the required certs on CM simply download the tomcat and tomcat trust certificate from CM and upload them on these servers as tomcat-trust.
Regards
Deepak
03-30-2016 05:29 AM
Thanks Deepak for your answer.
03-31-2016 12:43 AM
Hello Deepak,
we have noticed that on each particular CUCM node there are several "...-trust" certificates related to the other CUCM nodes of the cluster.
Are these certificates automatically renewed when we regenerate them on the other CUCM nodes, or do we have to manually download them from the other CUCM nodes and upload them on the particular CUCM node?
Furthermore, do we have to restart any service when we upload the certificates as "...-trust" certificates?
Thanks and regards.
03-31-2016 12:53 AM
Certificates will automatically be renewed on the other CM node within the cluster, there is no manual intervention required for that. You can also verify that by simply opening the PEM file for example of Publisher Tomcat certificate and look for Serial number, now go on the other node and match the Serial Number.
Furthermore, do we have to restart any service when we upload the certificates as "...-trust" certificates?
Yes, ideally you will need to restart the related services such as tomcat if you are uploading Tomcat-Trust etc.
Regards
Deepak
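The serial-number comparison Deepak describes (open the PEM of the publisher's certificate on each node and confirm the serials match) and the expiry question that started the thread can both be automated. The following is an added example, not code from the original thread or from Cisco: a small pure-Python DER walker that pulls the serial number and validity window out of any PEM-encoded X.509 certificate, plus a check that the copies held by each node agree and reports days to expiry. The node names, serial numbers and dates are constructed sample data; the sample certificates it builds are syntactically valid but unsigned placeholders used only to exercise the parser.

```python
import base64
import re
from datetime import datetime, timezone

# ---- minimal DER helpers (generic; they work on real X.509 certificates too) ----

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the content of a constructed DER value into (tag, value) items."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        items.append((tag, val))
    return items

def _der(tag, content):
    """Encode one DER TLV (only used to build the constructed sample below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _time(tag, value):
    """UTCTime (YYMMDD..., RFC 5280 century pivot at 50) or GeneralizedTime -> aware datetime."""
    s = value.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def pem_to_der(pem_text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def cert_summary(pem_text):
    """Return the serial (upper-case hex, as the OS Administration page shows it) and validity."""
    tag, cert, _ = _tlv(pem_to_der(pem_text), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = _children(_children(cert)[0][1])        # tbsCertificate fields
    if fields[0][0] == 0xA0:                          # optional explicit [0] version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    # fields[1] = signature algorithm, fields[2] = issuer, fields[3] = validity
    not_before, not_after = (_time(t, v) for t, v in _children(fields[3][1]))
    return {"serial": format(serial, "X"), "not_before": not_before, "not_after": not_after}

def check_cluster_trust(node_pems, now):
    """node_pems: {node_name: PEM of the same certificate as stored on that node}.
    Confirms every node holds the same serial (the trust copy really propagated)
    and reports how many days remain before the earliest expiry."""
    summaries = {node: cert_summary(pem) for node, pem in node_pems.items()}
    serials = {node: s["serial"] for node, s in summaries.items()}
    not_after = min(s["not_after"] for s in summaries.values())
    return {"serials_match": len(set(serials.values())) == 1,
            "serials": serials,
            "days_to_expiry": (not_after - now).days}

# ---- constructed sample data (hypothetical hostnames, serials and dates) ----

_OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")   # 1.2.840.113549.1.1.11
_OID_RSA = bytes.fromhex("2A864886F70D010101")          # 1.2.840.113549.1.1.1
_OID_CN = bytes.fromhex("550403")                       # 2.5.4.3 commonName

def make_sample_cert_pem(cn, serial, not_before, not_after):
    """Build a well-formed but UNSIGNED self-issued certificate (test data only;
    the signature field is a zero placeholder, not a real signature)."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, _OID_CN) + _der(0x13, cn.encode("ascii")))))
    alg = _der(0x30, _der(0x06, _OID_SHA256_RSA) + b"\x05\x00")
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    spki = _der(0x30, _der(0x30, _der(0x06, _OID_RSA) + b"\x05\x00") + _der(0x03, b"\x00" * 9))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                                # v3
                     + _der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
                     + alg + name + _der(0x30, utc(not_before) + utc(not_after)) + name + spki)
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 17))                          # placeholder sig
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

SAMPLE_NOW = datetime(2016, 3, 31, tzinfo=timezone.utc)

def build_sample_nodes():
    """Publisher tomcat cert as seen from three nodes; sub2 still holds a stale copy."""
    current = make_sample_cert_pem("cucm-pub.example.com", 0x1A2B3C,
                                   datetime(2011, 5, 1, tzinfo=timezone.utc),
                                   datetime(2016, 5, 1, tzinfo=timezone.utc))
    stale = make_sample_cert_pem("cucm-pub.example.com", 0x0FF1CE,
                                 datetime(2010, 5, 1, tzinfo=timezone.utc),
                                 datetime(2015, 5, 1, tzinfo=timezone.utc))
    return {"pub": current, "sub1": current, "sub2": stale}

if __name__ == "__main__":
    print(check_cluster_trust(build_sample_nodes(), SAMPLE_NOW))
```

In practice you would feed `check_cluster_trust` the PEM text downloaded from each node's OS Administration > Security > Certificate Management page (the same certificate, e.g. the publisher's tomcat cert as it appears in each subscriber's tomcat-trust list) and the current time; a `serials_match` of False means one node is still holding the old copy, and `days_to_expiry` gives you the lead time before the phones or integrated servers stop trusting it.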
03-31-2016 01:41 AM
Hello Rajan,
above you have told us that the TVS and the TFTP certificates have to be regenerated separately.
But what could you tell us about the other certificates (i.e., Tomcat, IPSec, CAPF)?
Do we have to follow special procedures or a specific order to regenerate them, or can they be regenerated in any order, without specific procedures?
In other words, considering that we have 3 CUCM nodes in our cluster, how would you regenerate these certificates?
Thanks and regards.
03-31-2016 01:44 AM
In the same server, do not regenerate TFTP and TVS at the same time which means first regenerate one, restart the required service and wait for all the phones to reset. Once all phones are up then regenerate the other one. Other certs you could regenerate together and then restart services.
Regarding 2 cucm nodes, I would suggest you to do it one by one with phone resets.
HTH
Rajan
03-31-2016 03:17 AM
Hello Rajan,
so, since we have 3 CUCM nodes in our cluster, the phones will have reset 6 times, i.e. 2 certificates (TFTP and TVS) x 3 nodes; no further phone resets are needed for the other 3 certificates (i.e., Tomcat, IPSec, CAPF); is it right?
Regards.
03-31-2016 03:47 AM
Yes. As mentioned in the document I have shared earlier "If you plan to regenerate multiples certificates you must regenerate the TFTP certificate last. Wait for the possible phone restarts to complete before you regenerate the TFTP certificate. You might need to manually delete the ITL File from all Cisco Unified IP Phones, if you do not follow this procedure."
Certs like tomcat and Ipsec don't need phone restarts. One other thing, is your cluster a secure one? You could check in the enterprise parameters whether cluster security mode is set to 0 or 1. If it is one, then it's a secure cluster and you need to take more precautions for CAPF and you need to run CTL client. If it is 0, then no need to worry about CAPF as it won't be used.
HTH
Rajan
03-31-2016 03:57 AM
Hello Rajan,
it's a non-secure cluster, since this parameter is set to 0.
Regards.
06-12-2016 03:13 AM
Hello Rajan,
we still haven't regenerated the certificates on our CUCM 8.5(1) cluster, because we want to better document on this subject.
Unfortunately, the more we document on it, the less we understand it! :-(
In fact, every guide that we have found (including the ones that you have linked) contains a different procedure to regenerate the certificates:
For example, regarding the TVS certificate, after the certificate regeneration:
We are very confused... We don't think that every procedure can be correct (or maybe yes?)...
So, could you help us to find the best/right procedure to regenerate the certificates, please?
Remember that we have a CUCM 8.5(1) cluster with 3 nodes.
Thanks again and regards.
04-13-2016 08:36 AM
Hello, can somebody tell me the impact on phones when certificates expires?
For simplicity assume a single publisher with just ip phones registered and no other services
Thanks
04-13-2016 09:24 AM
I suggest you watch this video, which covers all that
http://tools.cisco.com/pecx/login?URL=offeringDetail?offeringId=513132__1458608487138