CUCM 8.x: self-signed certificates expiring

raziel78kain
Level 2

Hello,

we have a CUCM 8.x cluster (made by 3 servers).

We have noticed that the self-signed certificates are going to expire.

Since we have seen that there are several certificates to regenerate (tomcat, ipsec, CallManager, CAPF, TVS), and since we have read that we could have issues with the devices interacting with the CUCM (the phones first of all, but also other servers, Cisco and non-Cisco) if we don't regenerate them correctly, we would like to know the right procedure to regenerate them on all the servers and to update them on the various devices.

TIA and regards.

21 Replies

Rajan
VIP Alumni

Hi,

One important thing you need to keep in mind is to never regenerate the TVS and TFTP certs together. It will create issues with phone registration, as the phone won't be able to trust anything.

If you need to regenerate both TVS and TFTP certificates, regenerate the TVS certificate, wait for the phone restarts to complete, and then regenerate the TFTP certificate separately.

You can refer to the links below for the procedures:

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html#anc11

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/8_6_1/secugd/sec-861-cm/secusbd.html#wp1093961

HTH

Rajan

Hello Rajan,

thank you for your answer.

What about the interaction of the CUCM with other servers (e.g., UCCX, CUP, CUC, ...)?

Do we have to follow special procedures to update the CUCM certificates that may be present on these servers?

Regards.

Have you uploaded the CM tomcat certs on the servers you are referring to, i.e., UCCX, CUP and CUC? If not, then there is no need to worry. If yes, then after regenerating the required certs on CM, simply download the tomcat and tomcat-trust certificates from CM and upload them on these servers as tomcat-trust.

Regards

Deepak

Thanks Deepak for your answer.

Hello Deepak,

we have noticed that on each particular CUCM node there are several "...-trust" certificates related to the other CUCM nodes of the cluster.

Are these certificates automatically renewed when we regenerate them on the other CUCM nodes, or do we have to manually download them from the other CUCM nodes and upload them on the particular CUCM node?

Furthermore, do we have to restart any service when we upload the certificates as "...-trust" certificates?

Thanks and regards.

Certificates will automatically be renewed on the other CM nodes within the cluster; no manual intervention is required for that. You can also verify it by simply opening the PEM file of, for example, the Publisher Tomcat certificate and looking at the serial number, then going to the other node and matching the serial number.

Furthermore, do we have to restart any service when we upload the certificates as "...-trust" certificates?

Yes, ideally you will need to restart the related services, such as Tomcat if you are uploading a Tomcat-trust certificate, etc.

Regards

Deepak
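The serial-number check Deepak describes can be scripted once the PEM files have been downloaded from each node. The following is an added example, not code from the original thread or from Cisco: it walks just enough of the DER structure (standard library only) to read each certificate's serial number and notAfter date, reports what is expiring, and flags any node whose tomcat-trust copy of a peer's certificate no longer carries that peer's current serial. The node names (pub, sub1, sub2) and the embedded certificates are constructed toy data; the toy certificates are unsigned and only exist so the script runs offline.

```python
"""Audit CUCM certificate PEMs (as downloaded from OS Administration >
Security > Certificate Management) for expiry, and check that each node's
tomcat-trust copy of a peer's certificate carries the peer's current serial.
Standard library only; the DER walk reads just enough of tbsCertificate
to reach serialNumber and validity.notAfter."""
import base64
import datetime as dt

# ---- minimal DER reader: returns (tag, value, position after the element) ----
def _tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _time(tag, body):                       # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(body.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def parse_pem(pem):
    """Return (serial as lowercase hex, notAfter as an aware datetime)."""
    b64 = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    _, cert, _ = _tlv(base64.b64decode(b64), 0)   # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                      # tbsCertificate
    tag, body, pos = _tlv(tbs, 0)
    if tag == 0xA0:                                # optional [0] EXPLICIT version
        tag, body, pos = _tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER, got tag 0x%02x" % tag)
    serial = format(int.from_bytes(body, "big"), "x")
    _, _, pos = _tlv(tbs, pos)                     # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                     # issuer Name
    _, validity, _ = _tlv(tbs, pos)                # validity { notBefore, notAfter }
    _, _, p = _tlv(validity, 0)
    tag, not_after, _ = _tlv(validity, p)
    return serial, _time(tag, not_after)

def audit(inventory, now, warn_days=30):
    """inventory = {node: {cert_name: pem | {peer: pem}}} -> rows of
    (node, cert, serial, days_left, status) with status ok / RENEW / EXPIRED."""
    rows = []
    for node, certs in inventory.items():
        for name, value in certs.items():
            items = value.items() if isinstance(value, dict) else [(None, value)]
            for peer, pem in items:
                serial, not_after = parse_pem(pem)
                days = (not_after - now).days
                status = "EXPIRED" if days < 0 else "RENEW" if days <= warn_days else "ok"
                rows.append((node, name if peer is None else f"{name}/{peer}", serial, days, status))
    return rows

def trust_mismatches(inventory, cert="tomcat", trust="tomcat-trust"):
    """Serial check: the <trust> entry a node holds for a peer must match the
    serial of that peer's own <cert>. Returns [(node, peer)] that differ."""
    own = {n: parse_pem(c[cert])[0] for n, c in inventory.items() if cert in c}
    return [(node, peer)
            for node, certs in inventory.items()
            for peer, pem in certs.get(trust, {}).items()
            if peer in own and parse_pem(pem)[0] != own[peer]]

# ---- constructed sample input: unsigned toy DER certs, NOT real CUCM output ----
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def _seq(*parts): b = b"".join(parts); return b"\x30" + _len(len(b)) + b
def _int(n): b = n.to_bytes((n.bit_length() + 8) // 8, "big"); return b"\x02" + _len(len(b)) + b
def _utc(t): b = t.strftime("%y%m%d%H%M%SZ").encode(); return b"\x17" + _len(len(b)) + b

def toy_cert(serial, not_after):
    alg = _seq(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b", b"\x05\x00")  # sha256WithRSA, NULL
    name = _seq()                                                             # empty Name
    validity = _seq(_utc(not_after - dt.timedelta(days=5 * 365)), _utc(not_after))
    tbs = _seq(b"\xa0\x03" + _int(2), _int(serial), alg, name, validity, name, _seq(alg, b"\x03\x01\x00"))
    der = _seq(tbs, alg, b"\x03\x01\x00")                                     # empty BIT STRING signature
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

NOW = dt.datetime(2016, 3, 1, tzinfo=dt.timezone.utc)
PUB_TOMCAT = toy_cert(0x1A2B, NOW + dt.timedelta(days=20))            # renew soon
SAMPLE = {   # hypothetical three-node cluster: pub, sub1, sub2
    "pub":  {"tomcat": PUB_TOMCAT},
    "sub1": {"tomcat": toy_cert(0x3C4D, NOW + dt.timedelta(days=400)),
             "tomcat-trust": {"pub": PUB_TOMCAT}},                      # propagated copy, in sync
    "sub2": {"tomcat": toy_cert(0x5E6F, NOW - dt.timedelta(days=3)),    # already expired
             "tomcat-trust": {"pub": toy_cert(0x0999, NOW + dt.timedelta(days=700))}},  # stale copy
}

if __name__ == "__main__":
    for row in audit(SAMPLE, NOW):
        print("%-5s %-18s serial=%-6s days_left=%4d %s" % row)
    print("tomcat-trust out of sync:", trust_mismatches(SAMPLE))
```

With real files, replace SAMPLE with the PEMs you downloaded per node; the same two numbers can be read by hand with `openssl x509 -in cert.pem -noout -serial -enddate`, which is what the serial comparison in the post above boils down to.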

Hello Rajan,

above you told us that the TVS and the TFTP certificates have to be regenerated separately.

But what can you tell us about the other certificates (i.e., Tomcat, IPSec, CAPF)?

Do we have to follow special procedures or a specific order to regenerate them, or can they be regenerated in any order, without specific procedures?

In other words, considering that we have 3 CUCM nodes in our cluster, how would you regenerate these certificates?

Thanks and regards.

On the same server, do not regenerate TFTP and TVS at the same time, which means first regenerate one, restart the required service and wait for all the phones to reset. Once all phones are up, then regenerate the other one. The other certs you could regenerate together and then restart services.

Regarding the 2 CUCM nodes, I would suggest you do it one by one with phone resets.

HTH

Rajan

Hello Rajan,

so, since we have 3 CUCM nodes in our cluster, the phones will reset 6 times in total, i.e. 2 certificates (TFTP and TVS) x 3 nodes; no further phone resets are needed for the other 3 certificates (i.e., Tomcat, IPSec, CAPF); is that right?

Regards.

Yes. As mentioned in the document I have shared earlier "If you plan to regenerate multiples certificates you must regenerate the TFTP certificate last. Wait for the possible phone restarts to complete before you regenerate the TFTP certificate. You might need to manually delete the ITL File from all Cisco Unified IP Phones, if you do not follow this procedure."

Certs like Tomcat and IPsec don't need phone restarts. One other thing: is your cluster a secure one? You could check in the enterprise parameters whether the cluster security mode is set to 0 or 1. If it is 1, then it's a secure cluster and you need to take more precautions for CAPF, and you need to run the CTL client. If it is 0, then there is no need to worry about CAPF, as it won't be used.

HTH

Rajan
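The ordering rules spread over Rajan's replies (TVS and TFTP never in the same batch, a phone-reset wait after each of them, TFTP last on a node, nodes one at a time, the CTL client only when cluster security mode is 1) are easy to get wrong in a change ticket written by hand. The following is an added example, not code from the thread or from Cisco: it generates a batch plan that follows those rules and, more usefully, validates any plan you write yourself against them and counts the phone-reset waves (6 for TVS plus TFTP on 3 nodes, as worked out above). The service names in RESTART and the use of the `utils service restart` CLI are assumptions to confirm against the regeneration technote for your release; the "TFTP cert" of the thread is represented here as the CallManager certificate.

```python
"""Sequence certificate regeneration on a CUCM cluster by the rules in this
thread and validate a hand-written plan against them. Rules encoded:
 (1) TVS and the CallManager (TFTP) certificate never share a batch;
 (2) a batch touching either of them is followed by a phone-reset wait;
 (3) on each node the CallManager certificate goes last;
 (4) nodes are done one at a time, never interleaved."""

PHONE_TRUST = ("TVS", "CallManager")   # the thread's "TFTP cert" is the CallManager cert

# ASSUMED service to restart per certificate; confirm against the technote.
RESTART = {
    "tomcat": "Cisco Tomcat",
    "ipsec": "Cisco DRF Master / Cisco DRF Local",
    "CAPF": "Cisco Certificate Authority Proxy Function",
    "TVS": "Cisco Trust Verification Service",
    "CallManager": "Cisco Tftp",
}

def _batch(node, certs, wait, note=""):
    return {"node": node, "certs": list(certs),
            "restart": sorted({RESTART[c] for c in certs}),
            "wait_for_phones": wait, "note": note}

def plan(nodes, certs, cluster_security_mode=0):
    """Return an ordered list of batches for regenerating `certs` on each node."""
    batches = []
    quiet = [c for c in certs if c not in PHONE_TRUST]   # no phone reset needed
    for node in nodes:
        if quiet:
            note = ("secure cluster: run the CTL client after regenerating CAPF"
                    if "CAPF" in quiet and cluster_security_mode == 1 else "")
            batches.append(_batch(node, quiet, wait=False, note=note))
        for cert in PHONE_TRUST:          # TVS first, CallManager last, each on its own
            if cert in certs:
                batches.append(_batch(node, [cert], wait=True))
    return batches

def validate(batches):
    """Return a list of rule violations; an empty list means the plan is acceptable."""
    problems, order, last_cm = [], [], {}
    for i, b in enumerate(batches):
        hot = set(b["certs"]) & set(PHONE_TRUST)
        if hot == set(PHONE_TRUST):
            problems.append(f"batch {i} ({b['node']}): TVS and CallManager in the same batch")
        if hot and not b["wait_for_phones"]:
            problems.append(f"batch {i} ({b['node']}): no phone-reset wait after {sorted(hot)}")
        if "CallManager" in hot:
            last_cm[b["node"]] = i
        if order and b["node"] != order[-1] and b["node"] in order:
            problems.append(f"batch {i}: returns to {b['node']} after moving to another node")
        if not order or order[-1] != b["node"]:
            order.append(b["node"])
    for i, b in enumerate(batches):       # rule 3: nothing after CallManager on that node
        if b["node"] in last_cm and i > last_cm[b["node"]]:
            problems.append(f"batch {i} ({b['node']}): {b['certs']} scheduled after the CallManager certificate")
    return problems

def phone_reset_waves(batches):
    return sum(1 for b in batches if b["wait_for_phones"])

def describe(batches):
    """Render the plan as change-ticket lines (CLI form of the restart is assumed)."""
    lines = []
    for b in batches:
        lines.append(f"{b['node']}: regenerate {', '.join(b['certs'])}")
        lines.extend(f"{b['node']}: utils service restart {s}" for s in b["restart"])
        if b["note"]:
            lines.append(f"{b['node']}: {b['note']}")
        if b["wait_for_phones"]:
            lines.append(f"{b['node']}: wait until all phones have reset and re-registered")
    return lines

if __name__ == "__main__":
    p = plan(["pub", "sub1", "sub2"], ["tomcat", "ipsec", "CAPF", "TVS", "CallManager"])
    print("\n".join(describe(p)))
    print("phone reset waves:", phone_reset_waves(p), "violations:", validate(p))
```

Feeding `validate()` a plan that puts TVS and CallManager in one batch, or schedules anything on a node after its CallManager certificate, returns the offending batch numbers, which is the check worth running before the maintenance window rather than after the phones stop registering.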

Hello Rajan,

it's a non-secure cluster, since this parameter is set to 0.

Regards.

Hello Rajan,

we still haven't regenerated the certificates on our CUCM 8.5(1) cluster, because we want to research this subject further first.

Unfortunately, the more we read about it, the less we understand it! :-(

In fact, every guide that we have found (including the ones that you have linked) contains a different procedure to regenerate the certificates:

  • http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html
  • http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/8_5_1/secugd/sec-851-cm/secusbd.html
  • http://www.cisco.com/image/gif/paws/117299/117299-problemsolution-product-00.pdf
  • ...

For example, regarding the TVS certificate, after the certificate regeneration:

  • the technote (the first document linked above) simply states to restart the TVS service;
  • the security guide mentions to restart the TFTP service and reset the phones;
  • the third document linked above states to restart the TVS service, the TFTP service, and reset the phones.

We are very confused... We don't think that every procedure can be correct (or maybe yes?)...

So, could you help us to find the best/right procedure to regenerate the certificates, please?

Remember that we have a CUCM 8.5(1) cluster with 3 nodes.

Thanks again and regards.

Hello, can somebody tell me the impact on phones when certificates expire?

For simplicity assume a single publisher with just ip phones registered and no other services

Thanks

I suggest you watch this video, which covers all that

http://tools.cisco.com/pecx/login?URL=offeringDetail?offeringId=513132__1458608487138

HTH

java

if this helps, please rate