raziel78kain
Explorer

CUCM 8.x: self-signed certificates expiring

Hello,

we have a CUCM 8.x cluster (made up of 3 servers).

We have noticed that the self-signed certificates are going to expire.

Since we have seen that there are several certificates to regenerate (tomcat, ipsec, CallManager, CAPF, TVS), and since we have read around that we could have issues with the devices interacting with the CUCM (first of all the phones, but also other servers, Cisco and non-Cisco) if we don't regenerate them correctly, we would like to know the right procedure to regenerate them on all the servers and to update them on the various devices.

TIA and regards.

2 Accepted Solutions
Rajan
Collaborator

Hi,

One important thing you need to keep in mind is to never regenerate the TVS and TFTP certs together. It will create issues with phone registration, as the phone won't be able to trust anything.

If you need to regenerate both TVS and TFTP certificates, regenerate the TVS certificate, wait for the phone restarts to complete, and then regenerate the TFTP certificate separately.

You can refer to the links below for the procedures:

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html#anc11

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/8_6_1/secugd/sec-861-cm/secusbd.html#wp1093961

HTH

Rajan


Have you uploaded the CM tomcat certs on the servers you are referring to, i.e., UCCX, CUP and CUC? If not, then there is no need to worry. If yes, then after regenerating the required certs on CM, simply download the tomcat and tomcat-trust certificates from CM and upload them on these servers as tomcat-trust.

Regards

Deepak


21 Replies

Hello Rajan,

thank you for your answer.

What about the interaction of the CUCM with other servers (e.g., UCCX, CUP, CUC, ...)?

Do we have to follow special procedures to update the CUCM certificates that may be present on these servers?

Regards.

Thanks Deepak for your answer.

Hello Deepak,

we have noticed that on each particular CUCM node there are several "...-trust" certificates related to the other CUCM nodes of the cluster.

Are these certificates automatically renewed when we regenerate them on the other CUCM nodes, or do we have to manually download them from the other CUCM nodes and upload them on the particular CUCM node?

Furthermore, do we have to restart any service when we upload the certificates as "...-trust" certificates?

Thanks and regards.

Certificates will automatically be renewed on the other CM nodes within the cluster; there is no manual intervention required for that. You can also verify that by simply opening the PEM file (for example of the Publisher Tomcat certificate) and looking for the Serial Number, then going to the other node and matching the Serial Number.

Furthermore, do we have to restart any service when we upload the certificates as "...-trust" certificates?

Yes, ideally you will need to restart the related services, such as Tomcat if you are uploading Tomcat-Trust, etc.

Regards

Deepak
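As an added example for this thread (not posted by Rajan, Deepak or the original poster): a small Python script that does the serial-number comparison Deepak describes across the PEM files downloaded from each node, and at the same time reports which copies are close to expiry, which is what the thread is about. It assumes you have exported the same logical certificate (for example the publisher's Tomcat cert as held in each node's tomcat-trust store) as PEM files from each node's OS Administration page. It walks the X.509 DER itself so it needs no third-party library; the node names, serial numbers and dates in the sample are constructed, and the sample certificates are unsigned skeletons with only the fields the parser reads.

```python
"""Check that a CUCM certificate copied to every node of a cluster is the
same certificate (matching serial number) and is not about to expire.

Constructed example: the X.509 DER is walked directly, so no external
library is needed. Only these fields are parsed:
  Certificate -> tbsCertificate -> [0] version, serialNumber, signature,
  issuer, validity (notBefore, notAfter).
"""
import base64
import re
from datetime import datetime, timezone


def _der_len(n):
    """Encode a DER length field (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    """Build one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split the value of a constructed element into its (tag, value) parts."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def pem_to_der(pem):
    """Extract and base64-decode the first CERTIFICATE block of a PEM text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def _parse_time(tag, val):
    """Decode UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def cert_info(pem):
    """Return {'serial': upper-case hex, 'not_after': aware datetime}."""
    tag, cert, _ = _read_tlv(pem_to_der(pem), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # EXPLICIT [0] version is optional
        fields = fields[1:]
    serial = format(int.from_bytes(fields[0][1], "big"), "X")
    not_after = _parse_time(*_children(fields[3][1])[1])  # validity.notAfter
    return {"serial": serial, "not_after": not_after}


def audit_trust_copies(pems_by_node, now, warn_days=30):
    """pems_by_node: {node: PEM text} of the same logical certificate as held
    on each node. Reports per-node serials, whether every copy matches, and
    which nodes hold a copy expiring within warn_days of `now`."""
    info = {node: cert_info(pem) for node, pem in pems_by_node.items()}
    serials = {node: i["serial"] for node, i in info.items()}
    expiring = sorted(n for n, i in info.items() if (i["not_after"] - now).days < warn_days)
    return {"serials": serials, "consistent": len(set(serials.values())) == 1,
            "expiring": expiring}


def _build_sample_cert(serial, not_before, not_after, cn):
    """Constructed, unsigned certificate skeleton with the real DER layout of
    the fields parsed above; key and signature are dummy BIT STRINGs."""
    sha256_rsa = _tlv(0x30, bytes.fromhex("06092A864886F70D01010B") + b"\x05\x00")
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, bytes.fromhex("0603550403") + _tlv(0x0C, cn.encode()))))
    validity = _tlv(0x30, _tlv(0x17, not_before) + _tlv(0x17, not_after))
    spki = _tlv(0x30, sha256_rsa + _tlv(0x03, b"\x00\x00"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, serial)
               + sha256_rsa + name + validity + name + spki)
    der = _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" * 5))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample: the publisher regenerated tomcat (serial ABCDEF) and
# sub1 holds the new copy, but sub2 still holds the old copy that expires on
# 2016-03-01. Node names, serials and dates are invented for this example.
CURRENT_PEM = _build_sample_cert(b"\x00\xAB\xCD\xEF", b"160110120000Z", b"210110120000Z", "cucm-pub")
STALE_PEM = _build_sample_cert(b"\x12\x34\x56", b"110301120000Z", b"160301120000Z", "cucm-pub")
SAMPLE_NODES = {"cucm-pub": CURRENT_PEM, "cucm-sub1": CURRENT_PEM, "cucm-sub2": STALE_PEM}
SAMPLE_NOW = datetime(2016, 2, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(audit_trust_copies(SAMPLE_NODES, SAMPLE_NOW))
```

On a real cluster, replace the constructed PEMs with the files downloaded from each node and pass `datetime.now(timezone.utc)` as `now`; a `consistent: False` result means one node still holds a different (usually stale) copy, which is exactly the case Deepak's manual serial check is meant to catch. Where OpenSSL is available, `openssl x509 -in cert.pem -noout -serial -enddate` prints the same two fields for a single file; the script only saves doing that by hand for every node.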

Hello Rajan,

above you have told us that the TVS and the TFTP certificates have to be regenerated separately.

But what could you tell us about the other certificates (i.e., Tomcat, IPSec, CAPF)?

Do we have to follow special procedures or a specific order to regenerate them, or can they be regenerated in any order, without specific procedures?

In other words, considering that we have 3 CUCM nodes in our cluster, how would you regenerate these certificates?

Thanks and regards.

In the same server, do not regenerate TFTP and TVS at the same time which means first regenerate one, restart the required service and wait for all the phones to reset