11-28-2022 04:47 AM
Hello,
These two certs, CAP-RTP-001 and CAP-RTP-002, are installed on the CUCM as callmanager-trust and capf-trust; they will expire in 2023. How can we get new/valid certs?
Thanks.
01-06-2023 09:04 PM
I am working on a solution/suggestion/recommendation for this as well. There are several certificate renewal/regeneration documents floating around in addition to the security management guide. Not too much was said about CAP-RTP-001 and CAP-RTP-002, which are expiring on Feb 6, 2023!
Seriously, we need to know what these two certificates are/were used for, and only Cisco can answer that question. I downloaded some MIC certificates from the IP phones; they were signed by "Cisco Manufacturing CA" with serial number "6a6967b3000000000003", which has an expiration date of 05/14/2029 (whew).
It will be much appreciated if anybody can share their experience with us.
Much thanks.
-Ben
01-06-2023 11:18 PM
These certificates are used if your system is running in Mixed mode for device secure registration.
01-09-2023 09:19 AM
We are running the Mixed Mode function and we are using CAPF with NAC.
We did renew the CAPF certificate last year.
Are those needed for the mixed mode?
CAP-RTP-001 & CAP-RTP-001 (callmanager-trust/capf-trust)?
01-10-2023 04:29 AM
These specific ones are used to validate the MIC on the devices when you run in secure mode. As these eventually will expire, Cisco provides new certificates that are used for this in updates of CM. That is yet another reason why it is advisable to keep the system(s) up to date.
01-10-2023 04:34 AM
We are running version 12.5, and every time we did a CUCM upgrade, I don't think those certificates changed or got updated. Since we are running in mixed mode and those certificates are not renewable, what is the solution for us?
01-10-2023 06:34 AM
An upgrade typically adds new/other certificates that are used to validate the MIC. If you look at the certificates that you have in your CM, you'd see a list of certs used for validation of the MIC on the devices. These ones that are expiring can be removed.
01-10-2023 06:46 AM
Thank you for your answer. If I look at the list of certificates, I see those that are expiring a couple of years later, and they have the same description:
- Cisco_Root_CA_2048
- ACT2_SUDI_CA
- Cisco_Manufacturing_CA_SHA2
- Cisco_Manufacturing_CA
- Cisco_Root_CA_M2
So I guess those were previously installed through an upgrade and they will be used instead of the ones expiring?
01-10-2023 07:05 AM
That is correct and is my understanding as well. For additional information on this you can have a look at this post that discussed more or less the same thing.
01-10-2023 07:23 AM
great
thank you
01-20-2023 01:00 PM
Hi Roger, I have deleted CAP-RTP-001 certificate from Callmanager-Trust but could not delete it from CAPF-Trust store. Received HTTP Status 404 Error.
01-20-2023 01:47 PM
I'm able to delete it from the CAPF-Trust store as well. Earlier, I had stopped the Certificate Change Notification service as a best practice before deleting any certificate. Not sure if that caused the issue. Later on we started that service back up and deleted it from the CAPF store. Thank you!
01-10-2023 09:41 AM
I am running mixed mode and have a secure cluster. So you're saying that I will need to renew this certificate even if I have LSC extended to all the phones?
01-10-2023 10:18 AM
No, that is not what I wrote. The certificates that are used for verification of MIC on the devices are updated by Cisco. The certificates that are expiring are not used, as they are replaced by other certificates. These get installed during upgrades of the system.
01-31-2023 01:02 PM
Thank you for your knowledge Roger, it is much appreciated.
My system right now (12.5) is in non-secure mode, so I can delete these things, but in the near future I will have to jump up to mixed mode and activate all this joy. Are you aware of how Cisco is planning to provide new certificates for 12.5 or 14? Would it be through an ES or SU?
Rob
02-06-2023 03:09 PM
You can refer to this post that has the same topic covered in some detail - https://community.cisco.com/t5/unified-communications-infrastructure/cucm-capf-certificate-question/td-p/4749655
If you have a large environment or difficulties understanding their dependency, I would advise reaching out to TAC.