Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
30127
Views
151
Helpful
54
Replies

CUCM CAP-RTP-001 and CAP-RTP-002

Go to solution
extremum
Level 1
Level 1

‎11-28-2022 04:47 AM

Hello ,

These tow certs CAP-RTP-001 and CAP-RTP-002 are installed the cucm as callmanager-trust and capf-trust , they will be expired in 2023 . How can we get new / valid certs .

Thanks.

15 people had this problem
54 Replies 54

Go to solution
Meraj Ali
Cisco Employee
Cisco Employee
In response to BenBen

‎02-06-2023 03:09 PM

You can refer to this post that has the same topic covered in some detail - https://community.cisco.com/t5/unified-communications-infrastructure/cucm-capf-certificate-question/td-p/4749655

If you have a large environment or difficulties understanding their dependency, I would advise reaching out to TAC.

0 Helpful

Go to solution
anthony.smith
Level 1
Level 1

‎01-10-2023 01:40 PM

The attached image is what we're seeing in our CUCM 12.5 system. So, it looks like we can delete CAP-RTP-001 which will be replaced by CAP-RTP-002.

Preview file
101 KB
0 Helpful

Go to solution
Roger Kallberg
VIP
VIP
In response to anthony.smith

‎01-10-2023 09:57 PM

There are likely more certificates present with that description if you change the filter criteria. Quite likely both of these are replaced with other certificates as one is expiring in a few days and the other in a few months.



Response Signature


0 Helpful

Go to solution
KevinS1
Level 1
Level 1

‎01-11-2023 07:34 PM

We have the same issue reported here and have a TAC case open, sadly TAC seems to not know anything about this issue.  If we needed to upgrade from 12.5.1 version we are running I would think TAC would be telling us that. Not saying the upgrade path is incorrect, I am just saying we would like official word from Cisco as to what steps to take.  planning a version upgrade in less than 30 days is a big ask for our company.  -1 for Cisco TAC on these certs.... I guess I will requeue my tac case.    

0 Helpful

Go to solution
KevinS1
Level 1
Level 1
In response to KevinS1

‎01-12-2023 07:10 AM

TAC seems to not know what you guys are talking about as far as the RTP certs being replaced or updated by a CUCM upgrade. below is what they told me, sadly I don't trust this process TAC is recommending.  

  1. what is the process to replace these trust certificates? These are NOT CAPF certs see below be clear these are in the trust store for MIC certs and we need to know what we are to do to replace them?
    • These certs can’t be renewed / replaced. Once expired you won’t be able to authenticate your phones using MIC.
  2. What is the impact if they expire? How will Cisco provide updated certs to replace the CAP-RTP certs?
    • Once expired. The workaround is to configure LSC on your phones for the authentication.
0 Helpful

Go to solution
Roger Kallberg
VIP
VIP
In response to KevinS1

‎01-12-2023 07:44 AM - edited ‎01-12-2023 07:50 AM

These are all the certificates that we have present in the system that is used for validating the MIC. We have not added any of these manually, they all came during various upgrades of the CM. The list is from a 12.5SU5 installation.

CallManager-trust Cisco_Root_CA_2048_5ff87b282b54dc8d42a315b568c9adff Self-signed RSA Cisco_Root_CA_2048 Cisco_Root_CA_2048 05/14/2029 This certificate was used to sign the MIC installed on Cisco endpoint. Presence of this certificate allows the end point to communicate securely with UCM using the MIC when associated with a secure profile.
CallManager-trust Cisco_Manufacturing_CA_III_04302a0b364ce2da93 CA-signed RSA Cisco_Manufacturing_CA_III Cisco_Basic_Assurance_Root_CA_2099 05/26/2099 This certificate was used to sign the MIC installed on Cisco endpoint. Presence of this certificate allows the end point to communicate securely with UCM using the MIC when associated with a secure profile.
CallManager-trust ACT2_SUDI_CA_61096e7d00000000000c CA-signed RSA ACT2_SUDI_CA Cisco_Root_CA_2048 05/14/2029 This certificate was used to sign the MIC installed on Cisco endpoint. Presence of this certificate allows the end point to communicate securely with UCM using the MIC when associated with a secure profile.
CallManager-trust Cisco_Root_CA_M2_01 Self-signed RSA Cisco_Root_CA_M2 Cisco_Root_CA_M2 11/12/2037 This certificate was used to sign the MIC installed on Cisco endpoint. Presence of this certificate allows the end point to communicate securely with UCM using the MIC when associated with a secure profile.
CallManager-trust Cisco_Manufacturing_CA_6a6967b3000000000003 CA-signed RSA Cisco_Manufacturing_CA Cisco_Root_CA_2048 05/14/2029 This certificate was used to sign the MIC installed on Cisco endpoint. Presence of this certificate allows the end point to communicate securely with UCM using the MIC when associated with a secure profile.
CallManager-trust Cisco_Basic_Assurance_Root_CA_2099_01a65af15ee994ebe1 Self-signed RSA Cisco_Basic_Assurance_Root_CA_2099 Cisco_Basic_Assurance_Root_CA_2099 05/26/2099 This certificate was used to sign the MIC installed on Cisco endpoint. Presence of this certificate allows the end point to communicate securely with UCM using the MIC when associated with a secure profile.
CallManager-trust High_Assurance_SUDI_CA_0a6475524cd8617c62 CA-signed RSA High_Assurance_SUDI_CA Cisco_Root_CA_2099 08/09/2099 This certificate was used to sign the MIC installed on Cisco endpoint. Presence of this certificate allows the end point to communicate securely with UCM using the MIC when associated with a secure profile.
CallManager-trust Cisco_Manufacturing_CA_SHA2_02 CA-signed RSA Cisco_Manufacturing_CA_SHA2 Cisco_Root_CA_M2 11/12/2037 This certificate was used to sign the MIC installed on Cisco endpoint. Presence of this certificate allows the end point to communicate securely with UCM using the MIC when associated with a secure profile.
CallManager-trust Cisco_Root_CA_2099_019a335878ce16c1c1 Self-signed RSA Cisco_Root_CA_2099 Cisco_Root_CA_2099 08/09/2099 This certificate was used to sign the MIC installed on Cisco endpoint. Presence of this certificate allows the end point to communicate securely with UCM using the MIC when associated with a secure profile.
CAPF-trust Cisco_Root_CA_2048_5ff87b282b54dc8d42a315b568c9adff Self-signed RSA Cisco_Root_CA_2048 Cisco_Root_CA_2048 05/14/2029 This certificate was used to sign the MIC installed on Cisco endpoint. Presence of this certificate allows the end point to communicate securely with UCM using the MIC when associated with a secure profile.
CAPF-trust Cisco_Manufacturing_CA_III_04302a0b364ce2da93 CA-signed RSA Cisco_Manufacturing_CA_III Cisco_Basic_Assurance_Root_CA_2099 05/26/2099 This certificate was used to sign the MIC installed on Cisco endpoint. Presence of this certificate allows the end point to communicate securely with UCM using the MIC when associated with a secure profile.
CAPF-trust ACT2_SUDI_CA_61096e7d00000000000c CA-signed RSA ACT2_SUDI_CA Cisco_Root_CA_2048 05/14/2029 This certificate was used to sign the MIC installed on Cisco endpoint. Presence of this certificate allows the end point to communicate securely with UCM using the MIC when associated with a secure profile.
CAPF-trust Cisco_Root_CA_M2_01 Self-signed RSA Cisco_Root_CA_M2 Cisco_Root_CA_M2 11/12/2037 This certificate was used to sign the MIC installed on Cisco endpoint. Presence of this certificate allows the end point to communicate securely with UCM using the MIC when associated with a secure profile.
CAPF-trust Cisco_Manufacturing_CA_6a6967b3000000000003 CA-signed RSA Cisco_Manufacturing_CA Cisco_Root_CA_2048 05/14/2029 This certificate was used to sign the MIC installed on Cisco endpoint. Presence of this certificate allows the end point to communicate securely with UCM using the MIC when associated with a secure profile.
CAPF-trust Cisco_Basic_Assurance_Root_CA_2099_01a65af15ee994ebe1 Self-signed RSA Cisco_Basic_Assurance_Root_CA_2099 Cisco_Basic_Assurance_Root_CA_2099 05/26/2099 This certificate was used to sign the MIC installed on Cisco endpoint. Presence of this certificate allows the end point to communicate securely with UCM using the MIC when associated with a secure profile.
CAPF-trust High_Assurance_SUDI_CA_0a6475524cd8617c62 CA-signed RSA High_Assurance_SUDI_CA Cisco_Root_CA_2099 08/09/2099 This certificate was used to sign the MIC installed on Cisco endpoint. Presence of this certificate allows the end point to communicate securely with UCM using the MIC when associated with a secure profile.
CAPF-trust Cisco_Manufacturing_CA_SHA2_02 CA-signed RSA Cisco_Manufacturing_CA_SHA2 Cisco_Root_CA_M2 11/12/2037 This certificate was used to sign the MIC installed on Cisco endpoint. Presence of this certificate allows the end point to communicate securely with UCM using the MIC when associated with a secure profile.
CAPF-trust Cisco_Root_CA_2099_019a335878ce16c1c1 Self-signed RSA

Cisco_Root_CA_2099

 Cisco_Root_CA_2099 08/09/2099 This certificate was used to sign the MIC installed on Cisco endpoint. Presence of this certificate allows the end point to communicate securely with UCM using the MIC when associated with a secure profile.


Response Signature


0 Helpful

Go to solution
extremum
Level 1
Level 1
In response to Roger Kallberg

‎01-12-2023 07:48 AM

Hi Roger , which version is this ? i could not see CAP certs.  are they already deleted ?

Go to solution
KevinS1
Level 1
Level 1
In response to Roger Kallberg

‎01-12-2023 07:49 AM

what version are you running that supplied a resolution to this issue?

 

0 Helpful

Go to solution
Roger Kallberg
VIP
VIP
In response to KevinS1

‎01-12-2023 10:05 AM

I updated my response with this.



Response Signature


0 Helpful

Go to solution
veronique8789
Level 1
Level 1

‎01-12-2023 07:39 AM

You are right, TAC just gave me the same answer

0 Helpful

Go to solution
KevinS1
Level 1
Level 1

‎01-12-2023 07:50 AM

This seems like Cisco did not prepare for their own certs to expire or the TAC agents do not know how to address this issue. we should not be forced to install LSC on phones just to have them register, if I am understanding the outcome correctly. I have requested a webex session to review this issue as I do not think we are addressing the issue here.  people in this forum say the certs are replace via a version upgrade yet I have 3 clusters on different versions and they all have the same expire dates!   I would love to know what version of CUCM would resolve this issue, and why would TAC not know about this version upgrade to resolve the issue?

0 Helpful

Go to solution
Roger Kallberg
VIP
VIP
In response to KevinS1

‎01-13-2023 11:43 PM

I don’t know for others, but I’m actually not saying that these specific are updated by a version upgrade. What I try to get across is that MIC validation certificates are updated by a version upgrade, that does not mean that these specific certificates are the once being updated. By looking at what is current for MIC validation certificates my understanding is that version upgrades puts in other certificates that are to be used for this.



Response Signature


Go to solution
automatyck
Level 1
Level 1

‎01-13-2023 04:10 PM

In case it helps anyone else who finds this thread, I had similar questions about the CAP-RTP-001 and CAP-RTP-002 certificates that expire in 2023.

Our CUCM cluster is version 14.0.1.11900-132. We have the CAPF service activated but the cluster is not in Mixed Mode.  I deleted the expiring CAP-RTP-001 cert from our CallManager-trust and CAPF-trust and it did not cause any problems. The phones continued to be able to register to CUCM after the certificate was deleted.

I plan to delete the CAP-RTP-002 certificate before it expires as well.

Go to solution
anthony.smith
Level 1
Level 1
In response to automatyck

‎01-13-2023 05:49 PM

Do you have valid LSC certificates on your phones?

0 Helpful

Go to solution
automatyck
Level 1
Level 1
In response to anthony.smith

‎01-16-2023 01:46 PM

No, we do not have an LSC installed on our phones.

0 Helpful
Customers Also Viewed These Support Documents