cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
30122
Views
151
Helpful
54
Replies

CUCM CAP-RTP-001 and CAP-RTP-002

extremum
Level 1
Level 1

Hello ,

These tow certs CAP-RTP-001 and CAP-RTP-002 are installed the cucm as callmanager-trust and capf-trust , they will be expired in 2023 . How can we get new / valid certs .

Thanks.

54 Replies 54

Did you restart the callmanager and capf trust service on the servers in the cluster after deleting these?

falling_d0wn
Level 1
Level 1

We have a small test cluster running 14 SU1.  It is in mixed mode with the CAPF service activated but is not using secure profiles for the phones or LSC trust.  I deleted CAP-RTP-001 and 002 from both Callmanager trust and CAPF trust (only found on the pub).  I then restarted the appropriate services.  The test phones continued to work.  I rebooted both the pub and sub (one at a time for good measure) and again, the phones continued to work.  I also verified that I could add new phones successfully.  

Good to hear it worked on your test cluster! I also did a full reboot of the publisher and subscribers (one at a time) after deleting the certificate.

I have deleted CAP-RTP-001 certificate from Callmanager-Trust but could not delete it from CAPF-Trust store. Received HTTP Status 404 Error.

I'm able to delete it from CAPF-Trust store as well. Earlier, I have stopped the Certificate Change Notification service as best practice before deleting any certificate. Not sure if that caused the issue. Later on we started back that service and deleted it from CAPF store. Thank you!

Engnr
Level 1
Level 1

Hi guys,

I have CAPF expiring next week, should I be worried about anything? I am planning on deleting these at a later date following a system upgrade. I have both  Cisco CTL Provider and Cisco Certificate Authority Proxy Function services deactivated.

Thx

 

Hallo,

I have updated UC Cluster yesterday and have deleted  CAP-RTP-001 and CAP-RTP-002 from  callmanager-trust and capf-trust . I was running cluster in mixed mode. Till now everything seems to be fine. I have downloaded the certificates from each Phone  and no certificate was signed from CAP-RTP-001 and CAP-RTP-002. With the Following Script , We can check signer of the Certificates instead of checking each Certificate manually. 

------------------------------------------------------------------------------------------------

#!/bin/bash

for i in *.cer
do
openssl x509 -noout -issuer -subject -dates -inform der -in $i
echo "----"
done

Louiepatyk
Level 1
Level 1

I have a single cluster with 15,000 phones.  CAPF is not active and I am not running in Mixed mode.  TAC is telling me that I have to switch to LSC before RTP-001 expires on Monday.  Is this considered to be true?  Will this have any effect on my Gateways and Trunks?  

What will likely happen if I don't switch to LSC and just delete the RTP-001 cert?

I don’t understand why they would want you to switch to LSC as your cluster is not in mixed mode? None of our clusters are in mixed mode and all we did was to delete the certificate. So far we have not seen any impact of this.



Response Signature


KevinS1
Level 1
Level 1

HI, I have removed the two CAP-RTP-001 & 002 certs from both the trust stores in two different CUCM clusters.  One cluster was not in mixed mode and the other cluster was in mixed mode yet not using LSC or the secure profiles in the phones ( just mixed mode enabled without secure phones).   

The impact was nothing.  I did restart the recommended services and I also rebooted the full cluster as it had not been rebooted in a very long time.  

TAC could not provide any documents to talk about the two MIC certs and how they would or would not impact the cluster however two different TAC cases both gave me the same recommendation to delete the certs as I was not using secure profiles on the phones. If I was using secure profiles on the phones then I needed to push/install the LSC as standard practice for the phones to register in a secure cluster with secure profiles... yet on those clusters I did not need the secure profiles or LSCs.    

I hope that helps anyone else looking for more details.   Just delete it and cross your figures then restart the services.... 

( this is the same thing I posted in the other forum about this topic... FYI I will complete the same process on a 3rd cluster tonight, the other two clusters have been running fine for a week after removing the certs.) See this forum post ->  https://community.cisco.com/t5/unified-communications-infrastructure/cucm-capf-certificate-question/m-p/4766053/highlight/true#M173569https://community.cisco.com/t5/unified-communications-infrastructure/cucm-capf-certificate-question/m-p/4766053#M173...