Solved: Re: CUCM CAP-RTP-001 and CAP-RTP-002 - Page 4

extremum · ‎11-28-2022

Hello ,

These tow certs CAP-RTP-001 and CAP-RTP-002 are installed the cucm as callmanager-trust and capf-trust , they will be expired in 2023 . How can we get new / valid certs .

Thanks.

automatyck · ‎01-17-2023

Good to hear it worked on your test cluster! I also did a full reboot of the publisher and subscribers (one at a time) after deleting the certificate.

AbdulVaseemMohammed5593 · ‎01-20-2023

I have deleted CAP-RTP-001 certificate from Callmanager-Trust but could not delete it from CAPF-Trust store. Received HTTP Status 404 Error.

AbdulVaseemMohammed5593 · ‎01-20-2023

I'm able to delete it from CAPF-Trust store as well. Earlier, I have stopped the Certificate Change Notification service as best practice before deleting any certificate. Not sure if that caused the issue. Later on we started back that service and deleted it from CAPF store. Thank you!

Engnr · ‎02-01-2023

Hi guys,

I have CAPF expiring next week, should I be worried about anything? I am planning on deleting these at a later date following a system upgrade. I have both Cisco CTL Provider and Cisco Certificate Authority Proxy Function services deactivated.

Thx

er.sumansandeep1 · ‎02-01-2023

Hallo,

I have updated UC Cluster yesterday and have deleted CAP-RTP-001 and CAP-RTP-002 from callmanager-trust and capf-trust . I was running cluster in mixed mode. Till now everything seems to be fine. I have downloaded the certificates from each Phone and no certificate was signed from CAP-RTP-001 and CAP-RTP-002. With the Following Script , We can check signer of the Certificates instead of checking each Certificate manually.

------------------------------------------------------------------------------------------------

#!/bin/bash

for i in *.cer
do
openssl x509 -noout -issuer -subject -dates -inform der -in $i
echo "----"
done

Louiepatyk · ‎02-03-2023

I have a single cluster with 15,000 phones. CAPF is not active and I am not running in Mixed mode. TAC is telling me that I have to switch to LSC before RTP-001 expires on Monday. Is this considered to be true? Will this have any effect on my Gateways and Trunks?

What will likely happen if I don't switch to LSC and just delete the RTP-001 cert?

Roger Kallberg · ‎02-03-2023

I don’t understand why they would want you to switch to LSC as your cluster is not in mixed mode? None of our clusters are in mixed mode and all we did was to delete the certificate. So far we have not seen any impact of this.

KevinS1 · ‎02-03-2023

HI, I have removed the two CAP-RTP-001 & 002 certs from both the trust stores in two different CUCM clusters. One cluster was not in mixed mode and the other cluster was in mixed mode yet not using LSC or the secure profiles in the phones ( just mixed mode enabled without secure phones).

The impact was nothing. I did restart the recommended services and I also rebooted the full cluster as it had not been rebooted in a very long time.

TAC could not provide any documents to talk about the two MIC certs and how they would or would not impact the cluster however two different TAC cases both gave me the same recommendation to delete the certs as I was not using secure profiles on the phones. If I was using secure profiles on the phones then I needed to push/install the LSC as standard practice for the phones to register in a secure cluster with secure profiles... yet on those clusters I did not need the secure profiles or LSCs.

I hope that helps anyone else looking for more details. Just delete it and cross your figures then restart the services....

( this is the same thing I posted in the other forum about this topic... FYI I will complete the same process on a 3rd cluster tonight, the other two clusters have been running fine for a week after removing the certs.) See this forum post -> Re: CUCM CAP-RTP-001 and CAP-RTP-002