Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
26516
Views
149
Helpful
53
Replies

CUCM CAP-RTP-001 and CAP-RTP-002

Go to solution
extremum
Level 1
Level 1

‎11-28-2022 04:47 AM

Hello ,

These tow certs CAP-RTP-001 and CAP-RTP-002 are installed the cucm as callmanager-trust and capf-trust , they will be expired in 2023 . How can we get new / valid certs .

Thanks.

15 people had this problem
53 Replies 53

Go to solution
falling_d0wn
Level 1
Level 1

‎01-17-2023 06:20 AM

We have a small test cluster running 14 SU1.  It is in mixed mode with the CAPF service activated but is not using secure profiles for the phones or LSC trust.  I deleted CAP-RTP-001 and 002 from both Callmanager trust and CAPF trust (only found on the pub).  I then restarted the appropriate services.  The test phones continued to work.  I rebooted both the pub and sub (one at a time for good measure) and again, the phones continued to work.  I also verified that I could add new phones successfully.  

Go to solution
automatyck
Level 1
Level 1
In response to falling_d0wn

‎01-17-2023 09:21 AM

Good to hear it worked on your test cluster! I also did a full reboot of the publisher and subscribers (one at a time) after deleting the certificate.

0 Helpful

Go to solution
AbdulVaseemMohammed5593
Level 1
Level 1

‎01-20-2023 12:58 PM

I have deleted CAP-RTP-001 certificate from Callmanager-Trust but could not delete it from CAPF-Trust store. Received HTTP Status 404 Error.

0 Helpful

Go to solution
AbdulVaseemMohammed5593
Level 1
Level 1
In response to AbdulVaseemMohammed5593

‎01-20-2023 01:39 PM

I'm able to delete it from CAPF-Trust store as well. Earlier, I have stopped the Certificate Change Notification service as best practice before deleting any certificate. Not sure if that caused the issue. Later on we started back that service and deleted it from CAPF store. Thank you!

0 Helpful

Go to solution
Engnr
Level 1
Level 1

‎02-01-2023 06:50 AM

Hi guys,

I have CAPF expiring next week, should I be worried about anything? I am planning on deleting these at a later date following a system upgrade. I have both  Cisco CTL Provider and Cisco Certificate Authority Proxy Function services deactivated.

Thx

 

0 Helpful

Go to solution
er.sumansandeep1
Level 1
Level 1
In response to Engnr

‎02-01-2023 07:14 AM

Hallo,

I have updated UC Cluster yesterday and have deleted  CAP-RTP-001 and CAP-RTP-002 from  callmanager-trust and capf-trust . I was running cluster in mixed mode. Till now everything seems to be fine. I have downloaded the certificates from each Phone  and no certificate was signed from CAP-RTP-001 and CAP-RTP-002. With the Following Script , We can check signer of the Certificates instead of checking each Certificate manually. 

------------------------------------------------------------------------------------------------

#!/bin/bash

for i in *.cer
do
openssl x509 -noout -issuer -subject -dates -inform der -in $i
echo "----"
done

0 Helpful

Go to solution
Louiepatyk
Level 1
Level 1

‎02-03-2023 06:49 AM

I have a single cluster with 15,000 phones.  CAPF is not active and I am not running in Mixed mode.  TAC is telling me that I have to switch to LSC before RTP-001 expires on Monday.  Is this considered to be true?  Will this have any effect on my Gateways and Trunks?  

What will likely happen if I don't switch to LSC and just delete the RTP-001 cert?

0 Helpful

Go to solution
Roger Kallberg
VIP
VIP
In response to Louiepatyk

‎02-03-2023 07:42 AM

I don’t understand why they would want you to switch to LSC as your cluster is not in mixed mode? None of our clusters are in mixed mode and all we did was to delete the certificate. So far we have not seen any impact of this.



Response Signature


Go to solution
KevinS1
Level 1
Level 1

‎02-03-2023 08:09 AM - edited ‎02-21-2024 12:16 PM

HI, I have removed the two CAP-RTP-001 & 002 certs from both the trust stores in two different CUCM clusters.  One cluster was not in mixed mode and the other cluster was in mixed mode yet not using LSC or the secure profiles in the phones ( just mixed mode enabled without secure phones).   

The impact was nothing.  I did restart the recommended services and I also rebooted the full cluster as it had not been rebooted in a very long time.  

TAC could not provide any documents to talk about the two MIC certs and how they would or would not impact the cluster however two different TAC cases both gave me the same recommendation to delete the certs as I was not using secure profiles on the phones. If I was using secure profiles on the phones then I needed to push/install the LSC as standard practice for the phones to register in a secure cluster with secure profiles... yet on those clusters I did not need the secure profiles or LSCs.    

I hope that helps anyone else looking for more details.   Just delete it and cross your figures then restart the services.... 

( this is the same thing I posted in the other forum about this topic... FYI I will complete the same process on a 3rd cluster tonight, the other two clusters have been running fine for a week after removing the certs.) See this forum post ->  https://community.cisco.com/t5/unified-communications-infrastructure/cucm-capf-certificate-question/m-p/4766053/highlight/true#M173569https://community.cisco.com/t5/unified-communications-infrastructure/cucm-capf-certificate-question/m-p/4766053#M173...

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents