11-28-2022 04:47 AM
Hello,
These two certs, CAP-RTP-001 and CAP-RTP-002, are installed on the CUCM as callmanager-trust and capf-trust; they will expire in 2023. How can we get new/valid certs?
Thanks.
02-03-2023 08:09 AM - edited 02-21-2024 12:16 PM
Hi, I have removed the two CAP-RTP-001 & 002 certs from both the trust stores in two different CUCM clusters. One cluster was not in mixed mode and the other cluster was in mixed mode yet not using LSC or the secure profiles in the phones (just mixed mode enabled without secure phones).
The impact was nothing. I did restart the recommended services and I also rebooted the full cluster as it had not been rebooted in a very long time.
TAC could not provide any documents to talk about the two MIC certs and how they would or would not impact the cluster; however, two different TAC cases both gave me the same recommendation to delete the certs as I was not using secure profiles on the phones. If I was using secure profiles on the phones then I needed to push/install the LSC as standard practice for the phones to register in a secure cluster with secure profiles... yet on those clusters I did not need the secure profiles or LSCs.
I hope that helps anyone else looking for more details. Just delete it and cross your fingers, then restart the services....
(This is the same thing I posted in the other forum about this topic... FYI I will complete the same process on a 3rd cluster tonight; the other two clusters have been running fine for a week after removing the certs.) See this forum post -> https://community.cisco.com/t5/unified-communications-infrastructure/cucm-capf-certificate-question/m-p/4766053/highlight/true#M173569
11-28-2022 06:25 AM
The topic of certificate renewal has been discussed many, many times before in threads and there is already existing documentation on the topic. Have you reviewed any of those before posting?
01-18-2023 09:39 PM
If you do not want to answer, keep quiet. Do not act like GOD.
11-06-2024 07:40 AM
Kaboom!
09-21-2023 06:17 AM
Not helpful
11-28-2022 07:13 AM
Are you using the CAPF service, i.e. is your system in Mixed-Mode? If the answer is No then you can simply disregard these. If you would like to renew them anyway, so as not to have expired certificates in your system, please have a look at this document that I wrote a few years ago: Cisco UC Certificates Renewal Guide
11-28-2022 07:58 AM
Hello,
CAPF is not activated. Basically we do not want to store any expired certs. These Cisco-based trust certificates will expire in 2023; we cannot regenerate them, we can just upload new ones as -trust if needed. So we can delete them...
11-28-2022 08:59 AM
The shared document outlines the steps that you need to follow to renew and remove the old ones.
01-06-2023 12:27 PM
We are running into the same problem with the CAP-RTP certs expiring in 2023. The first of which is 2/6, so there is some urgency in finding a solution. There is very little information available on CAP-RTP specifically other than it is pre-installed and related to MIC. It cannot be re-generated but you also cannot directly replace it either. Only the CAPF certs can be regened/replaced. I have opened two different TAC cases on this and got two different answers: one said I MUST deploy LSC on my phones to keep them working before CAP-RTP expires. The 2nd case outcome was to do nothing. Just delete them because they are not needed. Our cluster has the CAPF service activated but we are not in mixed mode and use non-secure profiles on all our devices. Is anyone able to give a clear answer on this topic? Can the CAP-RTP certs simply be deleted without causing issues with your devices?
Thanks
01-06-2023 12:36 PM
Hi,
We deleted them and did not encounter any issue; we are not using any security features.
01-06-2023 12:42 PM
Thank you for the response. Did you restart the callmanager and capf services after you deleted them from the cluster?
01-06-2023 12:54 PM - edited 01-06-2023 01:00 PM
We did not restart any service especially for the certificate deletion; they are trusted certs. We just deleted them on the pub (the sub side is auto-deleted after you delete them on the pub). We periodically restart our cluster and we have not had any issue for now.
01-06-2023 12:57 PM
As far as I know, if you use MIC-based authentication you should convert to LSC before deleting these certs. But we are not using any sec. features, so we simply deleted them.
01-06-2023 01:05 PM
We are not using any security profiles on the phones. The documentation is confusing though and suggests that MIC is used for basic phone registration regardless.
01-06-2023 09:03 PM
I am working on a solution/suggestion/recommendation for this as well. There are several certificate renewal/regeneration documents floating around in addition to the security management guide. Not too much was said about CAP-RTP-001 and CAP-RTP-002, which are expiring on Feb 6, 2023!
Seriously, we need to know what these two certificates are/were used for, and only Cisco can answer that question. I downloaded some MIC certificates from the IP phones; they were signed by "Cisco Manufacturing CA" with serial number "6a6967b3000000000003", which has an expiration date of 05/14/2029 (whew).
It would be much appreciated if anybody could share their experience with us.
Much thanks.
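
Added example, not part of any post in this thread: one way to repeat the issuer check described in the post above across a folder of exported phone certificates, listing each certificate's issuer CN and marking those whose issuer is a trust certificate being considered for deletion or that expire soon. The certificates are constructed stand-ins generated on the spot with `openssl`; the file names, the helper functions and the 90-day window are assumptions.

```bash
#!/usr/bin/env bash
# Constructed stand-in certificates only; nothing here contacts CUCM or a phone.

issuer_cn() {        # print the issuer commonName of a PEM certificate
  openssl x509 -in "$1" -noout -issuer -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

expires_within() {   # exit 0 if the certificate expires within $2 days
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

mic_report() {       # mic_report DIR DAYS CANDIDATE_CN...
  local dir="$1" days="$2" f cn flag n
  shift 2
  for f in "$dir"/*.pem; do
    cn=$(issuer_cn "$f")
    flag=ok
    for n in "$@"; do
      if [ "$cn" = "$n" ]; then flag=issuer-is-candidate; fi
    done
    if expires_within "$f" "$days"; then flag="$flag,expiring"; fi
    printf '%s|%s|%s\n' "$(basename "$f")" "$cn" "$flag"
  done
}

make_ca() {          # make_ca BASE CN  -> BASE.crt / BASE.key (self-signed)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
    -days 3650 -subj "/CN=$2" 2>/dev/null
}

make_leaf() {        # make_leaf CA_BASE OUT_PEM CN DAYS
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -out "$2" -days "$4" 2>/dev/null
}

demo() {             # constructed sample: two CAs, one leaf certificate each
  local d; d=$(mktemp -d)
  make_ca "$d/ca1" "CAP-RTP-001"
  make_ca "$d/ca2" "Cisco Manufacturing CA"
  make_leaf "$d/ca1" "$d/phoneA.pem" "constructed-phone-A" 30
  make_leaf "$d/ca2" "$d/phoneB.pem" "constructed-phone-B" 2000
  mic_report "$d" 90 CAP-RTP-001 CAP-RTP-002
  rm -rf "$d"
}
demo
```

To use it on real exports, call `mic_report` on the directory holding the PEM files instead of `demo`; an `issuer-is-candidate` line means that certificate names one of the listed trust certificates as its issuer.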