cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
30583
Views
151
Helpful
54
Replies

CUCM CAP-RTP-001 and CAP-RTP-002

extremum
Level 1
Level 1

Hello ,

These tow certs CAP-RTP-001 and CAP-RTP-002 are installed the cucm as callmanager-trust and capf-trust , they will be expired in 2023 . How can we get new / valid certs .

Thanks.

1 Accepted Solution

Accepted Solutions

KevinS1
Level 1
Level 1

HI, I have removed the two CAP-RTP-001 & 002 certs from both the trust stores in two different CUCM clusters.  One cluster was not in mixed mode and the other cluster was in mixed mode yet not using LSC or the secure profiles in the phones ( just mixed mode enabled without secure phones).   

The impact was nothing.  I did restart the recommended services and I also rebooted the full cluster as it had not been rebooted in a very long time.  

TAC could not provide any documents to talk about the two MIC certs and how they would or would not impact the cluster however two different TAC cases both gave me the same recommendation to delete the certs as I was not using secure profiles on the phones. If I was using secure profiles on the phones then I needed to push/install the LSC as standard practice for the phones to register in a secure cluster with secure profiles... yet on those clusters I did not need the secure profiles or LSCs.    

I hope that helps anyone else looking for more details.   Just delete it and cross your figures then restart the services.... 

( this is the same thing I posted in the other forum about this topic... FYI I will complete the same process on a 3rd cluster tonight, the other two clusters have been running fine for a week after removing the certs.) See this forum post ->  https://community.cisco.com/t5/unified-communications-infrastructure/cucm-capf-certificate-question/m-p/4766053/highlight/true#M173569https://community.cisco.com/t5/unified-communications-infrastructure/cucm-capf-certificate-question/m-p/4766053#M173...

View solution in original post

54 Replies 54

Jaime Valencia
Cisco Employee
Cisco Employee

The topic of certificate renewal has been discussed many, many times before in threads and there is already existing documentation on the topic, have you reviewed any of those before posting?

HTH

java

if this helps, please rate

If you do not want to answer , keep quiet. Do not act like GOD

Kaboom!

Not helpful

Are you using the CAPF service, ie are your system ion Mixed-Mode? If the answer is No then you can simply disregard these. If you like to anyway renew them, to not have expired certificates in your system please have a look at this document that I wrote a few years ago. Cisco UC Certificates Renewal Guide 



Response Signature


Hello ,

CAPF is not activated . Basically  we do not want to store any expired cert. so these Cisco based trust certificates will be expired in 2023 , we can not regenerate them we can just upload new ones as  a -trust if needed . So we can delete them ..

The shared document outlines the steps that you need to follow to renew and remove the old once.



Response Signature


falling_d0wn
Level 1
Level 1

We are running into the same problem with the CAP-RTP certs expiring in 2023.  The first of which is 2/6 so there is some urgency in finding a solution.  There is very little information available on CAP-RTP specifically other than it is pre-installed and related to MIC.  It cannot be re-generated but you also also cannot directly replace it either. Only the CAPF certs can be regened/replaced.  I have opened two different TAC cases on this and got two different answers - one said I MUST deploy LSC on my phones to keep them working before CAP-RTP expires.  The 2nd case outcome was to do nothing. Just delete them because they are not needed.  Our cluster has the CAPF service activated but we are not in mixed mode and use non-secure profiles on all our devices.  Is anyone able to give a clear answer on this topic?  Can the CAP-RTP certs simply be deleted without causing issues with your devices? 

Thanks

Hi,

We deleted them and do not encounter any issue , we are not using any security features .

Thank you for the response.  Did you restart the callmanager and capf services after you deleted them from the cluster?

We did not restart any service especially for the certificate deletion , they are trusted cert. we just delete them  on the pub . (sub side auto deleted after you delete them on the pub ) . We periodically restarting our cluster and we do not receive any issue for now .

 

As i know that if you use MIC based authentication you should convert to LSC before delete these certs. But we are not using any sec. feature so simply deleted them

 

 

 

We are not using any security profiles on the phones.  The documentation is confusing though and suggests that MIC is used for basic phone registration regardless.  

I am working for a solution/suggestion/recommendation for this as well. There are several certificate renewal/regeneration documents floating around in addition to the security management guide. Not too much was said about CAP-RTP-001 and CAP-RTP-002 which are expiring on Feb 6, 2023!

Seriously we need to know what these two certificates are/were used for, and only Cisco can answer that question. I downloaded some MIC certificate from the ip phones, they were signed by "Cisco Manufacturing CA" with serial number "6a6967b3000000000003" which has an expiration date of  05/14/2029 (whew).

Will be much appreciated if anybody can share the experience to us.

Much thanks.