
CUCM CAPF IS NOT WORKING

a) I have two CallManagers (publisher and subscriber) and they are configured in mixed mode. I checked that the CAPF.pem in the subscriber was issued after the CTL file (the publisher's was before); maybe someone regenerated the CAPF.pem in the subscriber and did not rerun the CTL Client. The question is: if I regenerate CAPF in the publisher and then rerun the CTL Client, will the new CAPF certificate be installed in the publisher and subscriber? Should this certificate be identical in both servers?

b) Because the CAPF.pem in the publisher and subscriber are different, can the CAPF not work properly? I tried to install an LSC but it is not working; on the 9971 phones the status messages show "No valid CAPF server".

c) For 7940 phones, if I just regenerate CAPF and rerun the CTL Client (without changing the TFTP address), will it not be necessary to manually delete the CTL file?

d) I also checked that the ITL file does not have an entry for CAPF. Could that impact the CAPF functionality?

Thanks

Carlos

Accepted Solutions

Jonathan Schulenberg
Hall of Fame

a) Pay attention to the trust stores here. The only server that will actually have the CAPF certificate is the publisher as it's the only node that runs this service. You should see the CAPF certificate in the callmanager-trust store of all nodes in the cluster though (i.e. certificates issued - the LSC - by CAPF are trusted by that node). If the *current* CAPF certificate is absent from the trust store of the subscriber you will have problems. It is not an issue if previous CAPF certificates are also in the trust store though. All that means is that certificates signed by a previous CAPF certificate will also be trusted. You can only remove a certificate from the trust store once all the certificates it issued have been replaced.

b) The CAPF in use on the publisher must be in the CTL of the phones. If it isn't, certificate enrollment will fail.

c) The CTL file will automatically be downloaded and accepted by the phones as long as the token you sign the CTL file with was listed in the version of the CTL file the phone currently has installed.

d) No

Please remember to rate helpful responses and identify helpful or correct answers.
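
The trust-store check from answer (a), as an added example that is not part of the original post or of Cisco's tooling: it compares SHA-256 fingerprints of the publisher's current CAPF certificate against each node's callmanager-trust certificates. It assumes the certificates have been exported as PEM text; the function names are hypothetical and the sample "certificates" are constructed stand-in bytes, not real X.509.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """Return the SHA-256 fingerprint of every certificate in a PEM bundle."""
    return {
        hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
        for body in PEM_RE.findall(pem_text)
    }

def audit_capf_trust(current_capf_pem, previous_capf_pems, trust_by_node):
    """Check each node's callmanager-trust bundle against the publisher's CAPF cert."""
    current = fingerprints(current_capf_pem)
    if len(current) != 1:
        raise ValueError("expected exactly one current CAPF certificate")
    previous = set().union(*(fingerprints(p) for p in previous_capf_pems)) - current
    report = {}
    for node, bundle in trust_by_node.items():
        trusted = fingerprints(bundle)
        report[node] = {
            # False here is the failure case: LSCs from the current CAPF are not trusted.
            "current_capf_trusted": current <= trusted,
            # Not an error: LSCs issued by older CAPF certs simply stay trusted.
            "previous_capf_still_trusted": len(previous & trusted),
        }
    return report

def _stand_in_pem(der_bytes):
    """Wrap arbitrary bytes in PEM armor (constructed sample data only)."""
    body = base64.encodebytes(der_bytes).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

# Constructed sample: the subscriber never received the regenerated CAPF cert.
OLD_CAPF = _stand_in_pem(b"constructed-old-capf")
NEW_CAPF = _stand_in_pem(b"constructed-new-capf")
OTHER = _stand_in_pem(b"constructed-unrelated-cert")
SAMPLE_TRUST = {"publisher": NEW_CAPF + OLD_CAPF + OTHER, "subscriber": OLD_CAPF + OTHER}

if __name__ == "__main__":
    for node, result in audit_capf_trust(NEW_CAPF, [OLD_CAPF], SAMPLE_TRUST).items():
        state = "OK" if result["current_capf_trusted"] else "MISSING current CAPF"
        print(f"{node}: {state}, previous CAPF certs still trusted: "
              f"{result['previous_capf_still_trusted']}")
```

A previous CAPF certificate reported as still trusted should only be removed once every LSC it issued has been replaced, as the answer notes.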
