CUCM Certificate CAPF Alerts

mightyking
Level 6

Hello Everyone,

Receiving an alert from RTMT regarding some trust certificates for our entire CUCM cluster. It looks like the certs expired on March 25th.

 Validity From: Fri Mar 25 17:01:55 EDT 2011
           To:   Fri Mar 25 17:01:55 EDT 2016

Questions:

1) Would this affect the system functionalities? 

2) How to regenerate these trust certs?

Certificate Name: CallManager-trust
Certificate Type: trust-certs
.PEM File: CAPF-e305ffe5.pem
.DER File: CAPF-e305ffe5.der
Description: Trust Certificate

The way I see is to click on Generate New > Select CAPF as Certificate Name then click on Generate New button. Is that correct? If so, do I need to do the same for each CUCM server in the cluster?


Thanks,

MK

17 Replies

Deepak Mehta
VIP Alumni

 

If it is not in secure mode, you can safely locate the certificate on the node and regenerate it. Jaime has recorded a video; I think this might help you.

https://supportforums.cisco.com/video/12627626/how-regenerate-self-signed-certificates-cucm-imp-and-cuc

This will create a new CAPF-X certificate. You can then navigate to all nodes and remove all instances of the old CAPF (expired one). You can accomplish this from the OS administration page -> Security -> Certificate management by clicking on the certificate and then selecting delete. You can then restart the Certificate Authority Proxy Function service.

Phones might reboot so better do it in off production hours, although when I performed it I didn't observe any reboot.

 

If your cluster is in mixed-mode, you will be able to follow the same process of certificate regeneration but you will need to follow that up by an update of the CTL client.

To answer your first Q, trust certificates affect the phone registration process and the phone will download trust lists and CTL files from the CUCM based upon the certificate used.

Thanks Deepak,

The Enterprise Parameters show that the Cluster Security Mode is set to 0 which means we are not using Mixed-Mode. So, all we need to do is to go in each CUCM server, search for Certificate name: CAPF-e305ffe5.der file (expired one), delete it, regenerate a new CAPF cert and restart the CAPF service. Is that right?

Thanks,

MK

Yes, your understanding is correct.

One more thing which you will want to ensure the CAPF certificate from each node is uploaded as a CAPF-trust to the other nodes.

@Deepak Mehta : That is not needed, once CAPF is regenerated the same is also changed on all the corresponding servers within the cluster as the type CAPF-Trust on its own.

@MK: Once you have regenerated the CAPF certificate on the required servers, just open the PEM file for it and note down the Serial Number. Then open the CAPF-trust certificate PEM and you will find the Serial Number will/should match what you have for the CAPF. This will happen for all the servers in cluster automatically. In some cases, if the serial number does not match then only you will need to upload the CAPF certificate on the servers as type CAPF-Trust.

Regards

Deepak

Perfect Rawat,

Thank you both.

MK

One more question:

I just deleted the expired CAPF cert and generated one in the Publisher but don't seem to be able to find it. I would like to see if the certificate is uploaded to the other servers. How can I locate the one I just created? If not, can I generate another one?

Thanks,

MK

Since you have deleted the CAPF completely instead of regenerating it, you will now need to manually upload it first as CAPF and it should subsequently update the CAPF-Trust on its own. You should be able to see a Download button; simply use it and save the CAPF file on your Desktop. After this simply upload it back as CAPF and the CAPF-trust should automatically generate.

For other servers, simply regenerate the CAPF and do not delete it completely. What you will only need to delete is the CAPF-trust certificate for the expired entry, i.e., CAPF-e305ffe5.pem

Regards

Deepak

Deepak,

The version we are at is 8.6. I deleted CAPF-e305ffe5.pem in the Publisher and generated a new CAPF cert. I was able to find the file I generated but it shows as Self-signed certificate generated by system while the other ones show as Trust Certificate. Did I select a wrong option?

Please see the file in attachment.

Thanks,

MK

CAPF certificate will show up as Self-signed certificate generated by system only. Not only that but even CallManager, IPSec etc. will also show that only since they are server/root certificates. Only the certificates which are of type Tomcat-Trust, CallManager-trust will show Trust Certificate.

Hence what you have done is absolutely correct. Also attaching a screenshot from my lab server just to make this thing clear. Though it is for v11 it should hold good for 8.6 as well.

Regards

Deepak

Thanks Guys,

One last question;

The certs have been expired since March 25th. Would that cause service interruption if we wait until next weekend? Unfortunately, we are not going to be able to schedule any maintenance windows before next Friday. It looks like the alert shows the cert is valid only for 7 days.

SeverityMatch : Critical

MatchedEvent : Apr 28 20:00:05 SCCM50001P local7 2 : 178: XXXXXXX: Apr 29 2016 00:00:05.890 UTC : %UC_CERT-2-CertValidfor7days: %[Message=Certificate expiration Notification. Certificate name:CAPF-e305ffe5.der Unit:CallManager-trust Type:own-cert Expiration:Fri Mar 2][AppID=Cisco Certificate Monitor][ClusterID=][NodeID=XXXXXXX]: Alarm to indicate that Certificate has Expired or Expires in less than seven days AppID : Cisco Syslog Agent ClusterID

Thanks,

MK
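Added example (not part of the thread, and not Cisco's code): a small Python triage for the Certificate Monitor alarm MK pasted above. The regex follows the field layout of that syslog line (%UC_CERT-severity-mnemonic, then Certificate name / Unit / Type / Expiration inside the Message bracket). The sample lines are constructed from it: the first carries the full expiry date MK quoted at the top of the thread, the second is an invented tomcat entry expiring in under a week, the third is left truncated exactly as the alarm was pasted ("Expiration:Fri Mar 2"), so the parser has to cope with a missing date, and the fourth is an unrelated line that must be skipped.

```python
import re
from datetime import datetime

# Field layout taken from the UC_CERT alarm quoted in the thread.
ALARM_RE = re.compile(
    r"%UC_CERT-(?P<severity>\d)-(?P<mnemonic>\w+):\s*%\[Message=Certificate expiration "
    r"Notification\. Certificate name:(?P<cert>\S+) Unit:(?P<unit>\S+) "
    r"Type:(?P<ctype>\S+) Expiration:(?P<expiration>[^\]]*)\]"
)


def _parse_expiration(text):
    """'Fri Mar 25 17:01:55 EDT 2016' -> datetime; anything truncated (the thread's
    own alarm shows 'Fri Mar 2') -> None. The zone word is dropped, so the result
    is CUCM local time, which is good enough for a days-left estimate."""
    parts = text.split()
    if len(parts) != 6:
        return None
    try:
        return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None


def parse_alarm(line):
    """Return the alarm fields as a dict, or None if the line is not a UC_CERT alarm."""
    m = ALARM_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["severity"] = int(d["severity"])
    d["expires"] = _parse_expiration(d["expiration"])
    return d


def triage(lines, now, warn_days=7):
    """Classify each UC_CERT alarm as 'expired', 'expiring' (fewer than warn_days left),
    'ok', or 'unknown-expiry' when the date was truncated; other lines are skipped."""
    out = []
    for line in lines:
        a = parse_alarm(line)
        if a is None:
            continue
        if a["expires"] is None:
            status, days = "unknown-expiry", None
        else:
            days = (a["expires"] - now).days
            status = "expired" if a["expires"] <= now else ("expiring" if days < warn_days else "ok")
        out.append({"cert": a["cert"], "unit": a["unit"], "status": status, "days_left": days})
    return out


# Constructed sample lines (node name and sequence numbers are made up).
SAMPLE_LINES = [
    "Apr 28 20:00:05 SCCM50001P local7 2 : 178: NODE1: Apr 29 2016 00:00:05.890 UTC : "
    "%UC_CERT-2-CertValidfor7days: %[Message=Certificate expiration Notification. "
    "Certificate name:CAPF-e305ffe5.der Unit:CallManager-trust Type:own-cert "
    "Expiration:Fri Mar 25 17:01:55 EDT 2016][AppID=Cisco Certificate Monitor][ClusterID=][NodeID=NODE1]",
    "Apr 28 20:00:05 SCCM50001P local7 2 : 179: NODE1: Apr 29 2016 00:00:05.891 UTC : "
    "%UC_CERT-2-CertValidfor7days: %[Message=Certificate expiration Notification. "
    "Certificate name:tomcat.pem Unit:tomcat Type:own-cert "
    "Expiration:Thu May 05 10:00:00 EDT 2016][AppID=Cisco Certificate Monitor][ClusterID=][NodeID=NODE1]",
    "Apr 28 20:00:05 SCCM50001P local7 2 : 180: NODE1: Apr 29 2016 00:00:05.892 UTC : "
    "%UC_CERT-2-CertValidfor7days: %[Message=Certificate expiration Notification. "
    "Certificate name:CAPF-e305ffe5.der Unit:CallManager-trust Type:own-cert "
    "Expiration:Fri Mar 2][AppID=Cisco Certificate Monitor][ClusterID=][NodeID=NODE1]",
    "Apr 28 20:00:06 SCCM50001P local7 6 : 181: NODE1: %UC_EXAMPLE-6-NotACertAlarm: %[Message=unrelated]",
]
NOW = datetime(2016, 4, 29, 0, 0, 5)   # the timestamp on the quoted alarm, as local time

if __name__ == "__main__":
    for r in triage(SAMPLE_LINES, NOW):
        print(r)
```

Because the first line's date is parsed as local time while NOW is the UTC stamp on the alarm, the days-left figure can be off by a few hours; that is fine for deciding whether a maintenance window can wait, but not for anything that needs the exact second.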

I did not observe any impact in my setup; however, for new phones and in case a phone is reset you might see the impact as LSC certificates are tied to CTL files.

You can refer to this.

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html

Service Impact by the Certificate Store

It is critical for good functionality of the system to have all certificates updated across the CUCM cluster. If your certificates are expired or invalid they might significantly affect normal functionality of the system. A list of potential issues you might have when any of the specific certificates is invalid or expired is shown here. The impact might differ dependent upon your system setup.

CAPF.pem

  • Phones do not authenticate for Phone VPN, 802.1x, or Phone Proxy. 
  • Cannot issue LSC certificates for the phones.
  • Encrypted configuration files do not work.

Perfect,

Thanks,

MK

Hi Again,

Are the certificates version dependent? We are upgrading to version 10.5 in about 3 weeks. Do we need to install the certificates now? Can we wait until June 1st? Please note that we are using No Secure Mode.

Thanks,

MK

I think it should be good. Just check and make sure serial numbers are matching.

Also check on other nodes if the same serial number shows for the CAPF-Trust cert for this node.
Just pasting a screenshot from my LAB showing two, one as self signed and another one as CAPF-Trust, and the serial number is the same.

Maybe Rawat can confirm on it..
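The serial-number comparison Rawat describes earlier in the thread and Deepak repeats here (the CAPF serial on node A must equal the CAPF-trust entry for A held on every other node, and none of them may be expired) can be scripted once the .pem files are downloaded from OS Administration > Security > Certificate Management. The following is an added example, not code from the thread or from Cisco. It reads serialNumber and validity with a minimal DER walker (standard library only, no openssl or cryptography package), and everything in the sample cluster is constructed for the demonstration: the node names PUB/SUB1/SUB2, the serial numbers, and the certificates themselves, which are unsigned with empty names, just enough structure to be parsed. The only thread-derived values are the 2011-03-25 to 2016-03-25 validity of the expired entry and the 2016-04-29 timestamp of the alarm.

```python
"""Cross-check CAPF vs CAPF-trust serials and expiry across a CUCM cluster (stdlib only).
Rule from the thread: node A's CAPF serial must equal the CAPF-trust entry for A held
on every other node, and no entry may be expired. Sample certs are constructed below."""
import base64
import re
from datetime import datetime, timedelta, timezone

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val

def _tlv(tag, value):
    """Encode one DER element; only used to build the constructed samples."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _parse_time(tag, value):
    """Decode UTCTime (0x17, YY >= 50 means 19YY per RFC 5280) or GeneralizedTime (0x18)."""
    s = value.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def pem_to_der(pem):
    """Strip the PEM armour of a downloaded .pem file and base64-decode it."""
    return base64.b64decode("".join(re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem).split()))

def der_to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode("ascii")

def cert_info(data):
    """Return {'serial', 'not_before', 'not_after'} for a PEM (str) or DER (bytes) certificate."""
    der = pem_to_der(data) if isinstance(data, str) else data
    _, cert, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _read_tlv(cert, 0)
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                 # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    not_before, not_after = (_parse_time(t, v) for t, v in _children(fields[3][1]))
    return {"serial": int.from_bytes(fields[0][1], "big", signed=True),
            "not_before": not_before, "not_after": not_after}

def check_cluster(cluster, now, warn_days=7):
    """cluster = {node: {'CAPF': cert, 'CAPF-trust': {origin_node: cert}}}.
    Returns [(node holding the problem, finding)]; empty means all serials agree and nothing expired."""
    findings = []
    for node, store in cluster.items():
        own = cert_info(store["CAPF"])
        if own["not_after"] <= now:
            findings.append((node, "CAPF expired %s" % own["not_after"].date()))
        elif own["not_after"] - now < timedelta(days=warn_days):
            findings.append((node, "CAPF expires within %d days" % warn_days))
        for other, other_store in cluster.items():
            if other == node:
                continue
            trust = other_store["CAPF-trust"].get(node)
            if trust is None:
                findings.append((other, "no CAPF-trust entry for %s" % node))
                continue
            tinfo = cert_info(trust)
            if tinfo["serial"] != own["serial"]:
                findings.append((other, "CAPF-trust for %s has stale serial %#x" % (node, tinfo["serial"])))
            if tinfo["not_after"] <= now:
                findings.append((other, "CAPF-trust for %s expired %s" % (node, tinfo["not_after"].date())))
    return findings

def make_sample_cert(serial, not_before, not_after):
    """Constructed, unsigned, minimal X.509 DER (empty names, empty SPKI) for offline demonstration."""
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption OID
    name = _tlv(0x30, b"")
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
                 + alg + name + _tlv(0x30, utc(not_before) + utc(not_after)) + name + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))                 # placeholder signature BIT STRING

# Constructed sample cluster: PUB regenerated its CAPF on 2016-04-29; SUB1 picked up the
# new CAPF-trust, SUB2 still holds the 2011 entry that expired 2016-03-25 (the thread's dates).
_utc = lambda *a: datetime(*a, tzinfo=timezone.utc)
NOW = _utc(2016, 4, 29, 0, 0, 5)
PUB_OLD = make_sample_cert(0x1A2B3C, _utc(2011, 3, 25, 21, 1, 55), _utc(2016, 3, 25, 21, 1, 55))
PUB_NEW = make_sample_cert(0x4D5E6F, _utc(2016, 4, 29), _utc(2021, 4, 29))
SUB1_CAPF = make_sample_cert(0x111111, _utc(2012, 1, 1), _utc(2017, 1, 1))
SUB2_CAPF = make_sample_cert(0x222222, _utc(2012, 1, 1), _utc(2017, 1, 1))
SAMPLE_CLUSTER = {
    "PUB":  {"CAPF": PUB_NEW,   "CAPF-trust": {"SUB1": SUB1_CAPF, "SUB2": SUB2_CAPF}},
    "SUB1": {"CAPF": SUB1_CAPF, "CAPF-trust": {"PUB": PUB_NEW, "SUB2": SUB2_CAPF}},
    "SUB2": {"CAPF": SUB2_CAPF, "CAPF-trust": {"PUB": PUB_OLD, "SUB1": SUB1_CAPF}},
}
```

Running `check_cluster(SAMPLE_CLUSTER, NOW)` reports SUB2 twice: its CAPF-trust entry for PUB carries the old serial and is already expired, which is exactly the stale CAPF-e305ffe5 file the thread says to delete on each subscriber. Against real downloads, read each node's CAPF.pem and CAPF-trust .pem files into the same dictionary shape (the origin node for a trust entry is the subject/host in the file, which this walker deliberately does not parse) and the script gives the same answer the GUI serial comparison does, without clicking through every node.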