Cucm Certificate issues

I am hoping someone who has the knowledge can help me out with this scenario. I have inherited a CUCM 9 system with 6 virtual appliances: CUCM/Presence/Unity Pubs and Subs. While all functions are currently working, I have, while learning how to manage CUCM, discovered that its certs are expired. I have researched how to correct this, so I am aware of how to regenerate the certs and not to do the CallManager and TVS certs at the same time. This is my game plan, but I do have a few questions:

  1. Power off all 6 appliances to take an offline snapshot in case something goes wrong, and then once they power up regenerate the ipsec certs so I can take a good DRS backup as well before I do the other certs.

  2. Then I will regenerate the other certs and leave the TVS/CallManager certs for last, doing one of them at a time and using Bulk Administration to reboot all phones after each cert.

  3. Regenerate the Presence certs.

  4. Regenerate the Unity certs.

  5. Once all certs are renewed and all applicable services are restarted, I would take one more new DRS backup so it has all the new certs in it.

Does that plan sound like it would work?

Do I need to reboot all the phones four times in total for the CUCM certs (twice for pub and twice for sub)?

Are there any Unity or Presence certs I need to be wary of or do in a special order to avoid issues like the CUCM CallManager certs?

Thanks in advance.

Roger Kallberg
VIP Mentor

Please look at this document about certificate handling in CVOS systems: Cisco UC Certificates Renewal Guide


That provides some useful steps, so I thank you for that. Beyond that, though, do I need to regen all the certs at the same time? I.e., can I do the ipsec first so I can get DRS working and take a backup before doing the others? As this is version 9 and can't do the multi-SAN cert, which certs do I need to manually transfer around for the trust certs?

You should regenerate one type of certificate at a time. Yes, that's correct, you'll need to put the needed certificates into the trust store on the other nodes.


So pub certs onto the sub node, and then the sub certs onto the pub node?



Perfect, last question I think. When I regen a cert on the CUCM pub and am waiting the 15 mins to do the sub node before moving on to the next cert, can I also start the first cert on Presence or Unity so they also start the 15 min timer, so to speak? Or is that trying to multi-task it too much?


Also, can I regen just the ipsec cert by itself to get DRS working again, and then regen the other certs later once I build a plan to tackle them?

Not sure if I quite understand you. For what reason would you wait 15 minutes?

You can do parallel tasks on these as they are basically independent systems. The IMP is however tightly connected with CM, so when it comes to it I would recommend some caution. Especially for the Tomcat certificate.


The guide you linked earlier states to wait 15 mins between nodes when renewing each cert. I take that to mean, for example, if I renew the ipsec cert on the pub and restart the services, I need to wait 15 mins, then go to the sub and renew the ipsec cert as well.


So would you recommend then that I finish all the CUCM certs, then do the IMP certs since they are so interconnected? In which case I should be fine doing the Unity certs at the same time as I do CUCM?


Also, do all the certs need to be renewed in one shot when they are expired, or should I break it up into multiple days so it has more time to sync, especially for CallManager and TVS?
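As an added illustration (not from this thread or from Cisco), a small planner that encodes the ordering the replies converge on: ipsec first so DRS works for a backup, one certificate type at a time, publisher before subscriber with the 15-minute gap from the guide, and CallManager and TVS last with a phone restart after each. The hostnames, certificate types and expiry dates in the inventory are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed inventory: (node, certificate type, notAfter date).
# Hostnames and dates are made up for this example.
INVENTORY = [
    ("cucm-pub", "ipsec", "2015-12-01"), ("cucm-sub", "ipsec", "2015-12-01"),
    ("cucm-pub", "tomcat", "2015-12-01"), ("cucm-sub", "tomcat", "2015-12-01"),
    ("cucm-pub", "CallManager", "2015-12-01"), ("cucm-sub", "CallManager", "2015-12-01"),
    ("cucm-pub", "TVS", "2015-12-01"), ("cucm-sub", "TVS", "2015-12-01"),
    ("cucm-pub", "CAPF", "2017-06-01"),   # still valid: must not appear in the plan
]
PHONE_IMPACTING = ("CallManager", "TVS")  # never regenerate these two together
NODE_GAP = timedelta(minutes=15)          # wait between nodes, per the guide

def expired(inventory, now):
    """Return (node, type) pairs whose certificate has expired at 'now'."""
    return [(n, t) for n, t, d in inventory
            if datetime.strptime(d, "%Y-%m-%d") <= now]

def type_order(cert_type):
    # ipsec first (DRS needs it for a backup), phone-impacting types last.
    return (cert_type != "ipsec", cert_type in PHONE_IMPACTING, cert_type)

def plan(inventory, now, gap=NODE_GAP):
    """Build an ordered list of (start_time, node, action): one certificate
    type at a time, publisher before subscribers, 'gap' between nodes, and
    a bulk phone restart after each phone-impacting type."""
    todo = expired(inventory, now)
    steps, clock = [], now
    for cert_type in sorted({t for _, t in todo}, key=type_order):
        nodes = sorted((n for n, t in todo if t == cert_type),
                       key=lambda n: (not n.endswith("-pub"), n))
        for node in nodes:
            steps.append((clock, node, f"regenerate {cert_type}"))
            clock += gap
        if cert_type in PHONE_IMPACTING:
            steps.append((clock, "phones", f"bulk restart after {cert_type}"))
    return steps

if __name__ == "__main__":
    for when, node, action in plan(INVENTORY, datetime(2016, 1, 15)):
        print(when.strftime("%H:%M"), node, action)
```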


Snapshots are not supported by Cisco, I would make DRS back ups instead.


VMware snapshots are not supported in UC applications. Snapshots cause all types of latency and voice-quality issues. They also cause disk-drive space issues, CPU spikes, and memory utilization issues in UC applications.

When you troubleshoot any voice-quality or CPU/memory issues on a UC application that is supported on a VMware platform, the first thing to check is the presence of snapshots on the system.

The DRS currently is not working correctly because of the cert. So I do not want to take a snapshot, but rather do a full VM backup while they are powered off and not running (a cold backup) before starting, so I have some form of restore point.

I think that you might mean a Clone, not a Snapshot. That’s okay and is supported.


I could clone the VM too, but in this case, when powered off, I would use Veeam to take a full backup of it.
