3047 Views, 10 Helpful, 8 Replies

CUCM Certificates Expiring

RL5901
Beginner

RTMT for our CUCM cluster is sending alerts for ....

%UC_CERT-2-CertValidfor7days: %[Message=Certificate expiration Notification....

I've attached a list in case anyone needs to see (the names of the nodes have been changed). 

 

CUCM version 11.0

cucm1 is pub in a cluster with 4 subs. 

 

Cisco Unified CM Administration > System > Enterprise Parameters > Cluster Security Mode = 0

  • admin:show ctl
    Length of CTL file: 0
    CTL File not found. Please run CTLClient plugin or run the CLI - utils ctl.. to generate the CTL file.
    Error parsing the CTL File.

Cisco CTL Provider and Cisco Certificate Authority Proxy Function on the Publisher are currently active. 

 

I have been looking online for information but then came across conflicting directions and need confirmation.

  1. Regeneration of certificates must be done after hours as these tasks impact production
  2. Procedure
    1. Manually create a DRF backup
    2. Prepare Cluster for Rollback to pre 8.0 Feature
      1. For some reason, the previous admin left this set to True
    3. Stop TFTP service on Primary TFTP server
    4. Regenerate the following certificates via CLI in this order on the Primary TFTP server
      1. Regenerate CAPF via CLI: set cert regen CAPF
      2. Regenerate CallManager via CLI: set cert regen CallManager
      3. Regenerate Tomcat via CLI: set cert regen tomcat
      4. Regenerate TVS via CLI: set cert regen TVS
    5. Delete the following certificates via CLI in this order on the Primary TFTP server
      1. Delete CAPF-trust Certificates via CLI: set cert delete CAPF <name of certificate>.pem
      2. Delete CallManager-trust Certificates via CLI: set cert delete CallManager <name of certificate>.pem
      3. Delete ipsec-trust Certificates via CLI: set cert delete ipsec <name of certificate>.pem
      4. Delete Tomcat-trust Certificates via CLI: set cert delete tomcat <name of certificate>.pem
      5. Delete TVS-trust Certificates via CLI: set cert delete TVS <name of certificate>.pem
    6. Reset all phones in the cluster
    7. Start the TFTP service on the Primary TFTP server
    8. Repeat the Regenerate and Delete steps from 2 and 3 above for all certificates (CAPF, CallManager, Tomcat, TVS)
    9. Reset all phones in the cluster (2nd time)
    10. Restart the TFTP service on the Secondary TFTP server
    11. Repeat these steps for the remaining servers in the cluster running the TFTP service (3, 4, & 5)
    12. Restart the following services on all nodes in the cluster (unless indicated below), starting with the Publisher...
      1. Tomcat (CLI: utils service restart Cisco Tomcat)
      2. Cisco CallManager (WebGUI: Cisco Unified Serviceability > Tools > Control Center - Feature Services > (Select Server). Under Cisco CallManager, click Restart)
      3. CTI Manager (WebGUI: Cisco Unified Serviceability > Tools > Control Center - Feature Services > (Select Server). Under Cisco CTIManager, click Restart)
      4. CAPF on Publisher ONLY (WebGUI: Cisco Unified Serviceability > Tools > Control Center - Feature Services > (Select Server). Under Cisco Certificate Authority Proxy Function, click Restart)
      5. Trust Verification Service (a.k.a, TVS) (WebGUI: Cisco Unified Serviceability > Tools > Control Center - Network Services > (Select Server). Under Cisco Trust Verification Service, click Restart)
      6. Cisco DRF Local (on all nodes) (CLI: utils service restart Cisco DRF Local)
      7. Cisco DRF Master (Publisher ONLY) (CLI: utils service restart Cisco DRF Master)

Am I missing anything or is anything out of order? 
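
As an added example that is not part of this thread (not Cisco's code and not the poster's): a small Python parser that turns a batch of these RTMT %UC_CERT alerts into a per-node worklist, ordering own-certificates the way the procedure above regenerates them (CAPF, CallManager, tomcat, TVS) and listing expiring *-trust certificates separately for the delete step. The sample alerts are constructed in the style of the one quoted in the post; the exact field layout after "Message=" (Certificate name / Type / Expiration / NodeID) is an assumption, not the documented RTMT format.

```python
import re

# Constructed sample alerts in the style of the post's quoted alert.
# The fields after "Message=" are an assumed layout, not the exact RTMT format.
SAMPLE_ALERTS = """\
%UC_CERT-2-CertValidfor7days: %[Message=Certificate expiration Notification. Certificate name:CallManager Unit:CallManager Type:own-cert Expiration:2024-03-08][NodeID=cucm1]
%UC_CERT-2-CertValidfor7days: %[Message=Certificate expiration Notification. Certificate name:tomcat Unit:tomcat Type:own-cert Expiration:2024-03-09][NodeID=cucm2]
%UC_CERT-2-CertValidfor7days: %[Message=Certificate expiration Notification. Certificate name:CAPF Unit:CAPF Type:own-cert Expiration:2024-03-07][NodeID=cucm1]
%UC_CERT-2-CertValidfor7days: %[Message=Certificate expiration Notification. Certificate name:CallManager-trust Unit:CallManager-trust Type:trust-cert Expiration:2024-03-08][NodeID=cucm1]
%UC_CERT-6-SomethingElse: %[Message=not a certificate alert][NodeID=cucm3]
"""

# Regeneration order used by the procedure in the post.
REGEN_ORDER = ["CAPF", "CallManager", "tomcat", "TVS"]

ALERT_RE = re.compile(
    r"%UC_CERT-(?P<sev>\d)-(?P<mnemonic>\w+): %\[Message="
    r".*?Certificate name:(?P<name>[\w-]+)"
    r".*?Type:(?P<type>[\w-]+)"
    r".*?Expiration:(?P<exp>[^\]]+)\]"
    r".*?\[NodeID=(?P<node>[^\]]+)\]"
)

def parse_alerts(text):
    """Return one dict per certificate-expiry alert; other syslog lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            d = m.groupdict()
            d["sev"] = int(d["sev"])  # syslog severity, 2 = critical
            alerts.append(d)
    return alerts

def regen_plan(alerts):
    """Per node: own-certs to regenerate (in REGEN_ORDER) and trust certs to delete."""
    plan = {}
    for a in alerts:
        entry = plan.setdefault(a["node"], {"regen": [], "delete": []})
        bucket = "regen" if a["type"] == "own-cert" else "delete"
        entry[bucket].append(a["name"])
    for entry in plan.values():
        # Unknown own-cert names sort after the four the post covers.
        entry["regen"].sort(key=lambda n: REGEN_ORDER.index(n)
                            if n in REGEN_ORDER else len(REGEN_ORDER))
    return plan

if __name__ == "__main__":
    for node, work in sorted(regen_plan(parse_alerts(SAMPLE_ALERTS)).items()):
        print(node, "regen:", work["regen"], "delete:", work["delete"])
```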

2 Accepted Solutions