CUCM Certificates Expiring

RL5901 (Level 1)

RTMT for our CUCM cluster is sending alerts for ....

%UC_CERT-2-CertValidfor7days: %[Message=Certificate expiration Notification....

I've attached a list in case anyone needs to see (the names of the nodes have been changed). 

 

CUCM version 11.0

cucm1 is pub in a cluster with 4 subs. 

 

Cisco Unified CM Administration > System > Enterprise Parameters > Cluster Security Mode = 0

  • admin:show ctl
    Length of CTL file: 0
    CTL File not found. Please run CTLClient plugin or run the CLI - utils ctl.. to generate the CTL file.
    Error parsing the CTL File.

Cisco CTL Provider and Cisco Certificate Authority Proxy Function on the Publisher are currently active. 

 

I have been looking online for information but then came across conflicting directions and need confirmation.

  1. Regeneration of certificates must be done after hours as these tasks impact production
  2. Procedure
    1. Manually create a DRF backup
    2. Prepare Cluster for Rollback to pre 8.0 Feature
      1. For some reason, the previous admin left this set to True
    3. Stop TFTP service on Primary TFTP server
    4. Regenerate the following certificates via CLI in this order on the Primary TFTP server
      1. Regenerate CAPF via CLI: set cert regen CAPF
      2. Regenerate CallManager via CLI: set cert regen CallManager
      3. Regenerate Tomcat via CLI: set cert regen tomcat
      4. Regenerate TVS via CLI: set cert regen TVS
    5. Delete the following certificates via CLI in this order on the Primary TFTP server
      1. Delete CAPF-trust Certificates via CLI: set cert delete CAPF <name of certificate>.pem
      2. Delete CallManager-trust Certificates via CLI: set cert delete CallManager <name of certificate>.pem
      3. Delete ipsec-trust Certificates via CLI: set cert delete ipsec <name of certificate>.pem
      4. Delete Tomcat-trust Certificates via CLI: set cert delete tomcat <name of certificate>.pem
      5. Delete TVS-trust Certificates via CLI: set cert delete TVS <name of certificate>.pem
    6. Reset all phones in the cluster
    7. Start the TFTP service on the Primary TFTP server
    8. Repeat the Regenerate and Delete steps from 2 and 3 above for all certificates (CAPF, CallManager, Tomcat, TVS)
    9. Reset all phones in the cluster (2nd time)
    10. Restart the TFTP service on the Secondary TFTP server
    11. Repeat these steps for the remaining servers in the cluster running the TFTP service (3, 4, & 5)
    12. Restart the following services on all nodes in the cluster (unless indicated below), starting with the Publisher...
      1. Tomcat (CLI: utils service restart Cisco Tomcat)
      2. Cisco CallManager (WebGUI: Cisco Unified Serviceability > Tools > Control Center - Feature Services > (Select Server). Under Cisco CallManager, click Restart)
      3. CTI Manager (WebGUI: Cisco Unified Serviceability > Tools > Control Center - Feature Services > (Select Server). Under Cisco CTIManager, click Restart)
      4. CAPF on Publisher ONLY (WebGUI: Cisco Unified Serviceability > Tools > Control Center - Feature Services > (Select Server). Under Cisco Certificate Authority Proxy Function, click Restart)
      5. Trust Verification Service (a.k.a, TVS) (WebGUI: Cisco Unified Serviceability > Tools > Control Center - Network Services > (Select Server). Under Cisco Trust Verification Service, click Restart)
      6. Cisco DRF Local (on all nodes) (CLI: utils service restart Cisco DRF Local)
      7. Cisco DRF Master (Publisher ONLY) (CLI: utils service restart Cisco DRF Master)

Am I missing anything or is anything out of order? 

8 Replies

Adam Pawlowski (VIP Alumni)

Generically, you need to review what services are configured or are running, and what certificates are going to expire.

 

If you’re not in mixed mode or using a CTL you don’t have to play with it. 

The rollback parameter to me says your infrastructure is broken or the prior admin did not understand security by default, and wasn't sure what order to process certificates in.

I'm on mobile and can't review too closely, but no, those steps sound incorrect. There is no need to stop TFTP or delete the trust certificates in my experience. Grab the security guide for your version of the UCM and review its guidance. Perhaps you can then repair SBD and trust lists to improve cluster security.
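The first step Adam describes, finding out which certificates are about to expire, can also be checked from outside the cluster. The Python below is an added example, not code from this thread or from Cisco: it assumes the Tomcat certificate is served on TCP 8443 and the CallManager certificate on the SIP-over-TLS port 5061, pulls each node's leaf certificate with a stdlib-only DER walk (no trust evaluation, since these are typically self-signed), and reports the ones inside the same 7-day window as the RTMT CertValidfor7days alert; SAMPLE_CERT is a constructed minimal certificate used only for offline testing.

```python
import socket
import ssl
from datetime import datetime, timezone

SERVICE_PORTS = {"tomcat": 8443, "CallManager": 5061}   # assumed: Tomcat HTTPS, SIP over TLS

def _tlv(buf, pos):                                      # one DER TLV at pos -> (tag, value, end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as aware UTC."""
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0)
    tag, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0                      # skip optional [0] EXPLICIT version
    for _ in range(3):                                   # serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)
    tag, value, _ = _tlv(validity, _tlv(validity, 0)[2])  # second element is notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def fetch_cert(host, port, timeout=5):
    """TLS-connect and return the server's leaf certificate as DER (no trust evaluation)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def audit_cluster(nodes, warn_days=7, fetch=fetch_cert, now=None):
    """Return {(node, service): days_left} for certs at or below the warning threshold."""
    now = now or datetime.now(timezone.utc)
    expiring = {}
    for node in nodes:
        for service, port in SERVICE_PORTS.items():
            days_left = (not_after(fetch(node, port)) - now).days
            if days_left <= warn_days:
                expiring[(node, service)] = days_left
    return expiring

def _der(tag, body):                                     # minimal DER encoder, short lengths only
    return bytes([tag, len(body)]) + body

# Constructed sample cert: [0] version, serial, empty sigalg/issuer, notAfter 2025-03-15 12:00Z
SAMPLE_CERT = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
                   + _der(0x30, b"") * 2 + _der(0x30, _der(0x17, b"240101000000Z")
                   + _der(0x17, b"250315120000Z"))))
```

Run `audit_cluster(["cucm1", "cucm2", ...])` against the publisher and subscribers; anything returned is due for renewal before the RTMT alert escalates.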

Adam Pawlowski, if I could ask him why he set "Prepare Cluster for Rollback to pre 8.0 Feature" to True, I would. It was a surprise to me when I came across it. However, I won't be changing any of it until we upgrade and get back under support, just in case there was a real reason it was set this way. 

When security by default became a thing, it introduced a trust requirement: phones would have to pick up on new trust lists and be able to verify them with signatures they had, or through the trust verification service (which itself must be in the trust list). It introduces the ability to cause trouble with the phones if too many things change at once without the phones being reset to pick up on them. It also means that when a phone which has been off the system for long enough is connected, it may have to have the trust list erased.

 

This can manifest itself in a few ways, where a phone's directories stop updating, configuration changes don't apply, or the user may notice they can't select ringers or wallpapers. You could end up in a boat where you'd have to go to the devices and clear the trust list manually, which could be a real pain. UnifiedFX markets a tool that helps you back out of that problem should you find yourself in it. You can also cook up something yourself to do this with the embedded URIs on the phone's webserver to control it.

 

I can understand the apprehension of such a feature, and why someone may want to set it for fear of breaking things, or perhaps someone deemed a site visit to a phone for repair unacceptable.

 

Once you go through this process, hopefully you will find that it really isn't all that complicated, and the certificate guide will alert you to actions which may require a CTL to be regenerated, phones to be reset, etc. Largely, for me, the best thing I can think of is that after reading it, it made it clear that I'd want to do this over a period of time to account for devices which aren't connected presently, and reduce the duration of service disruptions while restarting services.

@Adam Pawlowski wrote:

...

I can understand the apprehension of such a feature, and why someone may want to set it for fear of breaking things, or perhaps someone deemed a site visit to a phone for repair unacceptable....

[lightbulb!] This makes sense! We have about 15 sites and the PC techs at the sites are uncomfortable with troubleshooting phones. If this was a problem in the past then the previous admin might have configured that setting to avoid having to travel out to 15 sites to fix phones. 

As @Adam Pawlowski pointed out, if you don't use Mixed mode you can disregard the parts about CTL certificates. However, these would still be generating alerts, so I recommend you renew and remove the old ones as, if memory serves me, they are not removed automatically.

For any other certificates please have a look at this document that I wrote a while ago that covers certificate handling in Cisco UC systems: Cisco UC Certificates Renewal Guide


That's a better document than the Cisco webpage I found. Thank you. 

 

 

You're very welcome. It's mostly based on generally available document sources, but also incorporates some hard-learned facts from real-life experience. Glad you found it useful. :-)