We have a CUCM cluster 6.1.2 and we have lost the tokens we used to create CTL
The problem is that our certificates has expired and there is no way to renew them without the security tokens
Moreover, I have manually regenerated CallManager.pem certificate, and apparently it has resigned all configuration files (correct me if I am wrong) and now some of the phones do not accept these configuration files with this error:
877: xxx 17:30:28.895819 SECD: EROR:verifyFile: sgn verify file failed </usr/ram/SEPB4A4E329D635.cnf.xml>, errclass 8, errcode 19 (signer not in CTL)
and register on the subscriber (dont know why).
Some of the phones are not able to register (rejected) with Security Mode set to Non secure, and I need to configure them with LCS, but looks like if I hard reset the phone, the CTL file on the phone will change and it will not accept the configuration file
Is there any way to disable this functionality and change the cluster mode from mixed to non-secure or somehow "unsign" the configuration files so the phones could take it?
Thank you in advance
Solved! Go to Solution.
The config files are generated dynamically each time a phone requests them. They are not saved on the system. After the CTL is deleted from a phone and it doesn't get a new CTL from CUCM, it will start requesting unsigned config files (SEP*.cnf.xml).
I had the same issue, and had reset the mode back to non-secure, and all worked OK until some phones were factory reset.
Thanks for the CTL delete information.
I have noticed that the phones don't seem to get an ITL.
I am not a fan of ITL infact they have been a pain in the @rse at times, but do you know why an ITL has not been generated / distributed in my security reset cluster.