CUCM Security- MIC certificates

Hi guys,

I've read in several docs that default root certs (CAP-RTP-001, CAP-RTP-002, Cisco_Manufacturing_CA and Cisco_Root_CA_2048) should be deleted from the trust store in CUCM so that only LSC certs will be used (trusted) to initiate a TLS connection with CUCM.

Deleting these root certs will not allow the phone to initiate a TLS connection using its MIC certificate.

In other words, CUCM will not trust MIC certs anymore.

What bothers me is that we actually use an existing cert (MIC) to install LSC certs on the phone for the first time.

Won't deleting the root certs that allow us to trust MIC break this operation??

Accepted Solutions

Re: CUCM Security- MIC certificates

Not if you’re careful which trust store you delete them from. You want to delete them from the CallManager-Trust but NOT the CAPF-Trust. The former defines which client certificates to allow for phone registration, while the latter defines which client certificates to permit for CAPF enrollment.
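
An added example, not part of the original post or Cisco's tooling: a small audit of the end state the accepted answer describes, with the four MIC roots from the question absent from CallManager-trust and still present in CAPF-trust. The "store/certificate" inventory layout and the sample entries are assumptions constructed for this sketch, not captured CUCM output.

```python
# MIC issuer roots named in the question above.
MIC_ROOTS = {"CAP-RTP-001", "CAP-RTP-002",
             "Cisco_Manufacturing_CA", "Cisco_Root_CA_2048"}

# Constructed sample inventory, one "store/certificate" entry per line.
# The layout is an assumption for this example, not real CUCM output.
SAMPLE = """\
CallManager-trust/CAP-RTP-001.pem
CallManager-trust/Cisco_Manufacturing_CA.pem
CallManager-trust/CAPF-example.pem
CAPF-trust/CAP-RTP-001.pem
CAPF-trust/CAP-RTP-002.pem
CAPF-trust/Cisco_Manufacturing_CA.pem
"""

def parse_inventory(text):
    """Return {lower-cased store name: set of cert names without extension}."""
    stores = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "/" not in line:
            continue  # skip blanks and anything that is not store/cert
        store, name = line.split("/", 1)
        name = name.split(":", 1)[0].strip()  # tolerate a trailing ": note"
        for ext in (".pem", ".der"):
            if name.lower().endswith(ext):
                name = name[:-len(ext)]
        stores.setdefault(store.strip().lower(), set()).add(name)
    return stores

def audit(text):
    """Compare both trust stores against the state the answer recommends."""
    stores = parse_inventory(text)
    callmanager = stores.get("callmanager-trust", set())
    capf = stores.get("capf-trust", set())
    return {
        # Roots still here mean MIC-based registration is still trusted.
        "mic_roots_in_callmanager_trust": sorted(MIC_ROOTS & callmanager),
        # Roots absent here cannot vouch for a MIC during CAPF enrollment.
        "mic_roots_missing_from_capf_trust": sorted(MIC_ROOTS - capf),
    }

if __name__ == "__main__":
    for finding, certs in audit(SAMPLE).items():
        print(f"{finding}: {certs or 'none'}")
```
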

Re: CUCM Security- MIC certificates

Great answer Jonathan,

Thanks a lot!