Solved: CUCM Security- MIC certificates

Pasha Teplitsky · ‎12-04-2017

Hi guys,

I've read in several docs that default root certs (CAP-RTP-001, CAP-RTP-002, Cisco_Manufacturing_CA and Cisco_Root_CA_2048) should be deleted from the trust store in CUCM so that only LSC certs will be used (trusted) to initiate a TLS connection with CUCM.

Deleting these root certs will no allow the phone to initiate TLS connection using it's MIC certificate.

In other words, CUCM will not trust MIC certs anymore.

What bothers me is that we actually use an existing cert (MIC) to install LSC certs on the phone for the first time.

Won't deleting the root certs that allow us to trust MIC brake this operation??

Jonathan Schulenberg · ‎12-06-2017

Not if you’re careful which trust store you delete them from. You want to delete them from the CallManager-Trust but NOT the CAPF-Trust. The former is which client certifies to allow for phone registration and while the later defines which client certificates to permit for CAPF enrollment.

View solution in original post

Jonathan Schulenberg · ‎12-06-2017

Not if you’re careful which trust store you delete them from. You want to delete them from the CallManager-Trust but NOT the CAPF-Trust. The former is which client certifies to allow for phone registration and while the later defines which client certificates to permit for CAPF enrollment.

Pasha Teplitsky · ‎12-12-2017

Great answer Jonathan,

Thanks a lot!