I'm working through deleting around 20 old CAPF certs (all -trust) from the Pub in CUCM 10.5.2 cluster I work on, and something is giving me pause for thought.
I regenerated certs across the cluster last October, CM, TVS, Tomcat, IPSec, and CAPF.
I noted the old CAPF cert on my phone's ITL first, and tried to figure out why all the Subs had had CAPF created on them instead of just on the Pub. I drew a blank on that. I don't actually know why CAPF is enabled at all as we don't (and it seems never have) run a secure cluster, as such we don't use CTL on the phones. My understanding is that I can in fact turn the CAPF and CTL Provider Security Services off in the Feature Services list on the Publisher (having read Jonathan Schulenberg's posts on this forum). But I've not plucked up the courage for doing that just yet.
What I have noticed though is that as I delete old CAPF-trust certs from the Pub, I get the unexpected behaviour of the phone resets (see images - removing CAPF-b542db29 caused the 73% drop). The first time I did this I did it during business hours expecting it to be a safe exercise, and got a 66% drop in registered devices from RTMT! I saw the spare phone on my desk reset, and that gave me the shakes, and wrote the rest of my afternoon off!
Not all the CAPF-trust certs cause this behaviour - some cause no resets, and some cause a 10% reset.
I regenerated the 'live' CAPF cert on the Pub in October 2017, along with other certs throughout the cluster, and all the relevant services were restarted back then (TVS, Tomcat, DRF). The ITL file on my phone was updated accordingly and everything seemed fine.
I'm hoping someone can explain what is going on presently; why the resets?
And can I safely take the leap and turn the CTL Provider and CAPF services off on the Pub, and delete the current CAPF certificate, and have done with it once-and-for-all?
I've yet to start working through the certificate stores on the other cluster members, but I hope it doesn't cause the same behaviour...
Thanks in advance.
Nathan.
