
Expired Certs

Cleo Jamison
Level 1

We have some self-signed certs that have expired. When I regenerate these certs will it require a restart of the Call Manager Server?

| Certificate | Common Name | Type | Key Type | Distribution | Issued By | Expiration | Description |
|---|---|---|---|---|---|---|---|
| tomcat | PUBLISHER | Self-signed | RSA | PUBLISHER | PUBLISHER | 02/01/2017 | Self-signed certificate generated by system |
| tomcat-trust | PUBLISHER | Self-signed | RSA | PUBLISHER | PUBLISHER | 02/01/2017 | Trust Certificate |
| ipsec | PUBLISHER | Self-signed | RSA | PUBLISHER | PUBLISHER | 02/01/2017 | Self-signed certificate generated by system |
| ipsec-trust | PUBLISHER | Self-signed | RSA | PUBLISHER | PUBLISHER | 02/01/2017 | Trust Certificate |
| CallManager | PUBLISHER | Self-signed | RSA | PUBLISHER | PUBLISHER | 02/01/2017 | Self-signed certificate generated by system |
| CallManager-trust | PUBLISHER | Self-signed | RSA | PUBLISHER | PUBLISHER | 02/01/2017 | |
| CallManager-trust | CAPF-ded3e58d | Self-signed | RSA | CAPF-ded3e58d | CAPF-ded3e58d | 02/01/2017 | Trust Certificate |
| CAPF-trust | CAPF-ded3e58d | Self-signed | RSA | CAPF-ded3e58d | CAPF-ded3e58d | 02/01/2017 | |
| TVS | PUBLISHER | Self-signed | RSA | PUBLISHER | PUBLISHER | 02/01/2017 | |
| CAPF | CAPF-09eb24e8 | Self-signed | RSA | CAPF-09eb24e8 | CAPF-09eb24e8 | 02/01/2017 | |
| CallManager-trust | CAPF-09eb24e8 | Self-signed | RSA | CAPF-09eb24e8 | CAPF-09eb24e8 | 02/01/2017 | |
| CAPF-trust | CAPF-09eb24e8 | Self-signed | RSA | CAPF-09eb24e8 | CAPF-09eb24e8 | 02/01/2017 | |
| tomcat-trust | SUBSCRIBER | Self-signed | RSA | SUBSCRIBER | SUBSCRIBER | 02/01/2017 | Trust Certificate |
| CallManager-trust | SUBSCRIBER | Self-signed | RSA | SUBSCRIBER | SUBSCRIBER | 02/01/2017 | |
| CallManager-trust | CAPF-54253ad0 | Self-signed | RSA | CAPF-54253ad0 | CAPF-54253ad0 | 02/01/2017 | |

Thanks for your reply.

2 Accepted Solutions


Jaime Valencia
Cisco Employee

Yes, when you re-generate the certificates (or replace them for CA signed), they will tell you what service(s) need to be restarted for the new cert to take effect.

Make sure to read the ITL documentation before doing this, to understand the proper procedure and avoid ITL issues.

HTH

java

if this helps, please rate


Jitender Bhandari
Cisco Employee

Hi Cleo,

Along with what Jaime said, see below for a better understanding.

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html

http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html

(Rate if it helps)

JB


4 Replies

dohnesor
Cisco Employee

Anything with the -trust is basically a copy of a cert, either from another cluster or itself. They cannot be re-generated.

Anything without the -trust is local to the server i.e. the Private Key of the cert exists in the root access. Here is a summary of what needs to be restarted:

  • Tomcat - restart Tomcat service as well as TVS service
  • CallManager - restart CallManager, TFTP and TVS
  • CAPF - restart CAPF service
  • IPSEC - restart DRF Master and Local
  • TVS - restart TVS and TFTP

IMPORTANT: Always re-generate TVS service last or at least after re-generating CallManager certificate. When you re-generate CallManager the phones will not trust the new ITL file and will only refer to their cached ITL file. They will contact the TVS service over TLS and ask if the new CallManager certificate/ITL file can be trusted to which TVS will reply that it can. As you have not yet re-generated the TVS cert at that time, the phone trusts the TVS server as its TLS fingerprint exists in its cached ITL file.
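
The rules in the reply above, worked through as an added example (not part of the original post and not Cisco tooling): it takes a certificate list, skips the -trust copies, keeps only expired entries, and orders the work so TVS comes last. The function name `plan`, the CSV layout and the sample rows are constructed for illustration, and the expiration is assumed to be MM/DD/YYYY.

```python
from datetime import date, datetime

# Services to restart per certificate, as summarized in the reply above.
RESTARTS = {
    "tomcat": ["Tomcat", "TVS"],
    "callmanager": ["CallManager", "TFTP", "TVS"],
    "capf": ["CAPF"],
    "ipsec": ["DRF Master", "DRF Local"],
    "tvs": ["TVS", "TFTP"],
}

# Constructed sample: certificate, common name, expiration (MM/DD/YYYY assumed).
# The ipsec date is changed to a later year here to show the expiry filter.
INVENTORY = """\
tomcat,PUBLISHER,02/01/2017
tomcat-trust,PUBLISHER,02/01/2017
ipsec,PUBLISHER,02/01/2022
TVS,PUBLISHER,02/01/2017
CallManager,PUBLISHER,02/01/2017
CAPF,CAPF-09eb24e8,02/01/2017
"""


def plan(inventory_text, today):
    """Return (steps, skipped) for the expired entries in the inventory.

    steps   -- ordered list of (certificate, services_to_restart)
    skipped -- expired -trust copies, which cannot be regenerated
    """
    steps, skipped = [], []
    for line in inventory_text.strip().splitlines():
        name, common_name, expiration = [f.strip() for f in line.split(",")]
        expires = datetime.strptime(expiration, "%m/%d/%Y").date()
        if expires >= today:
            continue  # still valid, nothing to do
        if name.lower().endswith("-trust"):
            skipped.append((name, common_name))
            continue
        key = name.lower()
        if key not in RESTARTS:
            raise ValueError(f"no restart rule known for {name!r}")
        steps.append((name, RESTARTS[key]))
    # Stable sort: everything keeps its order except TVS, which moves to the
    # end so phones can still validate the new CallManager cert through TVS.
    steps.sort(key=lambda step: step[0].lower() == "tvs")
    return steps, skipped


if __name__ == "__main__":
    ordered, trust_copies = plan(INVENTORY, date(2017, 3, 1))
    for number, (cert, services) in enumerate(ordered, start=1):
        print(f"{number}. regenerate {cert}; restart {', '.join(services)}")
    print("skipped trust copies:", trust_copies)
```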

Dennis Mink
VIP Alumni

Cleo, you would only need to restart the relevant services after you have uploaded the new certs, not the whole server. 

check out this link if you are unsure:

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html#anc4

please rate if useful

Please remember to rate useful posts, by clicking on the stars below.
