05-10-2017 02:03 PM - edited 03-17-2019 10:18 AM
We have some self-signed certs that have expired. When I regenerate these certs will it require a restart of the Call Manager Server?
tomcat | PUBLISHER | Self-signed | RSA | PUBLISHER | PUBLISHER | 02/01/2017 | Self-signed certificate generated by system
tomcat-trust | PUBLISHER | Self-signed | RSA | PUBLISHER | PUBLISHER | 02/01/2017 | Trust Certificate
ipsec | PUBLISHER | Self-signed | RSA | PUBLISHER | PUBLISHER | 02/01/2017 | Self-signed certificate generated by system
ipsec-trust | PUBLISHER | Self-signed | RSA | PUBLISHER | PUBLISHER | 02/01/2017 | Trust Certificate
CallManager | PUBLISHER | Self-signed | RSA | PUBLISHER | PUBLISHER | 02/01/2017 | Self-signed certificate generated by system
CallManager-trust | PUBLISHER | Self-signed | RSA | PUBLISHER | PUBLISHER | 02/01/2017 |
CallManager-trust | CAPF-ded3e58d | Self-signed | RSA | CAPF-ded3e58d | CAPF-ded3e58d | 02/01/2017 | Trust Certificate
CAPF-trust | CAPF-ded3e58d | Self-signed | RSA | CAPF-ded3e58d | CAPF-ded3e58d | 02/01/2017 |
TVS | PUBLISHER | Self-signed | RSA | PUBLISHER | PUBLISHER | 02/01/2017 |
CAPF | CAPF-09eb24e8 | Self-signed | RSA | CAPF-09eb24e8 | CAPF-09eb24e8 | 02/01/2017 |
CallManager-trust | CAPF-09eb24e8 | Self-signed | RSA | CAPF-09eb24e8 | CAPF-09eb24e8 | 02/01/2017 |
CAPF-trust | CAPF-09eb24e8 | Self-signed | RSA | CAPF-09eb24e8 | CAPF-09eb24e8 | 02/01/2017 |
tomcat-trust | SUBSCRIBER | Self-signed | RSA | SUBSCRIBER | SUBSCRIBER | 02/01/2017 | Trust Certificate
CallManager-trust | SUBSCRIBER | Self-signed | RSA | SUBSCRIBER | SUBSCRIBER | 02/01/2017 |
CallManager-trust | CAPF-54253ad0 | Self-signed | RSA | CAPF-54253ad0 | CAPF-54253ad0 | 02/01/2017 |
Thanks for your reply.
05-10-2017 02:43 PM
Yes, when you re-generate the certificates (or replace them for CA signed), they will tell you what service(s) need to be restarted for the new cert to take effect.
Make sure to read the ITL documentation before doing this, to understand the proper procedure and avoid ITL issues.
05-10-2017 09:59 PM
Hi Cleo,
Along with what Jaime said, see below for better understanding.
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html
http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html
(Rate if it helps)
JB
05-11-2017 12:08 AM
Anything with the -trust is basically a copy of a cert, either from another cluster or itself. They cannot be re-generated.
Anything without the -trust is local to the server i.e. the Private Key of the cert exists in the root access. Here is a summary of what needs to be restarted:
IMPORTANT: Always re-generate TVS service last or at least after re-generating CallManager certificate. When you re-generate CallManager the phones will not trust the new ITL file and will only refer to their cached ITL file. They will contact the TVS service over TLS and ask if the new CallManager certificate/ITL file can be trusted, to which TVS will reply that it can. As you have not yet re-generated the TVS cert at that time, the phone trusts the TVS server as its TLS fingerprint exists in its cached ITL file.
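The two rules in the reply above (entries ending in -trust are copies that cannot be re-generated, and TVS goes after CallManager), applied to a few rows from the listing in the question. This is an added example, not part of the original thread or any Cisco tooling; the pipe-delimited layout, the column meanings and the MM/DD/YYYY date reading are assumptions.

```python
from datetime import date, datetime

# Rows copied from the listing in the question. Column meanings (purpose,
# common name, ..., expiry, description) and MM/DD/YYYY are assumptions.
LISTING = """\
tomcat | PUBLISHER | Self-signed | RSA | PUBLISHER | PUBLISHER | 02/01/2017 | Self-signed certificate generated by system
tomcat-trust | PUBLISHER | Self-signed | RSA | PUBLISHER | PUBLISHER | 02/01/2017 | Trust Certificate
TVS | PUBLISHER | Self-signed | RSA | PUBLISHER | PUBLISHER | 02/01/2017 |
CallManager | PUBLISHER | Self-signed | RSA | PUBLISHER | PUBLISHER | 02/01/2017 | Self-signed certificate generated by system
CallManager-trust | CAPF-ded3e58d | Self-signed | RSA | CAPF-ded3e58d | CAPF-ded3e58d | 02/01/2017 | Trust Certificate
CAPF | CAPF-09eb24e8 | Self-signed | RSA | CAPF-09eb24e8 | CAPF-09eb24e8 | 02/01/2017 |
"""


def parse_rows(text):
    """Parse pipe-delimited certificate rows; skip anything too short."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 7:
            continue  # not a certificate row (blank line, stray text)
        expires = datetime.strptime(cells[6], "%m/%d/%Y").date()
        rows.append({"purpose": cells[0], "cn": cells[1], "expires": expires})
    return rows


def regeneration_plan(rows, today):
    """Expired non-trust certificates, ordered so TVS comes after the rest."""
    todo = [r for r in rows
            if not r["purpose"].endswith("-trust") and r["expires"] < today]
    # Stable sort: TVS moves to the end, other entries keep listing order,
    # so CallManager is always handled before TVS.
    todo.sort(key=lambda r: r["purpose"] == "TVS")
    return [(r["purpose"], r["cn"]) for r in todo]


def trust_copies(rows):
    """-trust entries: copies of other certificates, never re-generated."""
    return sorted({(r["purpose"], r["cn"])
                   for r in rows if r["purpose"].endswith("-trust")})


if __name__ == "__main__":
    certs = parse_rows(LISTING)
    for step, (purpose, cn) in enumerate(regeneration_plan(certs, date(2017, 5, 10)), 1):
        print(f"{step}. re-generate {purpose} ({cn})")
    print("trust copies (not re-generated):", trust_copies(certs))
```
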
05-11-2017 03:26 AM
Cleo, you would only need to restart the relevant services after you have uploaded the new certs, not the whole server.
Check out this link if you are unsure:
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html#anc4
Please rate if useful.