IP Phone LSC Certificate

fgasimzade
Level 4

Hello everyone!

Is there any way to check the expiration date of the LSC certificate installed on the IP Phone? For what period is it basically valid?

Thank you!


Akhil Behl
Level 1

Hello,

The default expiration for LSC is 5 years from date of issue.

You can check for the certificate expiration by looking at the CAPF certificate on CUCM, since it is the root for LSC.

For more information on Cisco UC certificates, CAPF, LSC, MIC and so on, refer to 'Securing Cisco IP Telephony Networks': http://www.amazon.com/dp/1587142953

Regards,

Akhil Behl
Solutions Architect


Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953


Thank you, akbehl

The thing is that some of our IP phones started unregistering, and when I look at the debug messages on the IP Phone web page, I can see this error:

ERR 04:27:43.532340 SECD: EROR:clpState: SSL3 alert read:fatal:certificate expired:<192.168.16.6>
ERR 04:27:43.533242 SECD: EROR:clpState: SSL_connect:failed in SSLv3 read finished A:<192.168.16.6>
ERR 04:27:43.533511 SECD: EROR:clpSetupSsl: ** SSL handshake failed, <192.168.16.6> c:7 s:8
ERR 04:27:43.533717 SECD: EROR:clpSetupSsl: SSL/TLS handshake failed, <192.168.16.6> c:7 s:8
ERR 04:27:43.533917 SECD: EROR:clpSetupSsl: SSL/TLS setup failed, <192.168.16.6> c:7 s:8
ERR 04:27:43.534106 SECD: EROR:clpSndStatus: SSL CLNT ERR, srvr<192.168.16.6>
ERR 04:27:43.534321 SECD: EROR:clpSndStatus: ** SEC-ERR: code:5(SSL_ALERT) subcode:45(EXPIRED_CERT)
ERR 04:27:43.534514 SECD: EROR:clpSndStatus: ** SEC-ERR: desc

Need to mention that we were using MIC certificates for TLS; if I install an LSC certificate on those unregistered phones, they register successfully.

I have checked the certificate expiration dates on CUCM, they are all valid except one, which was expired in 2012.

Why do I get those error messages?

These messages indicate that the phone certificate is trying to authenticate against an expired certificate on CUCM.

If the MIC based authentication is failing, check if the manufacturing CA certificate is still valid.

Also, it'll be good to have a screen capture of certificates, model of phone and CUCM ver to isolate the issue.

Regards,


Akhil Behl
Solutions Architect


Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953


This is the manufacturing CA:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6a:69:67:b3:00:00:00:00:00:03
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Cisco Systems, CN=Cisco Root CA 2048
        Validity
            Not Before: Jun 10 22:16:01 2005 GMT
            Not After : May 14 20:25:42 2029 GMT
        Subject: O=Cisco Systems, CN=Cisco Manufacturing CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption

Phone models affected are 7911 mostly, some 7970 as well. CUCM version is 6.1.2.1000-13

I have only 1 certificate expired, CAPF-57bc7a82.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            17:27:f0:3a:95:0b:3c:4d
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=swt, ST=az, L=swt, C=AZ, CN=CAPF-57bc7a82, OU=1
        Validity
            Not Before: Oct 18 13:04:04 2007 GMT
            Not After : Oct 18 13:04:04 2012 GMT
        Subject: O=swt, ST=az, L=swt, C=AZ, CN=CAPF-57bc7a82, OU=1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)

All other certificates are valid at least up to 2014

It's the CAPF certificate which needs to be reissued / regenerated.

Follow the procedure as given in the following URL to regenerate CAPF certificate

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_5_1/secugd/secusbd.html#wp1093886



Akhil Behl
Solutions Architect
akbehl@cisco.com

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953


Thank you, I will certainly do it

But the only concern is that it expired in 2012, but started to give errors only last week. Isn't it strange?

Hi Akhil,

We have a voice secured cluster 8.6, and suddenly some IP phones got unregistered; after we did an update to the CAPF from the phone page, they registered back again.

Is this normal while the certificate on the server is still valid until 2018?

Is it normal for the phone certificate to be expired?

Does updating the CAPF while the authentication mode is Null String solve the expiry issue?

Is there any tool that can tell us the certificate expiry date for phones and servers before they expire?

Also find the console logs of the phone in the attachment.

Thanks for helping.
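Added example, not part of the original thread and not a Cisco tool: one way to catch expiry ahead of time is to run a check over certificate text dumps in the `openssl x509 -text` layout posted earlier in this thread and flag anything expired or inside a warning window. The function names `parse_dumps` and `expiry_report` and the 90-day window are assumptions made for this example; it also assumes English month names in the dump.

```python
import re
from datetime import datetime, timedelta, timezone

# Validity/Subject lines copied from the two dumps posted in this thread
# (openssl x509 -text layout), trimmed to the fields this check reads.
SAMPLE_DUMPS = """\
Certificate:
        Validity
            Not Before: Jun 10 22:16:01 2005 GMT
            Not After : May 14 20:25:42 2029 GMT
        Subject: O=Cisco Systems, CN=Cisco Manufacturing CA
Certificate:
        Validity
            Not Before: Oct 18 13:04:04 2007 GMT
            Not After : Oct 18 13:04:04 2012 GMT
        Subject: O=swt, ST=az, L=swt, C=AZ, CN=CAPF-57bc7a82, OU=1
"""

NOT_AFTER = re.compile(r"^\s*Not After\s*:\s*(.+?)\s+GMT\s*$")
SUBJECT = re.compile(r"^\s*Subject:\s*(.+?)\s*$")  # not "Subject Public Key Info:"

def parse_dumps(text):
    """Yield (subject, not_after) for every certificate found in the text."""
    not_after = None
    for line in text.splitlines():
        if m := NOT_AFTER.match(line):
            stamp = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
            not_after = stamp.replace(tzinfo=timezone.utc)  # dump times are GMT
        elif (m := SUBJECT.match(line)) and not_after is not None:
            yield m.group(1), not_after
            not_after = None

def expiry_report(text, now, warn_days=90):
    """Classify each certificate as EXPIRED, EXPIRING or OK at time `now`."""
    report = []
    for subject, not_after in parse_dumps(text):
        if not_after <= now:
            status = "EXPIRED"
        elif not_after - now <= timedelta(days=warn_days):
            status = "EXPIRING"
        else:
            status = "OK"
        report.append((subject, not_after.date().isoformat(), status))
    return report

if __name__ == "__main__":
    for row in expiry_report(SAMPLE_DUMPS, datetime.now(timezone.utc)):
        print(*row, sep=" | ")
```

Run on a schedule against fresh dumps of every certificate in the trust store, the `EXPIRING` status gives notice before phones start failing the TLS handshake.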
