06-24-2013 09:46 AM - edited 03-16-2019 06:03 PM
Hello everyone!
Is there any way to check the expiration date of the LSC certificate installed on the IP Phone? For what period is it basically valid?
Thank you!
06-29-2013 12:52 AM
Hello,
The default expiration for LSC is 5 years from date of issue.
You can check for the certificate expiration by looking at the CAPF certificate on CUCM, since it is the root for LSC.
For more information on Cisco UC certificates, CAPF, LSC, MIC and so on, refer to 'Securing Cisco IP Telephony Networks': http://www.amazon.com/dp/1587142953
Regards,
Akhil Behl
Solutions Architect
Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953
06-29-2013 01:11 AM
Thank you, akbehl
The thing is that some of our IP phones started unregistering, and when I look in the debug messages on the IP Phone web page, I can see this error:
ERR 04:27:43.532340 SECD: EROR:clpState: SSL3 alert read:fatal:certificate expired:<192.168.16.6>
ERR 04:27:43.533242 SECD: EROR:clpState: SSL_connect:failed in SSLv3 read finished A:<192.168.16.6>
ERR 04:27:43.533511 SECD: EROR:clpSetupSsl: ** SSL handshake failed, <192.168.16.6> c:7 s:8
ERR 04:27:43.533717 SECD: EROR:clpSetupSsl: SSL/TLS handshake failed, <192.168.16.6> c:7 s:8
ERR 04:27:43.533917 SECD: EROR:clpSetupSsl: SSL/TLS setup failed, <192.168.16.6> c:7 s:8
ERR 04:27:43.534106 SECD: EROR:clpSndStatus: SSL CLNT ERR, srvr<192.168.16.6>
ERR 04:27:43.534321 SECD: EROR:clpSndStatus: ** SEC-ERR: code:5(SSL_ALERT) subcode:45(EXPIRED_CERT)
ERR 04:27:43.534514 SECD: EROR:clpSndStatus: ** SEC-ERR: desc
Need to mention that we were using MIC certificates for TLS. If I install an LSC certificate on those unregistered phones, they register successfully.
I have checked the certificate expiration dates on CUCM; they are all valid except one, which expired in 2012.
Why do I get those error messages?
06-29-2013 01:26 AM
These messages indicate that the phone certificate is trying to authenticate against an expired certificate on CUCM.
If the MIC based authentication is failing, check if the manufacturing CA certificate is still valid.
Also, it'll be good to have a screen capture of certificates, model of phone and CUCM ver to isolate the issue.
Regards,
Akhil Behl
Solutions Architect
Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953
06-29-2013 01:32 AM
This is the manufacturing CA:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6a:69:67:b3:00:00:00:00:00:03
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=Cisco Systems, CN=Cisco Root CA 2048
Validity
Not Before: Jun 10 22:16:01 2005 GMT
Not After : May 14 20:25:42 2029 GMT
Subject: O=Cisco Systems, CN=Cisco Manufacturing CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Phone models affected are 7911 mostly, some 7970 as well. CUCM version is 6.1.2.1000-13
I have only 1 certificate expired, CAPF-57bc7a82.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
17:27:f0:3a:95:0b:3c:4d
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=swt, ST=az, L=swt, C=AZ, CN=CAPF-57bc7a82, OU=1
Validity
Not Before: Oct 18 13:04:04 2007 GMT
Not After : Oct 18 13:04:04 2012 GMT
Subject: O=swt, ST=az, L=swt, C=AZ, CN=CAPF-57bc7a82, OU=1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
All other certificates are valid at least up to 2014.
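A way to run the check discussed in this thread over certificate dumps and phone logs, as an added example that is not part of any participant's post. The function names and the 90-day warning window are assumptions, and the sample input is constructed by trimming the dumps and log lines quoted above:

```python
import re
from datetime import datetime, timezone

# Constructed sample input: trimmed copies of the two dumps and two log lines quoted in the thread.
DUMPS = """\
Certificate:
    Validity
        Not After : May 14 20:25:42 2029 GMT
    Subject: O=Cisco Systems, CN=Cisco Manufacturing CA
Certificate:
    Validity
        Not After : Oct 18 13:04:04 2012 GMT
    Subject: O=swt, ST=az, L=swt, C=AZ, CN=CAPF-57bc7a82, OU=1
"""
PHONE_LOG = """\
ERR 04:27:43.532340 SECD: EROR:clpState: SSL3 alert read:fatal:certificate expired:<192.168.16.6>
ERR 04:27:43.534321 SECD: EROR:clpSndStatus: ** SEC-ERR: code:5(SSL_ALERT) subcode:45(EXPIRED_CERT)
"""

NOT_AFTER = re.compile(r"Not After\s*:\s*(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) GMT")
SUBJECT_CN = re.compile(r"Subject:.*?CN=([^,\n]+)")

def parse_dumps(text):
    """Yield (common_name, not_after) for each 'Certificate:' block in the text."""
    for block in text.split("Certificate:")[1:]:
        end, cn = NOT_AFTER.search(block), SUBJECT_CN.search(block)
        if end and cn:
            # Collapse the double space openssl prints before single-digit days.
            when = datetime.strptime(" ".join(end.group(1).split()), "%b %d %H:%M:%S %Y")
            yield cn.group(1).strip(), when.replace(tzinfo=timezone.utc)

def expiry_report(text, now, warn_days=90):
    """Map each CN to (status, days_left); status is EXPIRED, EXPIRING or OK."""
    report = {}
    for cn, not_after in parse_dumps(text):
        days = (not_after - now).days
        status = "EXPIRED" if not_after <= now else "EXPIRING" if days <= warn_days else "OK"
        report[cn] = (status, days)
    return report

def expired_alert_peers(log):
    """Return peer IPs for which the phone logged a 'certificate expired' TLS alert."""
    return sorted(set(re.findall(r"certificate expired:<([\d.]+)>", log)))

if __name__ == "__main__":
    now = datetime(2013, 6, 29, tzinfo=timezone.utc)  # date of the posts above
    for cn, (status, days) in expiry_report(DUMPS, now).items():
        print(f"{cn:28} {status:9} {days:6d} days")
    print("peers sending expired-cert alerts:", expired_alert_peers(PHONE_LOG))
```

Run on a schedule against fresh dumps, the EXPIRING status gives advance notice before phones start logging `EXPIRED_CERT`.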
06-29-2013 03:07 AM
It's the CAPF certificate which needs to be reissued / regenerated.
Follow the procedure given at the following URL to regenerate the CAPF certificate:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_5_1/secugd/secusbd.html#wp1093886
Akhil Behl
Solutions Architect
akbehl@cisco.com
Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953
06-29-2013 03:15 AM
Thank you, I will certainly do it.
But the only concern is that it expired in 2012, but started to give errors only last week. Isn't it strange?
10-13-2014 04:18 AM
Hi Akhil,
We have a voice secured cluster 8.6 and suddenly some IP phones got unregistered, and after we did an update to the CAPF from the phone page they registered back again.
Is this normal while the certificate on the server is still valid until 2018?
Is it normal for the phone certificate to be expired?
Does updating the CAPF while the authentication mode is Null String solve the expiry issue?
Is there any tool that can tell us the certificate expiry date for phones and servers before they expire?
Also find the console logs of the phone in the attachment.
Thanks for helping.