
AMA-CUCM Troubleshooting: Best Practices for Reading Trace Files

Hall of Fame Master

Jamie is correct, the cert on

Jamie is correct, the cert on the Expressway-E needs to be publicly signed; your Expressway-C and CUCM, IMP, CUC can run internally signed certs.


Re: Jamie is correct, the cert on

I have faced this issue as well, where certain 7821 phones are registering fine through the EXP-E and others are not, reporting that they cannot trust the EXP-E certificate. Unfortunately you have to stage all the phones first on premises to avoid this issue, since the Cisco documentation is reporting the following:


"Certificate provisioning to remote endpoints is not supported over MRA. For example, the Certificate Authority Proxy Function (CAPF). If you can do the first-time configuration on premises (inside the firewall) including CAPF enrolment, then these endpoints can use encrypted TFTP configuration files over MRA. But you can't do the CAPF enrolment over MRA, so you must bring the endpoints back on-premises for subsequent certificate operations."


So likely phones with old firmware will not be able to trust the certificate and log in through the EXP-E. That was my case.

Rising star

Re: Jamie is correct, the cert on

That doesn't make a lot of sense though.


The root CA list may be in the firmware and may be updated; I could see that happening. CAPF doesn't really have anything to do with it, which is what that's referring to.


Granted, if the firmware were out of date and needed updating, and it can't connect to the Expressway to find out what it needs to do, then it won't work.
