cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

327
Views
4
Helpful
1
Replies
Highlighted
Explorer

Need to generate a new security certificate

Good Day All,

We are using signed certificates on our CUCM version 7.1 CUCM PUB and SUB, CUC server, and CUPS server.

The certificates have expired.

I have found some documentation on generating a new certificate and that all sounds good, but I just wanted to ask people some questions about the process.

1.  Do I need to install the certificate seperately on each server CUCM-PUB and CUCM-SUB, CUC, and CUPS.  (they go in the OS area so I think I will need to install each seperately.)

2.  Is there any specific order to installing the certificates?

3.  Will installing a new certificate impact the running telephones.  (We are not using encryption)

4.  Does the work need to take place out of hours?

Also, if there are any 'gotchas' from someone who has been there before.... that would be great.

Appreciate any info.

Regards

Amanda

Task

For More Information

Step 1:

Generate a CSR on the server.

See the Generating a Certificate Signing Request topic.

Step 2:

Download the CSR to your PC.

See the Download a Certificate Signing Request topic.

Step 3:

Use the CSR to obtain an application certificate from a CA.

Get information about obtaining application certificates from your CA. See Obtaining Third-Party CA Certificates topic for additional notes.

Step 4:

Obtain the CA root certificate.

Get information about obtaining a root certificate from your CA. See Obtaining Third-Party CA Certificates topic for additional notes.

Step 5:

Upload the CA root certificate to the server.

See the Upload a Certificate topic.

Step 6:

Upload the application certificate to the server.

See the Upload a Certificate topic.

Step 7:

If you updated the certificate for CAPF or Cisco Unified Communications Manager, generate a new CTL file.

See the Cisco Unified Communications Manager Security Guide.

Step 8:

Restart the services that are affected by the new certificate.

For all certificate types, restart the corresponding service (for example, restart the Tomcat service if you updated the Tomcat certificate). In addition, if you updated the certificate for CAPF or Cisco Unified Communications Manager, restart the TFTP service.

Note : If you updated the Tomcat certificate, you also must restart the Connection IMAP Server service in Cisco Unity Connection Serviceability.

See the Cisco Unified Communications Manager Serviceability Administration Guide for information about restarting services.

1 REPLY 1
Highlighted
Enthusiast

Need to generate a new security certificate

Hi,

A good starting point would be the following book from Akhil Behl:

Securing Cisco IP Telephony Networks

http://www.amazon.com/dp/1587142953

The following document from Jason Burns provides a great insite to the mechanics of Cisco's internal PKI implimentation as used by the Security by Default feature:

I also recommend you have a look at PhoneView from UnifiedFX, it has the ability to gather ITL and security information from all your phones as well as delete ITL & CTL files in bulk if you find you have to do that at some stage.

Thanks

Stephen Welsh

CTO

http://www.unifiedfx.com