Re: Phones not able to register in secure mode cucm 12.5

Mihkel Laur · ‎05-20-2022

Hi!

I recently updated certificates in CUCM 12.5 as they were about to expire.

We now have the issue where phones (7821 and 8845) are unable to register when Security mode: Encrypted.

Some facts:

CUCM version 12.5

LSC installed on phones

Secure SIP profile on phones

In the call manager trust store, the new CAPF exists.
Certificates were signed by a third party and templates were created according to cisco guides.
By using MIC phones are able to register with secure mode.

The phones get the newly generated CAPF certifiate, it is seen on the phone that the old is gone and new is in.

The phones are only able to register with CUCM if the have a non-secure phone profile (with MIC certificates they are able to register)

This leads me to believe that there is some sort of certifiacte issue with callmanager not trusting the CAPF signed certificates?
Network side should not be an issue as secure mode is possible with MIC certificates.

b.winter · ‎05-22-2022

Have you updated the CTL via CLI?

Do the phones have the new certs within their CTL?

Sounds to me, that the phones don't trust the new certs and that's why they aren't registering.

Mihkel Laur · ‎05-23-2022

Hi!

Thanks for the reply.

Yes I updated the CTL via CLI.

CTL file with the new CAPF is visible on the phones but not registering.

The new CAPF is in the callmanagers trust store.