
Regenerating CUCM certificates

mightyking
Level 6

Hello Experts,

I have more than 100 expired callmanager-trust certificates. Do I need to regenerate them all one by one? Please note that the cluster security mode is INSECURE. Please see the attached screenshot.

 

Thanks,

 

MK

9 Replies

luis_cordova
VIP Alumni

Hi @mightyking,

 

I hope this discussion can guide you:

 

https://community.cisco.com/t5/ip-telephony-and-phones/trust-certificates-regeneration/td-p/3080422

 

Regards

Jaime Valencia
Cisco Employee

Most of those do not even belong to that cluster, so you cannot regenerate them. Most likely each CAPF certificate belongs to another cluster that you wanted to trust; you would need to import the new certificates from the other clusters (and regenerate them on the other clusters if necessary).

HTH

java

if this helps, please rate

We have only one cluster. I don't understand what you mean by other cluster.

As we are in INSECURE mode, we probably don't even need to regenerate CAPF and will need to delete all CAPF certs. How can I delete all CAPF certs? As I mentioned, there are more than 100 expired callmanager-trust certs where the Distribution is CAPF. It will be very time consuming to use the GUI and delete them one by one. I thought to use the following CLI command to delete them all, but it looks like even with the CLI I have to go one by one.

 

set cert delete CAPF <name of certificate>.pem

 

Thanks,

 

MK

 

Sorry mighty king, but AFAIK there is no bulk delete option; I went through the same thing myself recently. Do a few every day and it'll be done in no time.

Please remember to rate useful posts, by clicking on the stars below.

Hi Dennis,

I also have many expired tomcat-trust and callmanager-trust certs for which there's no option to regenerate. Can I use the "set cert bulk export tomcat" command to export the entire unit, delete the expired ones, and import them back using the "set cert bulk import tomcat" command? Do I need to stop and start any services after deleting the expired certs?

 

Thanks,

 

MK

Can I upload the new tomcat cert during the operation hours and restart the tomcat service after hours? I believe the new cert won't be effective until the tomcat service is restarted. Is that right?

 

Thanks,

 

Mk

Correct, a new service certificate requires a service restart for the new certificate to become active.

HTH

java

if this helps, please rate

Thanks Jaime

One more question:

I have an existing Multi-server (SAN) tomcat cert for which I don't see any tomcat-trust. Is that normal? I was always under the impression that as soon as a tomcat cert is regenerated, signed and uploaded, a new tomcat-trust file will be generated with the same expiry date. Am I mistaken?

 

Thanks,

 

Mk