12-18-2018 07:23 PM - edited 03-17-2019 01:51 PM
Hello Experts,
I have more than 100 expired callmanager-trust certificates. Do I need to regenerate them all one by one? Please note that the cluster security mode is INSECURE. Please see the attached screenshot.
Thanks,
MK
12-18-2018 07:52 PM - edited 12-18-2018 07:53 PM
Hi @mightykin,
I hope this discussion can guide you:
https://community.cisco.com/t5/ip-telephony-and-phones/trust-certificates-regeneration/td-p/3080422
Regards
12-18-2018 08:25 PM
Most of those do not even belong to that cluster, so you cannot re-generate them. Most likely each CAPF certificate belongs to another cluster that you wanted to trust; you would need to import the new certificates from the other clusters (and re-generate them on the other clusters if necessary).
12-18-2018 08:49 PM
We have only one cluster. I don't understand what you mean by other cluster.
As we are in INSECURE mode, we probably don't even need to regenerate CAPF and will need to delete all CAPF certs. How can I delete all CAPF certs? As I mentioned, there are more than 100 expired callmanager-trust certs where the Distribution is CAPF. It will be very time-consuming to use the GUI and delete them one by one. I thought to use the following CLI command to delete them all, but it looks like even with the CLI I have to go one by one:
set cert delete CAPF <name of certificate>.pem
Thanks,
MK
12-19-2018 04:22 AM
Sorry mighty king, but AFAIK there is no bulk delete option. I went through the same thing myself recently. Do a few every day and it'll be done in no time.
12-19-2018 10:18 AM
Hi Dennis,
I also have many expired tomcat-trust and callmanager-trust certs for which there's no option to regenerate. Can I use the "set cert bulk export tomcat" command to export the entire unit and delete the expired one and import them back using "set cert bulk import tomcat" command? Do I need to stop and start any services after deleting the expired certs?
Thanks,
MK
12-20-2018 09:17 AM
Can I upload the new tomcat cert during operating hours and restart the tomcat service after hours? I believe the new cert won't be effective until the tomcat service is restarted. Is that right?
Thanks,
Mk
12-20-2018 09:25 AM
Correct, a new service certificate requires a service restart for the new certificate to become active.
12-20-2018 09:27 AM
Thanks Jaime
12-20-2018 09:37 AM
One more question:
I have an existing Multi-server (SAN) tomcat cert for which I don't see any tomcat-trust. Is that normal? I was always under the impression that as soon as a tomcat cert is regenerated, signed and uploaded, a new tomcat-trust file will be generated with the same expiry date. Am I mistaken?
Thanks,
Mk