cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
22655
Views
35
Helpful
15
Replies

Regeneration of expired all certicates on Communications Manager

Ali Amir
Level 1
Level 1

Hello everyone,

I'm currently working on regenerating all call manager certificates (tomcat, Callmanager, TVS, CAPF). On both publisher and subscriber all of these certificates have been expired but all phones are registered and functional.

CUCM version is 8.5.1 and Non-Secure.

 

I've already checked following articles:

CUCM Certificate Regeneration/Renewal Process

Cisco Unified Communications Manager Security Guide, Release 8.0(2)

CallManager Certificate Expiration and Deletion

How to regenerate self-signed certificates on CUCM, IM&P and CUC

 I've got that I could not regenerate some certificates together.

Which order of certificate regeneration and restarting of services should be concerned?

1 Accepted Solution

Accepted Solutions

Deepak Rawat
Cisco Employee
Cisco Employee

The most important thing to keep in mind is that never regenerate both the CallManager.pem and TVS.pem certificates at the same time. So you can follow the below order:

1) Regenerate the CallManager.pem certificate on the publisher Call Manager followed by restart of CallManager, TVS and TFTP service

2) Regenerate the TVS.pem certificate followed by restart of TVS and TFTP service on the publisher Call Manager

3) Regenerate the CallManager.pem certificate on the subscriber Call Manager followed by restart of CallManager, TVS and TFTP service

4) Regenerate the TVS.pem certificate followed by restart of TVS and TFTP service on the subscriber Call Manager

5) Regenerate the CAPF.pem certificate on the publisher CM server followed by regenerating it on the subscriber CM and then restart CAPF service only on publisher CM

6) Regenerate the tomcat certificate on publisher Call Manager followed by regenerating it on the subscriber server as well

7) Restart the Cisco Tomcat on publisher Call Manager followed by subscriber Call Manager

https://supportforums.cisco.com/document/68701/communications-manager-security-default-and-itl-operation-and-troubleshooting#Regenerating_Certificates_Rebuilding_a_Cluster_Certificate_Expiry

Regards

Deepak

View solution in original post

15 Replies 15

Deepak Rawat
Cisco Employee
Cisco Employee

The most important thing to keep in mind is that never regenerate both the CallManager.pem and TVS.pem certificates at the same time. So you can follow the below order:

1) Regenerate the CallManager.pem certificate on the publisher Call Manager followed by restart of CallManager, TVS and TFTP service

2) Regenerate the TVS.pem certificate followed by restart of TVS and TFTP service on the publisher Call Manager

3) Regenerate the CallManager.pem certificate on the subscriber Call Manager followed by restart of CallManager, TVS and TFTP service

4) Regenerate the TVS.pem certificate followed by restart of TVS and TFTP service on the subscriber Call Manager

5) Regenerate the CAPF.pem certificate on the publisher CM server followed by regenerating it on the subscriber CM and then restart CAPF service only on publisher CM

6) Regenerate the tomcat certificate on publisher Call Manager followed by regenerating it on the subscriber server as well

7) Restart the Cisco Tomcat on publisher Call Manager followed by subscriber Call Manager

https://supportforums.cisco.com/document/68701/communications-manager-security-default-and-itl-operation-and-troubleshooting#Regenerating_Certificates_Rebuilding_a_Cluster_Certificate_Expiry

Regards

Deepak

Deepak thanks for your answer.

- In certificate list I could see some other expired certifications but I couldn't understand which one of them should be also regenerated (check the attachment)?

- Must be phones restarted for every steps of regenerating CallManager and TVS of certifications? In this case it could be 2 times for publisher and 2 times for subscriber.

Hi Shashank,

the first article/document as I above referred is the document you has mentioned.

CUCM Certificate Regeneration/Renewal Process

But you couldn't find any order of regeneration process for all certificates and especially when they have been expired.

Hi farshinejad

I noticed that your certificates already had expired but still your phones/end devices are working.

Shouldn't an expired certificate keep the devices from working as the config files are signed by an expired certificate?

None of the documents i've read says anything about that.

The one you are referring in the attachment are the trust certificates. There is no need to regenerate them since when you will regenerate the tomcat and CM certificates, the associated tomcta-trust and Callmanager-trust will also regenerate on their own. Phones will automatically reset the moment you will regenerate the Callmanager and TVS certificates and since this process will be done 4 times plus the restart of services so it is highly recommended to do this in a maintenance window.

Regards

Deepak

After regenerate the tomcat,CAPF and CM certificates, almost all associated tomcat-trust, CAPF-trust and Callmanager-trust were also regenerate on their own.

But there are two certificates (CAPF-trust, CallManager-trust) that were not regenerated on their own and I've still received RTMT Certificate expiration Notification about them.

Should I delete these certificates or should I do something else?

What is reason of these certificates (CallManager-trust, tomcat-trust ...) when the system has the tomcat,CAPF and CM certificates?

 

You can open the certificate for which you are getting RTMT alerts and check the expiry date to confirm they are indeed expired and then you can delete them. Tomcat, CAPF and CM certificates are the service certificates whereas the certs labeled with Trust are Trust certificates. Refer below for more details:

http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#tomcattomcattrust

Regards

Deepak

Thanks for your answer.


Do have any explaination why these trust certificates were not regenerated on their own after regenerating CallManager and CAPF certificates?

Deleting of this type of expired certificate, that it was not regenerated automatically, does need a restart of services or phones?

 

Deepak,

August 2017 Cisco TAC told me to also restart CTI Manager also.  Do you agree?

 

-JC

Hello Ami,

You didn´t say anything about user impact when you regenerate the IPSec and Tomcat certificates.

CM version: 10.5.2 SU6

5 Server cluster. 

7k devices.

Currently expired certs of 3 of 5 servers. 

 

Would it be advisable to turn on the "Prepare Cluster for Rollback to pre 8.0" feature.   Then perform the certificate regeneration as prescribed by Deepak Rawat?

Thanks

 

If you're worried something might happen with the ITL, yes, you can do that, re-generate all the certs, and then disable the parameter so phones get the new ITL which will use the new certs.

HTH

java

if this helps, please rate