
Removing Certificates from CUCM

Rohit Khajuria
Level 1

Hi All

In our environment, one of the Call Managers has some old unused certificates still on the server, and it's creating impacts on some services. Now we need to remove these certificates from the server.

We can do it in one way :

CUCM -- OS Administration Page -- Security -- Certificate Management -- Find --  Choose Certificate 

and then we can remove / delete the certificates.

Now, I need to know if there is any other way to remove the certificates.

Regards

Rohit

Accepted Solutions

Aseem Anand
Cisco Employee

Hi Rohit,

You can also remove certificates from CLI:

Remove Certificates via the CLI

Remove CAPF-trust Certificates

set cert delete CAPF <name of certificate>.pem

Remove CallManager-trust Certificates

set cert delete CallManager <name of certificate>.pem

Remove ipsec-trust Certificates

set cert delete ipsec <name of certificate>.pem

Remove Tomcat-trust Certificates

set cert delete tomcat <name of certificate>.pem

Remove TVS-trust Certificates

set cert delete TVS <name of certificate>.pem

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html#anc13

Aseem

(Please rate if useful)


12 Replies

Hi Aseem

Thanks for your help and letting me know.

Regards

Hello, Aseem and Cisco Community.

Could you tell me, please: maybe you have faced the situation where it is impossible to delete a cert from the Web because there is no Common Name on the certificate (unable to open or read it), so the last chance (before using root) is to delete the cert with a CLI command.

But the list of certs in the CLI has the same cert with no Common Name, and deleting is impossible as well?

This is CUCM 10.5

Hi Fedor,

In your case you have to open an SR with TAC and they will help you delete the certificate from root. Unfortunately, there is no other way to do that.

Stanislav.

Stop the 'Cisco Certificate Change Notification' service on all the CUCM servers. Then delete the tomcat certificate from each server. Afterwards, start the 'Cisco Certificate Change Notification' service on all the servers.

Thanks

Biyas

corentin masset
Level 1

Hello,

I am trying to delete a CallManager-ECDSA certificate, but I can't find the correct syntax for deleting it in the CLI.

I tried :

set cert delete CallManager-ECDSA XXXXX.pem

Thanks

Best regards

If you do a show cert list trust you should get the proper name for the pem file that you then can use to delete the certificate. Apart from that you cannot remove the certificate from anything other than the trust store as it is needed for the actual service of the system.





Hi Roger,

Thanks for your quick reply!

With your command, I found the correct name and it has been deleted. Afterwards, I rebooted the server.

But when I check in the GUI, the certificate is present. And the certificate from my web browser is the tomcat-ECDSA (I deleted the tomcat-ECDSA).

Did you follow @Biyas's advice?


@Biyas wrote:
Stop the 'Cisco Certificate Change Notification' service on all the CUCM servers. Then delete the tomcat certificate from each server. Afterwards, start the 'Cisco Certificate Change Notification' service on all the servers.

You do not need to reboot the server after making a change to Tomcat certificates. Just doing a utils service restart Cisco Tomcat from the CLI will do.

Also, again I want to make you aware that you would not remove the service certificate that is signed with elliptical curve. The command removes the certificate from the Tomcat trust store, but it is still present in the server's own certificate store as it is needed for the services to operate correctly.

Maybe if you could describe what you are trying to do we can better provide you with the help needed?





Thanks for the tips.

So how do I remove all the self-signed certificates to make sure only CA-trusted certificates are used for all communications?

I want to delete all ECDSA certificates on my CUCM, and only use certificates with RSA from my personal PKI.

You cannot remove them; the only thing that you can do is to get the certificates signed by a CA and upload them to the system.

What you can do is to set what certificates to use by setting these Enterprise Parameters.
[Image: image.png]





OK, thanks for your reply, I am implementing it.

Have a good day !
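
Added example, not part of the thread and not Cisco tooling: a script that triages certificates downloaded as PEM files by the properties discussed above (RSA or ECDSA key, self-signed or CA-issued, missing Common Name, expiry) before anything is deleted or replaced. It assumes a workstation with the `openssl` command-line tool; the file names and subjects produced by `make_samples` are constructed lab values.

```shell
#!/bin/sh
# Added example (not from the thread): triage PEM files exported from CUCM
# trust stores. Assumption: the files sit on a workstation with openssl.

# Print one summary line for a PEM certificate: key type, whether it is
# self-issued (subject == issuer), its Common Name, and whether it has expired.
triage_cert() (
    pem=$1
    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253) || exit 1
    issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253)
    cn=$(openssl x509 -in "$pem" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p' | head -n 1)
    alg=$(openssl x509 -in "$pem" -noout -text |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    case $alg in
        rsaEncryption) alg=RSA ;;
        id-ecPublicKey) alg=ECDSA ;;
    esac
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then self=yes; else self=no; fi
    if openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        expired=no
    else
        expired=yes
    fi
    printf '%s key=%s self_signed=%s cn=%s expired=%s\n' \
        "$(basename "$pem")" "$alg" "$self" "${cn:-MISSING}" "$expired"
)

# Build constructed sample certificates in directory $1 (lab values only).
make_samples() (
    cd "$1" || exit 1
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out ec.key
    # Self-signed RSA certificate with a Common Name.
    openssl req -x509 -new -key ca.key -days 30 -subj "/CN=lab-ca.example.test" -out rsa-self.pem
    # Self-signed ECDSA certificate whose subject has no Common Name.
    openssl req -x509 -new -key ec.key -days 30 -subj "/O=Example Lab" -out ecdsa-no-cn.pem
    # ECDSA certificate issued by the RSA certificate above (not self-signed).
    openssl req -new -key ec.key -subj "/CN=cucm-pub.example.test" -out ec.csr
    openssl x509 -req -in ec.csr -CA rsa-self.pem -CAkey ca.key -set_serial 1 \
        -days 30 -out ecdsa-ca-issued.pem 2>/dev/null
)

# Usage: triage every certificate file named on the command line.
for f in "$@"; do triage_cert "$f"; done
```

A line reporting `cn=MISSING` corresponds to the no-Common-Name case raised earlier in the thread, and `self_signed=yes` only means subject and issuer match; it does not verify the signature.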