12-23-2016 08:41 AM - edited 03-17-2019 09:02 AM
Hi everyone,
I am planning to replace all certificates on UC servers that are signed with SHA-1 with certificates from our internal CA. I want to make sure I don't run into any issues with our ITL files for the phones such that I have to delete the ITL files when I do it. My understanding is that if I don't change the IP address / DNS entry for the servers I should be OK. In other words, if I just go into the OS Admin and generate a new CSR and have my internal CA issue a new cert and then add my CA cert to the servers for all the services using the "-trust" I should be OK.
Is there a certain order to do things? I just don't want to brick the phones. None of our clusters are using secure mode at this point. I also know about the "Prepare for rollback to pre-8.0" which will just blank the ITL in the phones, but I would imagine this is only necessary if you're going to be changing the hostname or IP address.
Lastly, when doing upgrades, again, if I don't change the IP/hostname, there should be no issues with certificates/ITL on the phones, correct?
Thanks,
Sal Collora
12-23-2016 09:49 AM
The answer is yes, and no. Changing the IP has never had anything to do with certs, unless your certs are signed to use the IP as the CN, which is not that common. If you change the hostname/domain (and use that as CN), that does change the certs.
Even if you're not changing anything on the servers, changing the certificates, DOES affect ITL, as it would if you re-generate them.
You don't say which certs you're going to change, but you might want to read this
http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/116232-technote-sbd-00.html#anc13
And to the last question, yes, unless you change a setting that does affect the info from the certs, an upgrade will have no bearing on the ITL.
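Since the points above turn on what each certificate actually asserts (its signature algorithm, and whether its CN or SAN carries the hostname or an IP address), an inventory of that before any regeneration is worth having. The following is an added example, not from this thread or from Cisco: it parses the text that `openssl x509 -noout -text` prints for a certificate, flags SHA-1 signatures, and reports whether the identity is tied to an IP address or to the expected FQDN. The service names, hostnames and IP addresses in the sample are constructed placeholders.

```python
"""Inventory certificate identities before a regeneration (added example).

Input is the text form of a certificate as printed by
`openssl x509 -in cert.pem -noout -text`. The samples below are constructed
and abbreviated; hostnames and addresses are placeholders.
"""
import ipaddress
import re

# Signature algorithm names as openssl prints them that indicate a SHA-1 signature.
SHA1_SIG_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}

# Constructed sample output for three services on a hypothetical publisher.
SAMPLE_OUTPUT = {
    "tomcat": """Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=cucm-pub.example.internal
        Subject: CN=cucm-pub.example.internal, OU=UC, O=Example
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:cucm-pub.example.internal, DNS:cucm-pub
    Signature Algorithm: sha1WithRSAEncryption
""",
    "CallManager": """Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Example Internal CA
        Subject: CN = cucm-pub.example.internal, OU = UC, O = Example
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:cucm-pub.example.internal, IP Address:10.0.0.5
    Signature Algorithm: sha256WithRSAEncryption
""",
    "CAPF": """Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=10.0.0.5
        Subject: CN=10.0.0.5, OU=UC, O=Example
    Signature Algorithm: sha1WithRSAEncryption
""",
}


def _is_ip(value):
    """True when the string is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def inspect_cert(text):
    """Extract signature algorithm, subject CN and SAN entries from openssl text output."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)  # first hit is the TBS algorithm
    sig_alg = sig.group(1) if sig else "unknown"
    subj = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,\n]+)", text, re.M)
    cn = subj.group(1).strip() if subj else ""
    san_dns, san_ip = [], []
    san = re.search(r"Subject Alternative Name:[^\n]*\n\s*(.+)", text)
    if san:
        for entry in san.group(1).split(","):
            kind, _, value = entry.strip().partition(":")
            if kind == "DNS":
                san_dns.append(value.strip())
            elif kind == "IP Address":
                san_ip.append(value.strip())
    return {
        "sig_alg": sig_alg,
        "sha1": sig_alg in SHA1_SIG_ALGS,
        "cn": cn,
        "cn_is_ip": _is_ip(cn),
        "san_dns": san_dns,
        "san_ip": san_ip,
    }


def services_needing_regeneration(certs):
    """Names of services whose certificate carries a SHA-1 signature, sorted."""
    return sorted(name for name, text in certs.items() if inspect_cert(text)["sha1"])


def review_for_renewal(certs, expected_fqdn):
    """Per-service findings to read before regenerating: SHA-1 signatures,
    identities tied to an IP address (an IP change would invalidate those),
    and identities that do not carry the expected FQDN at all."""
    findings = []
    for service, text in certs.items():
        info = inspect_cert(text)
        if info["sha1"]:
            findings.append((service, "sha1"))
        if info["cn_is_ip"] or info["san_ip"]:
            findings.append((service, "identity-contains-ip"))
        if expected_fqdn not in {info["cn"], *info["san_dns"]}:
            findings.append((service, "fqdn-missing"))
    return findings


if __name__ == "__main__":
    for service, finding in review_for_renewal(SAMPLE_OUTPUT, "cucm-pub.example.internal"):
        print(f"{service:12s} {finding}")
```

To run it against a real cluster, download each service certificate from OS Administration, convert it with `openssl x509 -in cert.pem -noout -text`, and replace the constructed `SAMPLE_OUTPUT` entries with that text; the review then shows which certificates are SHA-1 signed and which ones would also be affected by a hostname or IP change.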
12-23-2016 10:05 AM
Thanks Jaime. That's good to know.
12-23-2016 09:51 AM
Hi Sal -
Certs are definitely something to be careful with, and the order in which you make changes is important so that, like you say, the phones continue to work and pull new ITL files at each step.
Here is a link to a guide that should help you with this.
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html
Something else you might consider if you have a support contract with Cisco. We had a big mess with the certificates on a CUCM cluster for a hospital we acquired. We had to regenerate / renew many certs on each node (but not the same certs on all nodes - ugg!). We put our plan together and then opened a TAC case with Cisco. The Engineer reviewed the plan and provided some valuable input and changed a couple of things. We used the cluster rollback process for that because we had so many certs to update which worked well.
Regards,
Les
12-23-2016 10:04 AM
Thanks Les,
So would you say the absolute safest route is to do the following:
That seems like the safest route given the doc you sent. Also, we are completely non-secure mode and there are no phone proxies or VPN or anything like that.
Sal