Trust certificates regeneration

drbabbers
Level 3

All,

As part of regenerating self-signed certificates that are shortly due to expire, I have to delete the '*-trust' certificates.

From Cisco docs:

Remove and Regenerate Certificates in CUCM

Only service certificates (certificate stores that are not labelled with "-trust") can be regenerated. Certificates in the trust stores (certificate stores that are labeled with "-trust") need to be deleted, as they cannot be regenerated.

My question is: if I delete, for example, the expiring self-signed CallManager-trust certificates, do they magically reappear or do they require manual generation?

Thanks

D

13 Replies

Rajan
VIP Alumni

Hi D,

As mentioned in the link below, you only need to regenerate the expired certs and delete the old trust certificates, because:

"Regenerate CallManager

Upon regeneration, the CallManager automatically uploads itself to CallManager-trust.

set cert regen CallManager

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html

HTH

Rajan

Pls rate all useful posts

Rajan,

Thank you for your response. If I am understanding this correctly:

  • Delete the self signed CallManager-trust (root) certificate
  • Regenerate the self-signed CallManager certificate

But my question still remains... When this is performed and I regenerate the self-signed CallManager certificate, will it automatically generate a new self-signed CallManager-trust certificate? How can it upload to the CallManager-trust if it doesn't exist?

Thanks

D

You need to regenerate the cucm cert first. When you do this you will be able to see a new cucm trust cert generated and available in the list which you could verify with the expiry date. Then you can delete the old trust cert.

HTH

Rajan

Thanks Rajan. I tested this in a lab and all went to plan.

Thanks

D

Hi Rajan,

I have the same issue, because I have some trust certificates and self-signed certificates that are going to expire. Also, my cluster is a little bit more complicated to manage because the cluster is in mixed mode.

My question is: should I first move the cluster to non-secure mode before regenerating the certificates, or can I keep the cluster in mixed mode to regenerate the certificates?

Regards,

Marc

Hi Marc,

What is the version of your CUCM cluster? Of late there have been a lot of good changes made in the later versions with respect to certificates.

If it is one of the older versions, you need the eToken which was used initially to rerun the CTL after cert regeneration.

Thanks

Rajan

Hi Rajan, it's CUCM version 8.6.

Regards,

Marc


Hi Marc,

In that case, you need to regenerate all the required certs, then run the CTL client to update the CTL file and restart the required services in order for the phones to get the updated CTL file.

The "Updating the CTL File" section of the document below describes this:

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/8_6_1/secugd/sec-861-cm/secuauth.html#wp1029141

HTH

Rajan

Thanks Rajan, let me write you a little bit more because you are helping me a lot:

In the 8.6 cluster I have 1 Pub server, 2 TFTP and 2 Subscribers.

The self-signed certificates I have to regenerate are:

- CallManager

- CAPF

- Ipsec

- TVS

- Tomcat: only the Tomcat certificate from the publisher server is signed by a CA from the customer.

Apart from the self-signed certificates I have some trust certificates (CallManager-trust, tomcat-trust) that, correct me if I am wrong, I have to delete after the new trust certificates are generated, once the regeneration of the self-signed certificates is done.

So, what I have to do is:

1. Regenerate the following certificates: CallManager, TVS, IPSEC, CAPF, Tomcat.

2. Run the CTL client with the USB token connected to the computer and to the CUCM to update the CTL file.

3. Restart the required services for every certificate so the phones get the updated CTL file.

Is the process correct?

Regards,

Marc

Hi Marc,

We are about to regenerate the expired certificates for our CUCM 8.6 cluster.

We have 1 PUB 4 Subs and 2 TFTPs.

We have a mixed mode cluster as well (CTL files using eTokens).

Can you guide me please through the right procedure to do it?

Thank you very much in advance.

Hello Rajan,

I have a similar question to the ones posted here. I had a number of certificates expire (CallManager, TVS, IPSEC, CAPF, and Tomcat). I have regenerated the self-signed certificates and restarted what I think are all the correct services, but some of the CallManager-trust and CAPF-trust certificates did not automatically regenerate. My question is: did I miss a step?

I regenerated the certs then restarted the CallManager, TFTP, Tomcat, and the Trust Verification Service.

Everything seems to be working fine but I still show some trust certs not regenerated. Also, RTMT is alerting on expired certs.

I am running version 11.5.

Hi Peter,

Do you see multiple trust certificates available? If yes, then check the expiry date of those certs. For example, if you see a valid CUCM certificate with a future expiry date and another one which is expired, then you can safely delete the expired trust certificate.

HTH

Rajan

On some of the trust certs I only see the expired cert listed, with no duplicate with a current expiration date. For example, I have regenerated the CallManager cert on my publisher so it now has an expiration date of 8/6/2022, but I see "CallManager-trust CAPF-9d5b81a9" with an expiration date of 8/6/2017. There are no other certs listed with that common name.
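The check Rajan describes in his accepted reply and again above (regenerate the service certificate first, confirm that a newer copy with a later expiry date shows up in the matching trust store, and only then delete the expired one), together with Peter's case of a trust entry that expired with no newer copy, can be turned into a scripted triage run over an exported certificate inventory. The following is an added example, not code from this thread or from Cisco; it assumes the inventory has already been exported into a simple pipe-separated record format (constructed here, not CUCM's own CLI output), and all store names, labels, common names and dates in the sample are constructed to mirror the situation discussed above.

```python
"""Trust-store expiry triage for a CUCM-style certificate inventory.

Added example, not from the thread or from Cisco. Input format is an
assumption: one record per line, "store|label|common_name|YYYY-MM-DD".
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CertRecord:
    store: str        # e.g. "CallManager" (service) or "CallManager-trust" (trust store)
    label: str        # file name as listed in that store
    common_name: str  # subject CN
    not_after: date   # expiry date


# Constructed inventory: publisher CallManager already regenerated (2022), the
# old trust copy still present (2017), and a CAPF trust entry with no replacement.
SAMPLE_INVENTORY = """\
CallManager|CallManager.pem|cucm-pub.example.local|2022-08-06
CallManager-trust|CallManager-5b1c0f2e.pem|cucm-pub.example.local|2022-08-06
CallManager-trust|CallManager-a1e2d3c4.pem|cucm-pub.example.local|2017-08-06
CallManager-trust|CAPF-9d5b81a9.pem|CAPF-9d5b81a9|2017-08-06
tomcat-trust|tomcat-7f8e9d0c.pem|cucm-pub.example.local|2019-03-01
"""


def parse_inventory(text: str) -> list[CertRecord]:
    """Parse the constructed record format; blank lines and '#' comments are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        store, label, cn, expiry = (field.strip() for field in line.split("|"))
        records.append(CertRecord(store, label, cn, date.fromisoformat(expiry)))
    return records


def triage(records: list[CertRecord], today: date, warn_days: int = 60) -> dict[str, str]:
    """Return a verdict per label.

    Service stores: flag expired or soon-expiring certs for regeneration.
    Trust stores: an expired entry may be deleted only if a still-valid entry
    with the same CN exists in the same store (the copy that regeneration
    uploads); otherwise it needs the owning cert regenerated or re-imported first.
    """
    by_store_cn: dict[tuple[str, str], list[CertRecord]] = {}
    for r in records:
        by_store_cn.setdefault((r.store, r.common_name), []).append(r)

    verdicts: dict[str, str] = {}
    for r in records:
        days_left = (r.not_after - today).days
        if not r.store.endswith("-trust"):
            if days_left < 0:
                verdicts[r.label] = f"EXPIRED: regenerate the {r.store} service certificate"
            elif days_left <= warn_days:
                verdicts[r.label] = (f"EXPIRING in {days_left} days: "
                                     f"regenerate the {r.store} service certificate")
            else:
                verdicts[r.label] = "OK"
            continue

        # Candidate replacements: same store, same CN, different file, still valid today.
        replacements = [o for o in by_store_cn[(r.store, r.common_name)]
                        if o.label != r.label and (o.not_after - today).days > 0]
        if days_left < 0:
            if replacements:
                newest = max(replacements, key=lambda o: o.not_after)
                verdicts[r.label] = f"DELETE: superseded by {newest.label} (expires {newest.not_after})"
            else:
                verdicts[r.label] = ("EXPIRED, NO REPLACEMENT: regenerate or re-import the "
                                     "certificate this trust entry came from before deleting it")
        elif days_left <= warn_days and not replacements:
            verdicts[r.label] = f"EXPIRING in {days_left} days with no newer copy in {r.store}"
        else:
            verdicts[r.label] = "OK"
    return verdicts


if __name__ == "__main__":
    # Date chosen to sit shortly after the constructed 2017 expiries.
    for label, verdict in triage(parse_inventory(SAMPLE_INVENTORY), today=date(2017, 9, 1)).items():
        print(f"{label:32} {verdict}")
```

Run it against a real export by replacing `SAMPLE_INVENTORY` with your own records; the `today` argument is explicit so the same inventory can be re-checked against a future date (for example the day before a planned maintenance window) to see what will trip RTMT's expiry alerts next.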