02-15-2017 02:27 AM - edited 03-17-2019 09:32 AM
All,
As part of regenerating self-signed certificates that are shortly due to expire, I have to delete the '*-trust' certificates.
From Cisco docs:
Only service certificates (certificate stores that are not labelled with "-trust") can be regenerated. Certificates in the trust stores (certificate stores that are labeled with "-trust") need to be deleted, as they cannot be regenerated.
My question is.... if I delete, for example, CallManager-trust expiring self-signed certificates, do they magically reappear or do they require manual generation?
Thanks
D
02-15-2017 06:09 AM
Hi D,
As mentioned in the below link, you only need to regenerate the expired certs and delete the old trust certificates because
"Regenerate CallManager
Upon regeneration, the CallManager automatically uploads itself to CallManager-trust.
set cert regen CallManager"
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html
HTH
Rajan
Pls rate all useful posts
02-15-2017 06:36 AM
Rajan,
Thank you for your response. If I am understanding this correctly:
But my question still remains... When this is performed and I regenerate the self-signed CallManager certificate, will it automatically generate a new self-signed CallManager-trust certificate? How can it upload to the CallManager-trust if it doesn't exist?
Thanks
D
02-15-2017 10:09 AM
You need to regenerate the cucm cert first. When you do this you will be able to see a new cucm trust cert generated and available in the list which you could verify with the expiry date. Then you can delete the old trust cert.
HTH
Rajan
02-16-2017 01:37 AM
Thanks Rajan. I tested this in a lab and all went to plan.
Thanks
D
05-23-2017 01:13 AM
Hi Rajan, I have the same issue because I have some trust certificates and self-signed certificates that are going to expire. Also, I have a cluster that is a little bit more complicated to manage because the cluster is in mixed mode.
My question is: should I first move the cluster to non-secure mode before the regeneration of the certificates, or can I keep the cluster in mixed mode to regenerate the certificates?
Regards.
Marc
05-23-2017 01:40 AM
Hi Marc,
What is the version of your CUCM cluster? Of late there have been a lot of good changes made in the later versions with respect to certificates.
If it is one of the older versions, you need the eToken which was used initially, to re-run the CTL client after cert regeneration.
Thanks
Rajan
05-23-2017 01:44 AM
Hi Rajan, it's CUCM version 8.6.
Regards,
Marc
05-23-2017 01:56 AM
Hi Marc,
In that case, you need to regenerate all the required certs, then run the CTL client to update the CTL file and restart the required services in order for the phones to get the updated CTL file.
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/8_6_1/secugd/sec-861-cm/secuauth.html#wp1029141
HTH
Rajan
05-23-2017 03:28 AM
Thanks Rajan, let me write you a little bit more because you are helping me a lot:
In the 8.6 cluster I have 1 Pub server, 2 TFTP and 2 Subscribers.
The self-signed certificates I have to regenerate are:
- CallManager
- CAPF
- Ipsec
- TVS
- Tomcat: only the Tomcat certificate of the publisher server is signed by a CA from the customer.
Apart from the self-signed certificates I have some trust certificates, CallManager-trust, tomcat-trust, that, correct me if I am wrong, I have to delete after the new trust certificates are generated, once the regeneration process of the self-signed certificates is done.
So, what I have to do is:
1. Regenerate the following certificates: CallManager, TVS, IPSEC, CAPF, Tomcat.
2. Run the CTL client with the USB token connected to the computer and to the CUCM to update the CTL file.
3. Restart the required services for every certificate so that the phones get the updated CTL file.
Is the process correct?
Regards,
Marc
09-29-2017 07:01 PM
Hi Marc,
We are about to regenerate the expired certificates for our CUCM 8.6 cluster.
We have 1 PUB 4 Subs and 2 TFTPs.
We have a mixed mode cluster as well (CTL files using etokens)
Can you guide me please through the right procedure to do it?
Thank you very much in advance
08-15-2017 08:16 AM
Hello Rajan,
I have a similar question to the ones posted here. I had a number of certificates expire (CallManager, TVS, IPSEC, CAPF, and Tomcat). I have regenerated the self-signed certificates and restarted what I think are all the correct services but some of the CallManager-trust and CAPF-trust certificates did not automatically regenerate. My question is did I miss a step?
I regenerated the certs then restarted the CallManager, TFTP, Tomcat, and the Trust Verification Service.
Everything seems to be working fine but I still show some trust certs not regenerated. Also, RTMT is alerting on expired certs.
I am running version 11.5
08-15-2017 08:23 AM
Hi Peter,
Do you see multiple trust certificates available? If yes, then check the expiry date of those certs. For example, if you see a valid CUCM certificate with a future expiry date and another one which is expired, then you could safely delete the expired trust certificate.
HTH
Rajan
08-15-2017 08:36 AM
On some of the trust certs I only see the expired cert listed, no duplicate with a current expiration date. For example, I have regenerated the CallManager cert on my publisher so it now has an expiration date of 8/6/2022, but I see "CallManager-trust CAPF-9d5b81a9" with an expiration date of 8/6/2017. There are no other certs listed with that common name.
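The check Rajan describes above (look for a second copy of the same trust cert with a future expiry before deleting the expired one) and the case Peter hits (an expired trust cert with no replacement at all) can be automated once the trust-store PEM files have been downloaded from OS Administration. The script below is an added example, not code from the thread or from Cisco: it parses the lines printed by `openssl x509 -in <file>.pem -noout -subject -enddate` for each downloaded file, groups certificates by store and subject CN, and reports which expired entries are safe to delete and which have no valid replacement yet. The store names, subject values, dates and the 30-day warning window are constructed sample data for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Subject lines as printed by `openssl x509 -noout -subject`:
# OpenSSL 1.1+ prints "subject=CN = x, O = y", older builds "subject= /CN=x/O=y".
# This regex picks the CN out of either form.
_CN_RE = re.compile(r"CN\s*=\s*([^,/]+)")


@dataclass(frozen=True)
class TrustCert:
    store: str          # CUCM trust store the file was downloaded from, e.g. "CallManager-trust"
    cn: str             # subject CN, e.g. "CUCM-PUB" or "CAPF-9d5b81a9"
    not_after: datetime  # timezone-aware expiry


def parse_openssl_summary(store: str, text: str) -> TrustCert:
    """Build a TrustCert from the two lines `openssl x509 -noout -subject -enddate` prints."""
    cn = not_after = None
    for line in text.splitlines():
        if line.startswith("subject="):
            m = _CN_RE.search(line)
            if m:
                cn = m.group(1).strip()
        elif line.startswith("notAfter="):
            raw = re.sub(r"\s*GMT$", "", line.split("=", 1)[1].strip())
            # openssl prints e.g. "Aug  6 13:05:21 2017 GMT"; strptime tolerates the double space.
            not_after = datetime.strptime(raw, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    if cn is None or not_after is None:
        raise ValueError(f"could not parse subject/notAfter for {store}: {text!r}")
    return TrustCert(store, cn, not_after)


def audit_trust_stores(certs, now: datetime, warn_days: int = 30) -> dict:
    """Map each cert to an action.

    Certs are grouped by (store, CN). An expired cert is 'delete' only when a sibling with the
    same store and CN is valid beyond the warning window (the regenerated copy CUCM uploads);
    otherwise it is 'regenerate-source-first', i.e. the service cert that produced it has not
    been regenerated on its node yet. Valid certs inside the window are 'expiring-soon'.
    """
    horizon = now + timedelta(days=warn_days)
    groups = {}
    for c in certs:
        groups.setdefault((c.store, c.cn), []).append(c)

    actions = {}
    for group in groups.values():
        has_replacement = any(c.not_after > horizon for c in group)
        for c in group:
            if c.not_after <= now:
                actions[c] = "delete" if has_replacement else "regenerate-source-first"
            elif c.not_after <= horizon:
                actions[c] = "expiring-soon"
            else:
                actions[c] = "ok"
    return actions


# Constructed sample: what the openssl one-liner would print for four downloaded trust files.
# (Names and dates are invented to mirror the situation in the thread; not real cluster data.)
SAMPLE_OUTPUT = [
    ("CallManager-trust", "subject=CN = CUCM-PUB, OU = Lab, O = Example, C = US\n"
                          "notAfter=Aug  6 13:05:21 2017 GMT\n"),
    ("CallManager-trust", "subject=CN = CUCM-PUB, OU = Lab, O = Example, C = US\n"
                          "notAfter=Aug  6 13:05:21 2022 GMT\n"),
    ("CallManager-trust", "subject=CN = CAPF-9d5b81a9, OU = Lab, O = Example, C = US\n"
                          "notAfter=Aug  6 13:07:02 2017 GMT\n"),
    ("tomcat-trust",      "subject= /CN=CUCM-SUB1/OU=Lab/O=Example/C=US\n"
                          "notAfter=Sep  1 09:00:00 2017 GMT\n"),
]
AS_OF = datetime(2017, 8, 15, tzinfo=timezone.utc)  # date of the post above, for the sample


def run_sample() -> dict:
    """Audit the constructed sample; keys are (store, CN, expiry year) for readability."""
    certs = [parse_openssl_summary(store, text) for store, text in SAMPLE_OUTPUT]
    actions = audit_trust_stores(certs, AS_OF)
    return {(c.store, c.cn, c.not_after.year): action for c, action in actions.items()}


if __name__ == "__main__":
    for (store, cn, year), action in sorted(run_sample().items()):
        print(f"{store:18} {cn:16} expires {year}: {action}")
```

On a real cluster, run the openssl one-liner against each file exported from the trust stores, feed its output to `parse_openssl_summary` with the store name, and treat a 'regenerate-source-first' result the way the thread does: regenerate the corresponding service certificate (here CAPF) on the node that owns it, confirm the fresh copy shows up in the trust store with the new expiry, and only then delete the expired entry.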