Showing results for 
Search instead for 
Did you mean: 

Upgrade CUCM phone security issue


I have a call manager 6.1 and i will upgrade it to 8.5.

the issue is that i have a ctl installed in my version 6 and secured ip phone and i want to work with the same CTL in version 8 without upgrading it.
i don't want to have go through each phone and upgrade the CTL.
can upgrade my CUCM to 8 without modifying the CTL and what's the procedure.



can upgrade my CUCM to 8 without modifying the CTL and what's the procedure.

As long as you do not renew or regenerate any of the certificates included in the CTL (CUCM, TFTP, CAPF, etc) you can upgrade the cluster without rebuilding the CTL. Also, as long as a new version of the CTL is signed by at least one of the tokens that was included in the version already downloaded, the phone will automatically download a newer CTL version.

The CTL Client on your workstation would have to be upgraded the next time you need to modify the CTL though.

Lastly, be sure that you understand the new TVS and ITL mechanisms in CUCM 8.0+. Both of them interact with CTL if you have a mixed mode cluster.


Hi jonathan

when I upgrade the cluster, and i take a phone directly from version six to my new version 8 it doesn't want to register and is rejected (security issue) ,  when I remove the security profile from the phone then the phone moved from the version 6 to version 8 works.

the issue is that I have 4000 ip phone to  move from the version 6 to version 8 and need the security to be set.



Moving a phone from one cluster to another, as opposed to upgrading the same 6.x cluster to 8.0 is an entirely different matter.

If you are changing clusters and both are in mixed mode than the new CTL must be signed by one of the tokens that was included in the 6.x CTL; otherwise, the phone will not accept the new CTL nor the ITL and by extension it's TFTP config file.


Hi jonathan,

In fact i am moving from physical to virtual,

Please tell me what's the procedure to do the upgrade without the need to go through  all the phone.

should i sign the CTL before the DRS procedure in the version 6 or After?

If i sign the CTL and upload it to new CUCM 8, all the phone will automaticaly get new ctl? or there is a conflict between the old CTL and the new one?

if I have a DNS in my version 6 installation is there any issue for security  if I install version 8 without DNS?

Thank you for your help


If you're migrating to UCS the way this should go is:

  • Upgrade the MCS servers to 8.0(2) or newer so that it supports UCS.
  • Install the exact same upgraded version on UCS.
  • Perform a DRS backup of the MCS cluster and restore it to the UCS install one node at a time.
  • Upgrade the UCS cluster to 8.6 or beyond (which MCS likely didn't support).

If you do a DRS backup and restore the certificates and the CTL file should come forward with it. I'm confused why you're talking about building a new 8.x cluster and moving toward it.

If you're deadset on doing a new cluster then you would want to reuse the same security tokens to sign your 8.x CTL file. Since those tokens are already trusted in the 6.x CTL the phone will accept the new CTL.


Hi jonathan,

Yes, I am using DRS from my 6 version to my version 8.

If I understand well, I have just to sign my version 6 CTL with version 8 call manager and phone can register with the version 8?


Hi Jonathan,

1stly Excellent post thanks for sharing !

quick questions  regarding the upgrade and  security

We are migrating a cluster from 7.1 MCS appliance to 8.6 on UCS,

The upgrade process we are using is as follows.

1. Upgrade exsiting 7.1.5 to 8.0.3 - Take DRS backup

2. Build 8.0.3 on new UCS using the DRS backup above

3. Upgrade this now to 8.6

Jonathan you mention  --> If you do a DRS backup and restore the certificates and the CTL file should come forward with it.

Is  there any chance the CTL file wont come across to 8.0.3 / then 8.6 after upgrdae on UCS or any platform?

And if for instance  the CTL   file didnt come across with upgrade  what is the process to rectify?

Would we reuse the  same security tokens from 7.1.5  to sign a new 8.x CTL file on the 8.6 box?

Also are there any gotchas we need to be aware i.e. dependancies that will effect the CTL for example

Changing hostname once we upgrade to 8.6 on UCS

Changing IP address once we upgrade to 8.6 on UCS

Changing DNS

Mac address changing


thank you kindly