Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1921
Views
0
Helpful
7
Replies

CUCM - Phone VPN SSL Certificate Renewal Process

Quintin.Mayo
Level 3
Level 3

‎06-07-2018 04:34 AM - edited ‎03-13-2019 10:15 PM

Hi,

 

We need to renewal our Phone VPN SSL certificate for our remote phones. The certificate is a Signed certificate from GoDaddy. We were sent three files two crt and one pem, I believe we replace the expiring Phone VPN certificate  with the pem file but not sure what we do with the two crt files. Can anyone explain what is needed with the two crt files? Any assistance would be greatly appreciated.

 

Thanks,

Labels:
0 Helpful
7 Replies 7

R0g22
Cisco Employee
Cisco Employee

‎06-07-2018 04:38 AM

The two cert files should be the Root CA and subordinate CA.
Open the certs and check the Issued To and Issued by fields.

1. Root CA will have both of them pointing to itself for eg godaddyCA.
2. Subordinate will have its signer as the Root CA so you would see Issued by as godaddyCA.

0 Helpful

Quintin.Mayo
Level 3
Level 3
In response to R0g22

‎06-07-2018 04:51 AM

Hi,

 

Thanks for the update. My question now is what do we do with the Root and Subordinate files on the CUCM?

 

Thanks,

0 Helpful

R0g22
Cisco Employee
Cisco Employee
In response to Quintin.Mayo

‎06-07-2018 06:09 AM

Who is the VPN headhend and/or webvpn gateway ?

0 Helpful

Quintin.Mayo
Level 3
Level 3
In response to R0g22

‎06-07-2018 07:04 AM

Hi,

 

The customer has an ASA as the headend device.

0 Helpful

R0g22
Cisco Employee
Cisco Employee
In response to Quintin.Mayo

‎06-07-2018 07:51 AM

The certificate chain/root-intermediate certs need to go into the ASA. The ASA identity cert will need to go to CUCM in the Phone-VPN-trust store. Post this go to the VPN Gateway Configuration and make sure new certificate is selected along with the old certificate.
If the ASA certificate has not expired, you can push the new hash/config file to the ALREADY registered phone(s) and they will re-authenticate with the ASA using the new hash. If the certificate expires before you go through this procedure, then the Phones will need to be moved locally to the CUCM site and the config uploaded or have the IP Phones registered over/through NAT to CUCM to update the config.

Rule of thumb - as long as the phones are registered over VPN, the new config file/hash can be pushed. Not after the certs have expired.

0 Helpful

Quintin.Mayo
Level 3
Level 3
In response to R0g22

‎06-07-2018 08:02 AM

Great information! I have one more question, how do we push the new config file/hash to the phones?

0 Helpful

R0g22
Cisco Employee
Cisco Employee
In response to Quintin.Mayo

‎06-07-2018 08:08 AM

You reset the phones like we do normally post saving all the necessary changes which in this case would be the VPN gateway config on CUCM.

0 Helpful
Customers Also Viewed These Support Documents