CTS - CTMS DTLS

Our CUCM CAPF, PEM certificates are expiring very soon; we are planning to renew them in CUCM…

We have many CTMS servers on which we may need to renew these certs as well, although operationally it is a nightmare (re-create certs, change meeting security, re-upload certs, etc.).

We gathered a packet capture and saw that CTMS presents the certificate it gets from CUCM CAPF. This certificate contains the validity field. Does anyone know if CTS will check this validity value when negotiating DTLS?

If so, if the certificate from CTMS is expired, can we still negotiate DTLS?

As a test, we changed the dates for CTS and CTMS and everything went fine (a secure call was established), but we want to double check it. (We opened a TAC case, but no progress.)

Thanks

2 Replies

sagsheth
Cisco Employee

Hi Gonzalo,

How did you verify that the call is DTLS after changing the validity in the cert?

Regards,

Sagar

Tyler Wilkin
Cisco Employee

Hi Gonzalo,

We have a doc on this here: http://www.cisco.com/en/US/docs/telepresence/security_solutions/1_8/ctss_ctms.html#wp1085875

I see that both escalation and the BU have reviewed your TAC case, and the consensus at the end of the case is that there is no shortcut around the certificate expiration. I don't think you can just replace the root CAPF cert, for two reasons. One, the new LSC should be signed using the updated CAPF cert, and two, to replace a cert on CTMS you need to delete every cert.

I'm not 100% sure if just changing the time on CTMS and CTM fully recreates the situation that would occur if the certificates expire; however, even if you found a secure call was working, if it does break after the certificate expires, the certs will be the first thing our support teams point to.

Tyler Wilkin

TAC TelePresence