06-05-2013 01:32 PM - edited 03-18-2019 01:14 AM
Our CUCM CAPF, PEM certificates are expiring very soon; we are planning to renew them in CUCM…
We have many CTMS servers on which we may need to renew these certs as well, although operationally it is a nightmare (re-create certs, change meeting security, re-upload certs, etc.).
We gathered a packet capture and saw that CTMS presents the certificate it gets from CUCM CAPF; this certificate contains the validity field. Does someone know if CTS will check this validity value when negotiating DTLS?
If so, if the certificate from CTMS is expired, can we still negotiate DTLS?
As a test, we changed the dates on CTS and CTMS and everything went fine (a secure call was established), but we want to double check it. (We opened a TAC case, but no progress.)
Thanks
06-07-2013 02:38 AM
Hi Gonzalo,
How did you verify that the call is DTLS after changing the validity in the cert?
Regards,
Sagar
06-07-2013 10:17 AM
Hi Gonzalo,
We have a doc on this here: http://www.cisco.com/en/US/docs/telepresence/security_solutions/1_8/ctss_ctms.html#wp1085875
Both escalation and the BU have reviewed your TAC case, I see, and the consensus at the end of the case is that there is no shortcut around the certificate expiration. I don't think you can just replace the root CAPF cert for two reasons. One, the new LSC should be signed using the updated CAPF cert and two, to replace a cert on CTMS you need to delete every cert.
I'm not 100% sure if just changing the time on CTMS and CTM fully recreates the situation that would occur if the certificates expire, however even if you found a secure call was working, if it does break after the certificate expires, the certs will be the first thing our support teams point to.
Tyler Wilkin
TAC TelePresence
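The point both posts circle around is that a validating DTLS peer compares the handshake time against the validity window of every certificate in the chain, so the CAPF issuer cert expiring matters even while the CTMS LSC still has time left. The following is an added example (not code from the thread or from Cisco) that evaluates a chain of certificates in the dictionary shape `ssl.SSLSocket.getpeercert()` returns; the certificates, names and dates are constructed and hypothetical.

```python
import ssl

# Constructed sample chain in getpeercert() dict form: a CTMS LSC (leaf)
# signed by a CAPF cert (issuer). Names and dates are hypothetical.
CHAIN = [
    {"subject": ((("commonName", "CTMS-LSC-example"),),),
     "issuer": ((("commonName", "CAPF-example"),),),
     "notBefore": "Jun 15 00:00:00 2012 GMT",
     "notAfter": "Jun 15 00:00:00 2014 GMT"},
    {"subject": ((("commonName", "CAPF-example"),),),
     "issuer": ((("commonName", "CAPF-example"),),),
     "notBefore": "Jun 10 00:00:00 2008 GMT",
     "notAfter": "Jun 10 00:00:00 2013 GMT"},
]


def common_name(cert):
    """Flatten the RDN tuples getpeercert() uses and pull out commonName."""
    return dict(pair for rdn in cert["subject"] for pair in rdn)["commonName"]


def cert_window(cert):
    """(notBefore, notAfter) as Unix timestamps, parsed by the stdlib."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]),
            ssl.cert_time_to_seconds(cert["notAfter"]))


def check_chain(chain, at):
    """What a validating peer does at handshake time `at` (Unix seconds):
    every certificate in the chain must cover `at`. Returns (ok, report)
    where report is a list of (commonName, status)."""
    report, ok = [], True
    for cert in chain:
        not_before, not_after = cert_window(cert)
        if at < not_before:
            status = "not yet valid"
        elif at > not_after:
            status = "expired"
        else:
            status = "valid"
        ok = ok and status == "valid"
        report.append((common_name(cert), status))
    return ok, report


def first_expiry(chain):
    """The certificate whose notAfter comes first: the chain stops validating
    at that moment even if the leaf cert itself has time left."""
    return min(chain, key=lambda cert: cert_window(cert)[1])
```

Shifting a system clock, as tried in the thread, only moves `at`; it tells you nothing about whether the far end actually evaluates the window at all.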