10-25-2018 04:56 AM
Hello,
My call manager certificate expires soon, it is signed by CA.
On this cluster I only have telepresence endpoints registered: C40,C60,MX300,MX700,MX800,SX10,SX20,SX80.
They are using secure profile with encrypted tftp.
Action plan so far is to -
1 - Upload newly signed call manager Cert
2 - Restart Call Manager Service / TFTP
3 - Update CTL via cli
4 - Restart Call Manager Service / TFTP
Where I am lost is how are my telepresence endpoints going to re-register to CUCM?
Will I have to manually delete CTL/ITL on the endpoints or will they use TVS?
This doc mentions that TVS is not supported on Telepresence endpoints :
Any help would be much appreciated :)
10-25-2018 05:38 AM
Hello Mathew,
Unfortunately it's true that TP systems still don't support TVS to check certificate validity if the certificate signing the CTL is unknown.
So if you renew the CallManager Certificate that normally signs the CTL, the TP systems (btw Jabber behaves the same way) won't accept the new CTL because the new certificate is not trusted.
But with changing to tokenless CTL there was also the ITLRECOVERY certificate added to the CTL.
So directly after the CTL update on CLI (utils ctl update CTLFile) have the new CTL signed by the ITLRECOVERY certificate with "utils ctl reset localkey".
Now the CTL containing the new certificates is signed by a certificate which is trusted and you should be fine.
Cheers,
Gunnar
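Added example, not part of the post above and not Cisco code: a small Python model of the trust decision described in the answer, for an endpoint without TVS. The certificate labels (CCM-old, CCM-new, ITLRECOVERY-new) and all class and function names are constructed for illustration, and real endpoints verify X.509 signatures rather than compare labels; the last case goes beyond the thread to show what the same rule implies when no known certificate can sign.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CTL:
    signer: str          # label of the certificate that signed the file
    entries: frozenset   # labels of the certificates listed inside it


class Endpoint:
    """Endpoint without TVS: it can only trust what its installed CTL lists."""

    def __init__(self, installed: CTL):
        self.ctl = installed

    def offer(self, candidate: CTL) -> str:
        # The new file is installed only if its signer is already trusted.
        if candidate.signer in self.ctl.entries:
            self.ctl = candidate
            return "accepted"
        return f"rejected: signer {candidate.signer} not in installed CTL"

    def trusts(self, cert: str) -> bool:
        return cert in self.ctl.entries


# Constructed labels: CTL deployed before the renewal, and the new entry set.
OLD = CTL("CCM-old", frozenset({"CCM-old", "ITLRECOVERY"}))
NEW_ENTRIES = frozenset({"CCM-new", "ITLRECOVERY"})


def simulate(signers):
    """Offer one new CTL per signer, in order, to a single endpoint."""
    ep = Endpoint(OLD)
    results = [ep.offer(CTL(s, NEW_ENTRIES)) for s in signers]
    return results, ep.trusts("CCM-new")


if __name__ == "__main__":
    # Renewed CallManager certificate signs the CTL itself: endpoint refuses it.
    print(simulate(["CCM-new"]))
    # CTL re-signed by ITLRECOVERY first: accepted, later files chain normally.
    print(simulate(["ITLRECOVERY", "CCM-new"]))
    # Both certificates replaced at once: nothing the endpoint knows can sign.
    print(simulate(["CCM-new", "ITLRECOVERY-new"]))
```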
10-25-2018 06:09 AM
Thanks Gunnar,
I'll give it a try:
1 - Upload newly signed call manager Cert
2 - Update CTL : utils ctl update CTLFile
3 - Sign CTL with ITL Recovery : utils ctl reset localkey
4 - Restart Call Manager Service / TFTP / CTI Manager
Rgds,
Mathew
11-09-2018 02:25 AM
Hi Gunnar,
I confirm your solution worked, thanks man :)