1161 Views | 0 Helpful | 4 Replies

CUCM 10.5 Mixed Mode - Renew Call Manager Cert + Telepresence Endpoints

mathew.lear
Level 1

Hello,

 

My call manager certificate expires soon; it is signed by a CA.

On this cluster I only have telepresence endpoints registered: C40,C60,MX300,MX700,MX800,SX10,SX20,SX80.

They are using secure profile with encrypted tftp.

 

Action plan so far is to - 

 

1 - Upload newly signed call manager Cert

2 - Restart Call Manager Service / TFTP

3 - Update CTL via cli

4 - Restart Call Manager Service / TFTP

 

Where I am lost is how my telepresence endpoints are going to re-register to CUCM?

Will I have to manually delete the CTL/ITL on the endpoints, or will they use TVS?

 

This doc mentions that TVS is not supported on Telepresence endpoints :

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118893-technote-cucm-00.html

 

Any help would be much appreciated :)

 

 

3 Accepted Solutions

Accepted Solutions

Gunnar Reiser
Level 4
Level 4

Hallo Mathew,

unfortunately it's true that TP systems still don't support TVS to check certificate validity if the certificate signing the CTL is unknown.

So if you renew the CallManager Certificate that normaly signs the CTL, the TP systems (btw Jabber behaves the same way) won't accept the new CTL because the new certificate is not trusted.

But with changing to token less CTL there was also the ITLRECOVERY certificate added to the CTL.

So directly after the CTL update on CLI (utils ctl update CTLFile) have the new CTL signed by the ITLRECOVERY certificate with "utils ctl reset localkey".

Now the CTL containing the new certificates is signed by a certificate which is trusted and you should be fine.

 

Cheers,

Gunnar

 

View solution in original post

Gunnar Reiser
Level 4
Level 4
And an additional note. Don't Restart CallManager Service before CTL renewal.
Because otherwise your endpoints will have to register to a Server where they don't have a chance of receiving a certificate for.
Also (not documented correctly) if you change the CallManager Cert you also need to restart the CTIManager as well.

View solution in original post

Hi Gunner,

 

I confirm your solution worked, thanks man :)

View solution in original post

4 Replies

Gunnar Reiser
Level 4

Hello Mathew,

Unfortunately it's true that TP systems still don't support TVS to check certificate validity if the certificate signing the CTL is unknown.

So if you renew the CallManager certificate that normally signs the CTL, the TP systems (btw Jabber behaves the same way) won't accept the new CTL because the new certificate is not trusted.

But with the change to tokenless CTL, the ITLRECOVERY certificate was also added to the CTL.

So directly after the CTL update on the CLI (utils ctl update CTLFile), have the new CTL signed by the ITLRECOVERY certificate with "utils ctl reset localkey".

Now the CTL containing the new certificates is signed by a certificate which is trusted, and you should be fine.

 

Cheers,

Gunnar

 

Gunnar Reiser
Level 4
And an additional note: don't restart the CallManager service before the CTL renewal, because otherwise your endpoints will have to register to a server for which they have no chance of receiving a certificate.
Also (not documented correctly): if you change the CallManager cert, you need to restart the CTIManager as well.
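The trust logic behind the two posts above, as an added model that is not code from the original thread or from Cisco: a telepresence endpoint holds a cached CTL, accepts a new CTL only if it is signed by a certificate already listed in the cached one (no TVS fallback), and only then trusts a server presenting the renewed CallManager certificate. The certificate names ("CallManager-2017", "CallManager-2018", "ITLRECOVERY") and the keys are constructed for the example, and an HMAC key stands in for each certificate's RSA key pair; the real CTL file format is not reproduced.

```python
"""Model of CTL rollover on an endpoint without TVS (constructed example)."""
import hashlib
import hmac
import json


def make_key(name):
    # Constructed toy key derived from the certificate name; a real
    # CallManager/ITLRecovery certificate has an RSA key pair instead.
    return hashlib.sha256(name.encode()).digest()


def sign_ctl(cert_names, signer):
    """Build a CTL: the trusted certificates (name -> key) signed by `signer`.

    Loosely mirrors the real file: the CTL lists the certificates an endpoint
    may trust and is itself signed by one of the listed certificates.
    """
    entries = {name: make_key(name).hex() for name in sorted(cert_names)}
    body = json.dumps(entries, sort_keys=True).encode()
    signature = hmac.new(make_key(signer), body, hashlib.sha256).hexdigest()
    return {"body": body, "signer": signer, "signature": signature}


class TelepresenceEndpoint:
    """Endpoint that trusts only signers present in its cached CTL."""

    def __init__(self, ctl):
        # name -> key hex, taken from the CTL installed at initial registration
        self.trusted = json.loads(ctl["body"])

    def install_ctl(self, ctl):
        """Accept a new CTL only if a currently trusted certificate signed it."""
        key_hex = self.trusted.get(ctl["signer"])
        if key_hex is None:
            return False  # unknown signer; TP systems cannot ask TVS
        expected = hmac.new(bytes.fromhex(key_hex), ctl["body"],
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, ctl["signature"]):
            return False  # signer known but the file was altered
        self.trusted = json.loads(ctl["body"])  # adopt the new trust list
        return True

    def accepts_server(self, cert_name):
        """TLS to CCM/TFTP succeeds only if the presented cert is in the CTL."""
        return cert_name in self.trusted


def rollover_scenarios():
    """Replay the renewal steps from the thread and record what the endpoint does."""
    old_ctl = sign_ctl(["CallManager-2017", "ITLRECOVERY"], "CallManager-2017")
    ep = TelepresenceEndpoint(old_ctl)
    new_entries = ["CallManager-2018", "ITLRECOVERY"]
    results = {}

    # utils ctl update CTLFile alone: new CTL signed by the renewed cert.
    results["ctl_signed_by_new_callmanager"] = ep.install_ctl(
        sign_ctl(new_entries, "CallManager-2018"))

    # CallManager restarted with the new cert before the endpoint has a new CTL.
    results["tls_to_restarted_server_before_ctl"] = ep.accepts_server("CallManager-2018")

    # A CTL with an extra entry spliced in but the ITLRECOVERY signature unchanged.
    tampered = sign_ctl(new_entries, "ITLRECOVERY")
    entries = json.loads(tampered["body"])
    entries["Rogue-CA"] = make_key("Rogue-CA").hex()
    tampered["body"] = json.dumps(entries, sort_keys=True).encode()
    results["tampered_ctl_signed_by_itlrecovery"] = ep.install_ctl(tampered)

    # utils ctl reset localkey: same entries, signed by the trusted ITLRECOVERY cert.
    results["ctl_signed_by_itlrecovery"] = ep.install_ctl(
        sign_ctl(new_entries, "ITLRECOVERY"))

    # Now the CallManager/TFTP restart with the renewed cert is safe.
    results["tls_to_restarted_server_after_ctl"] = ep.accepts_server("CallManager-2018")

    # Future CTLs signed by the renewed CallManager cert are accepted as usual.
    results["later_ctl_signed_by_new_callmanager"] = ep.install_ctl(
        sign_ctl(new_entries, "CallManager-2018"))
    return results


if __name__ == "__main__":
    for step, ok in rollover_scenarios().items():
        print(f"{step}: {'accepted' if ok else 'rejected'}")
```

The ordering matters for the same reason the second post gives: as long as the endpoint's CTL only lists the old CallManager certificate, a server that already presents the renewed one is rejected at the TLS layer, so the endpoint never gets a chance to download the CTL that would fix that.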

Thanks Gunnar,

 

I'll give it a try:

1 - Upload newly signed call manager cert

2 - Update CTL: utils ctl update CTLFile

3 - Sign CTL with ITL Recovery: utils ctl reset localkey

4 - Restart Call Manager Service / TFTP / CTI Manager

 

Rgds,

Mathew

Hi Gunnar,

 

I confirm your solution worked, thanks man :)
