Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
979
Views
5
Helpful
1
Replies

CUCM 9.1.2 - Callmanager and TVS certificate expired

Go to solution
nexth0pself
Level 1
Level 1

‎02-23-2019 06:38 PM - edited ‎03-19-2019 01:42 PM

Hi All,
 
We currently planning to migrate phone from CUCM cluster 9.1.2 to CUCM cluster 10.5.2 and we will do the migration per-site.
 
Current condition we found on CUCM 9.1.2 that callmanager.pem expired since 1998 and TVS.pem expired since 1999. So when we are trying to use certificate consolidation, we try to export and import those certificate from CUCM 9.1.2 and CUCM 10.5.2 vice versa we got error since those certificate is expired.
 
Now we enabled pre-8.0 rollback to have Blank ITL installed on the phone. Now since IP Phone have Blank ITL they cannot access corporate directory (host not found). 
 
My question is whether it possible if we regenerate callmanager.pem and TVS.pem while pre-8.0 rollback is enabled. Then after that disable pre-8.0 so the phone will have new callmanager.pem and new TVS.pem. 
 
Really appreciate if there is any suggestion or advice from you all
Best Regards,

Nanda Nurhadyan
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jonathan Schulenberg
Hall of Fame
Hall of Fame

‎02-24-2019 06:52 AM

Before you do anything I suggest reading up on how ITL works: https://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/116232-technote-sbd-00.html

 

Once a phone has gotten - and accepted - the updated ITL with zero entries it will blindly trust the next ITL it receives, even if there is no trust continuity. You could just change DHCP Option 150 and reset the phone from the 9.1 cluster to move it over at this point.

 

If you need to restore HTTPS phone services (eg Corporate Directory and Extension Mobility) on the 9.1 cluster, yes you could regenerate the CallManager and TVS certificates but only because you have used the rollback Parameter. Normally you would need to be careful to do this one node at a time to avoid breaking trust continuity of the ITL.

 

PS-

1. Those dates would suggest NTP was not working when the certs were last generated. Make sure that’s fixed before regenerating them.

2. When certificates are not expired, the Phone-SAST-Trust store is the correct approach to moving phones between clusters. People overuse the rollback parameter IMO.

View solution in original post

1 Reply 1

Go to solution
Jonathan Schulenberg
Hall of Fame
Hall of Fame

‎02-24-2019 06:52 AM

Before you do anything I suggest reading up on how ITL works: https://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/116232-technote-sbd-00.html

 

Once a phone has gotten - and accepted - the updated ITL with zero entries it will blindly trust the next ITL it receives, even if there is no trust continuity. You could just change DHCP Option 150 and reset the phone from the 9.1 cluster to move it over at this point.

 

If you need to restore HTTPS phone services (eg Corporate Directory and Extension Mobility) on the 9.1 cluster, yes you could regenerate the CallManager and TVS certificates but only because you have used the rollback Parameter. Normally you would need to be careful to do this one node at a time to avoid breaking trust continuity of the ITL.

 

PS-

1. Those dates would suggest NTP was not working when the certs were last generated. Make sure that’s fixed before regenerating them.

2. When certificates are not expired, the Phone-SAST-Trust store is the correct approach to moving phones between clusters. People overuse the rollback parameter IMO.

Customers Also Viewed These Support Documents