CUCM - CAPF Certificate Question

Quintin.Mayo
Level 2

Hi,

We have a CUCM cluster with two nodes, Publisher and Subscriber, each of which has CAP-RTP-001 (CallManager-trust) and CAPF-317672FA (CAPF-trust) certificates that will be expiring soon. From my understanding these are system-installed certificates. Since we aren't using the Cisco Certificate Authority Proxy Function service, it's deactivated; can these certificates be deleted? Any direction would be greatly appreciated.

Thanks,

b.winter
VIP

CAP-RTP-001 is a pre-installed cert and is not associated with a CUCM service itself. Normally, this (and others) gets updated when you do CUCM updates and therefore shouldn't expire (unless you haven't done CUCM updates for years).

CAPF-317672FA is a certificate for the CUCM-CAPF service. So if this is going to expire, then check the node which has this certificate and regenerate it. (CAPF instead of CAPF-trust).
If you don't find a node with this certificate for the CAPF service, then it is an old one and can be deleted anyway.

If your cluster is not in mixed mode, you can delete the CAP-RTP-001 cert and let the CAPF-... cert expire.
But it's never good practice to let a CUCM service certificate expire. Just renew it and you're finished.

More here: https://community.cisco.com/t5/ip-telephony-and-phones/cucm-security-mic-certificates/td-p/3226282 and, as Jaime mentioned there, the topic of certificates has been discussed many, many times, so you should find more info if you search the forum.

If any of these are the actual CAPF certificate that the CM system has, I would recommend you renew them. To do so, please see this document: Cisco UC Certificates Renewal Guide



Hi Roger, I don't see the CAP-RTP certs mentioned in your very detailed and well-done document. According to Cisco, these are manufacturing certs, but what to do if they expire? As soon as I get access to the system, I'll check if they can be regenerated.

• The Manufacturing-trust certificates are pre-loaded on any CUCM during installation and are used by CUCM to trust any Cisco IP phone by default. It is not recommended to remove these certificates:

CAP-RTP-001
CAP-RTP-002
Cisco Root CA 2048
Cisco Root CA M2
ACT2_SUDI_CA
Cisco_Manufacturing_CA
Cisco_Manufacturing_CA_SHA2

KevinS1
Level 1

None of those are CAPF certs. They are MIC certs, and Cisco TAC can't explain what happens if they expire and we do not have LSCs installed. They also know nothing about the certs being replaced via version upgrades. Time is ticking and TAC is not helpful.

cmite
Level 1

Hi KevinS1, any update from TAC or anyone else about the CAP-RTP-001 certs? Thanks

cmite
Level 1

CAP-RTP-001 is the common name for two certs, CallManager-trust and CAPF-trust, which may be copies of service certs. If the service certs were regenerated, there should be nothing to worry about. Correct?

Sorry. Been away from Call Manager for a few years and now getting back into it.
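The question raised above, whether a trust-store entry named CAP-RTP-001 is merely a copy of a service certificate and whether it is the one about to expire, can be settled from the certificates themselves rather than from their names. The following shell script is an added example written for this page; it is not code posted in the thread or provided by Cisco. It assumes the certificates have been downloaded as .pem files from the CUCM OS Administration certificate management page into one directory (the `$WORKDIR` layout, the file names and the 30-day threshold are assumptions), and it constructs throwaway sample certificates with openssl so it runs stand-alone.

```shell
#!/bin/sh
# Added example: inventory PEM exports from a CUCM trust store and flag
# (a) entries that expire within a threshold and (b) entries whose SHA-256
# fingerprint matches a service certificate (the "copy of a service cert" case).
# Assumptions (not from the thread): certs were downloaded as .pem files from
# OS Administration > Security > Certificate Management into one directory.
set -eu

WORKDIR=$(mktemp -d)

# make_sample_cert NAME CN DAYS: constructed self-signed sample (not a Cisco cert)
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.pem" \
        -subj "/CN=$2" -days "$3" >/dev/null 2>&1
}

# cert_cn PEM: subject common name
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_end PEM: notAfter timestamp as printed by openssl
cert_end() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# cert_fingerprint PEM: SHA-256 fingerprint, colon-separated hex
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_expires_within PEM DAYS: success if the cert expires (or has expired)
# within DAYS days; -checkend exits non-zero in exactly that case
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# same_cert A B: success if both files hold the identical certificate
same_cert() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# report SERVICE_PEM DAYS TRUST_PEM...: one line per trust-store entry
report() {
    svc=$1; days=$2; shift 2
    for f in "$@"; do
        status="ok"
        if cert_expires_within "$f" "$days"; then status="EXPIRING"; fi
        copy="standalone"
        if same_cert "$svc" "$f"; then copy="copy-of-service-cert"; fi
        printf '%-22s %-30s %-9s %s\n' "$(cert_cn "$f")" "$(cert_end "$f")" "$status" "$copy"
    done
}

# Demo with constructed certs: a CAPF service cert, a trust-store copy of it,
# and an unrelated trust-store entry that expires in 10 days.
make_sample_cert capf-service "CAPF-SAMPLE" 365
cp "$WORKDIR/capf-service.pem" "$WORKDIR/capf-trust.pem"
make_sample_cert cap-rtp-trust "CAP-RTP-001" 10
report "$WORKDIR/capf-service.pem" 30 "$WORKDIR/capf-trust.pem" "$WORKDIR/cap-rtp-trust.pem"
```

In practice, point `report` at the downloaded CAPF.pem or CallManager.pem and the corresponding -trust exports: an entry whose fingerprint equals the current service certificate is just a copy and follows the service cert when that is regenerated, while an entry that matches nothing and is flagged EXPIRING is the one to trace to the node that owns it, as suggested earlier in the thread.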

KevinS1
Level 1

Hi, I have removed the two CAP-RTP-001 & 002 certs from both trust stores in two different CUCM clusters. One cluster was not in mixed mode and the other cluster was in mixed mode yet not using LSCs or the secure profiles on the phones (just mixed mode enabled without secure phones).

The impact was nothing. I did restart the recommended services and I also rebooted the full cluster, as it had not been rebooted in a very long time.

TAC could not provide any documents about the two MIC certs and how they would or would not impact the cluster; however, two different TAC cases both gave me the same recommendation to delete the certs, as I was not using secure profiles on the phones. If I was using secure profiles on the phones, then I needed to push/install the LSC as standard practice for the phones to register in a secure cluster with secure profiles... yet on those clusters I did not need the secure profiles or LSCs.

I hope that helps anyone else looking for more details. Just delete it and cross your fingers, then restart the services....

Thank you!