cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
703
Views
0
Helpful
3
Replies

CUCM Certificates Expire with Non-Secure Profile

sgqjt0001
Level 1
Level 1

Hi everyone,  there is a CUCM publisher and a subscriber in our cluster, the 'Cluster Security Mode' is set to '1', 'Device Security Profile' is set to 'Non-Secure Profile' in phone configuration, there is no Authentication, and Encrypted Config. The certificates in the cluster will expire on 25 July 2022, does this affect our IP phone register and calling?

1 Accepted Solution

Accepted Solutions

The phone will continue working.

Service Impact by the Certificate Store

It is critical for the good functionality of the system to have all certificates updated across the CUCM cluster. If your certificates are expired or invalid they might significantly affect the normal functioning of the system. A list of potential issues you might have when any of the specific certificates are invalid or expired is shown here. The difference in impact might depend upon your system setup.

CallManager.pem

  • TFTP not trusted (phones do not accept signed configuration files and/or ITL files).
  • Phone services might be affected.
  • Secure Session Initiation Protocol (SIP) trunks or media resources (Conference bridges, Media Termination Point (MTP), Xcoders, and so on) does not register or work.
  • The AXL request fails.

Tomcat.pem

  • Phones are not able to access HTTPs services hosted on the CUCM node, such as Corporate Directory.
  • CUCM's web GUI issues, such as unable to access service pages from other nodes in the cluster.
  • Extension Mobility or Extension Mobility Cross Cluster issues.
  • If UCCX (Unified Contact Center Express) is integrated, due to security change from CCX 12.5 it is required to have upload CUCM Tomcat certificate (self-signed) or the Tomcat root & intermediate certificate (for CA signed) in UCCX tomcat-trust store since it effect Finesse desktop logins

CAPF.pem

  • Phones do not authenticate for Phone VPN, 802.1x, or Phone Proxy. 
  • Cannot issue LSC certificates for the phones.
  • Encrypted configuration files do not work.

IPSec.pem

  • Disaster Recovery System (DRS)/Disaster Recovery Framework (DRF) might not function properly. 
  • IPsec tunnels to Gateway (GW) to other CUCM clusters do not work.

Trust Verification Service (TVS)

The phone cannot authenticate HTTPS service. The phone cannot authenticate configuration files (this can affect nearly everything on CUCM).

phone-vpn-trust

The phone VPN does not work because the VPN's HTTPS URL cannot be authenticated.

 

 

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html



Response Signature


View solution in original post

3 Replies 3

The phone will continue working.

Service Impact by the Certificate Store

It is critical for the good functionality of the system to have all certificates updated across the CUCM cluster. If your certificates are expired or invalid they might significantly affect the normal functioning of the system. A list of potential issues you might have when any of the specific certificates are invalid or expired is shown here. The difference in impact might depend upon your system setup.

CallManager.pem

  • TFTP not trusted (phones do not accept signed configuration files and/or ITL files).
  • Phone services might be affected.
  • Secure Session Initiation Protocol (SIP) trunks or media resources (Conference bridges, Media Termination Point (MTP), Xcoders, and so on) does not register or work.
  • The AXL request fails.

Tomcat.pem

  • Phones are not able to access HTTPs services hosted on the CUCM node, such as Corporate Directory.
  • CUCM's web GUI issues, such as unable to access service pages from other nodes in the cluster.
  • Extension Mobility or Extension Mobility Cross Cluster issues.
  • If UCCX (Unified Contact Center Express) is integrated, due to security change from CCX 12.5 it is required to have upload CUCM Tomcat certificate (self-signed) or the Tomcat root & intermediate certificate (for CA signed) in UCCX tomcat-trust store since it effect Finesse desktop logins

CAPF.pem

  • Phones do not authenticate for Phone VPN, 802.1x, or Phone Proxy. 
  • Cannot issue LSC certificates for the phones.
  • Encrypted configuration files do not work.

IPSec.pem

  • Disaster Recovery System (DRS)/Disaster Recovery Framework (DRF) might not function properly. 
  • IPsec tunnels to Gateway (GW) to other CUCM clusters do not work.

Trust Verification Service (TVS)

The phone cannot authenticate HTTPS service. The phone cannot authenticate configuration files (this can affect nearly everything on CUCM).

phone-vpn-trust

The phone VPN does not work because the VPN's HTTPS URL cannot be authenticated.

 

 

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html



Response Signature


sgqjt0001
Level 1
Level 1

Hi @Nithin Eluvathingal,

Thanks for your help.

There are some phones installed with LSC, ITL, and CTL files, and some phones installed with ITL and CTL but no LSC in our environment, in this situation, can we change ‘Cluster Security Mode’ to ‘0’ (Non-secure mode)? How to change it?

Thanks.