CUCM Certificates Expire with Non-Secure Profile

sgqjt0001
Level 1

Hi everyone, there is a CUCM publisher and a subscriber in our cluster. The 'Cluster Security Mode' is set to '1', the 'Device Security Profile' is set to 'Non-Secure Profile' in the phone configuration, and there is no Authentication or Encrypted Config. The certificates in the cluster will expire on 25 July 2022; does this affect our IP phone registration and calling?

Accepted Solution

The phone will continue working.

Service Impact by the Certificate Store

It is critical for the good functionality of the system to have all certificates updated across the CUCM cluster. If your certificates are expired or invalid they might significantly affect the normal functioning of the system. A list of potential issues you might have when any of the specific certificates are invalid or expired is shown here. The difference in impact might depend upon your system setup.

CallManager.pem

  • TFTP not trusted (phones do not accept signed configuration files and/or ITL files).
  • Phone services might be affected.
  • Secure Session Initiation Protocol (SIP) trunks or media resources (Conference bridges, Media Termination Point (MTP), Xcoders, and so on) do not register or work.
  • The AXL request fails.

Tomcat.pem

  • Phones are not able to access HTTPS services hosted on the CUCM node, such as Corporate Directory.
  • CUCM's web GUI issues, such as unable to access service pages from other nodes in the cluster.
  • Extension Mobility or Extension Mobility Cross Cluster issues.
  • If UCCX (Unified Contact Center Express) is integrated, due to a security change from CCX 12.5 it is required to upload the CUCM Tomcat certificate (self-signed) or the Tomcat root and intermediate certificates (for CA-signed) into the UCCX tomcat-trust store, since it affects Finesse desktop logins.

CAPF.pem

  • Phones do not authenticate for Phone VPN, 802.1x, or Phone Proxy. 
  • Cannot issue LSC certificates for the phones.
  • Encrypted configuration files do not work.

IPSec.pem

  • Disaster Recovery System (DRS)/Disaster Recovery Framework (DRF) might not function properly. 
  • IPsec tunnels to Gateway (GW) to other CUCM clusters do not work.

Trust Verification Service (TVS)

The phone cannot authenticate HTTPS service. The phone cannot authenticate configuration files (this can affect nearly everything on CUCM).

phone-vpn-trust

The phone VPN does not work because the VPN's HTTPS URL cannot be authenticated.


https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html

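The accepted answer lists what breaks per certificate store but not how to check, ahead of the expiry date, which stores are about to cross it. The script below is an added example for this thread; it is not the poster's code and not a Cisco tool. It takes PEM files downloaded from a node (or fetched from a live node with openssl s_client) and reports any store that expires within a warning window, together with the impact summary from the answer above. The store names follow the answer; the port numbers, file names, and the 30-day default are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: an offline expiry check for
# CUCM certificate store PEM files (download them from OS Administration >
# Security > Certificate Management, or pull them from a node with
# fetch_node_cert below). Store names follow the reply above; the impact text
# summarises that reply. Port numbers and the 30-day default are assumptions.

# Impact summary per store, as listed in the accepted answer.
store_impact() {
  case "$1" in
    CallManager) echo "TFTP/ITL trust, phone services, secure SIP trunks and media resources, AXL" ;;
    tomcat)      echo "HTTPS phone services, web GUI, Extension Mobility, UCCX/Finesse logins" ;;
    CAPF)        echo "phone VPN/802.1x/Phone Proxy auth, LSC issuance, encrypted config files" ;;
    ipsec)       echo "DRS/DRF backups, IPsec tunnels to gateways and other clusters" ;;
    *)           echo "unknown store" ;;
  esac
}

# Return 0 if the certificate in PEM file $1 stays valid for at least $2 more
# days, 1 if it expires within that window (openssl's -checkend does the date
# math, so this behaves the same on GNU and BSD userlands).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Print one report line for store $1 held in PEM file $2, warning if it expires
# within $3 days (default 30). Exit status mirrors cert_valid_for_days.
report_store() {
  store=$1; pem=$2; days=${3:-30}
  enddate=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
  if cert_valid_for_days "$pem" "$days"; then
    printf 'OK       %-12s expires %s\n' "$store" "$enddate"
  else
    printf 'WARNING  %-12s expires %s (within %s days); impact: %s\n' \
      "$store" "$enddate" "$days" "$(store_impact "$store")"
    return 1
  fi
}

# Save the certificate a live node presents on TLS port $2 as PEM file $3.
# Assumed ports: 8443 for Tomcat (web GUI / phone HTTPS services), 5061 for
# CallManager SIP over TLS. Not exercised offline.
fetch_node_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -out "$3"
}

# Stand-alone demo: build a constructed self-signed cert valid for 10 days and
# report it with the default 30-day warning threshold (prints a WARNING line).
demo() {
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 10 \
    -subj "/CN=cucm-pub.example.test" \
    -keyout "$tmp/demo.key" -out "$tmp/CallManager.pem" >/dev/null 2>&1
  report_store CallManager "$tmp/CallManager.pem"
  rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh check_cucm_certs.sh --demo` to see the warning on a constructed short-lived cert, or source it and call `report_store tomcat tomcat.pem 60` on files exported from each node; every node in the cluster has its own CallManager, tomcat, CAPF and ipsec certificates, so run the check per node rather than only on the publisher.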

3 Replies

sgqjt0001
Level 1

Hi @Nithin Eluvathingal,

Thanks for your help.

There are some phones installed with LSC, ITL, and CTL files, and some phones installed with ITL and CTL but no LSC in our environment. In this situation, can we change ‘Cluster Security Mode’ to ‘0’ (Non-secure mode)? How do we change it?

Thanks.