CUCM mixed mode regenerate certificate and upgrade

m.goretti
Level 1

My customer has a CUCM Cluster (Pub+Sub) vers. 10.5.1 in Mixed mode. He doesn't use LSC because Phones are unable to download it, so he uses MIC for Call Encryption.
We discovered that the CAPF and Call Manager certificates on both servers have expired.
He wants to regenerate them (to use the LSC method) and upgrade to 10.5.2.
I know it is a critical procedure for the entire cluster and Phone registration.
I am thinking of doing these steps:
Regenerate Call Manager.pem on PUB
Restart TFTP & Call Manager Service on PUB
Regenerate Call Manager.pem on SUB
Restart TFTP & Call Manager Service on SUB
Regenerate CAPF.pem on Pub
Regenerate CAPF.pem on Sub
Restart CAPF service on PUB?
Re-run CTL Client?

After the upgrade, must I re-run the CTL Client?

Any suggestion is appreciated.

Thx
Matteo

2 Replies

Manish Gogna
Cisco Employee

Hi Matteo,

If you run a CUCM cluster in Mixed-Mode, this means that the CTL file needs to be updated after all certificate changes. The procedure on how to do this is in Cisco's Security Guide documentation. However, be sure that you have at least one eToken from the original initiation of the Mixed-Mode feature and that the eToken password is known.

Note: An update of the CTL does not happen automatically (as it does in the case of the ITL file). It needs to be completed manually by the administrator with either the CTL Client or the CLI command.

More details about the certificate regeneration procedure are available here:

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html#anc7

Manish

Hi Manish,

So can I re-run the CTL Client after I have regenerated all certificates on both servers, or after each regeneration?

Matteo