03-08-2016 05:24 AM - edited 03-19-2019 10:50 AM
My customer has a CUCM Cluster (Pub+Sub) vers. 10.5.1 in Mixed mode. He doesn't use LSC because Phones are unable to download it. So he uses MIC for Call Encryption.
We discovered that the CAPF and Call Manager certificates on both servers are expired.
He wants to regenerate them (to use the LSC method) and upgrade to 10.5.2.
I know it is a critical procedure for the entire cluster and Phones registration.
I am thinking of doing these steps:
Regenerate Call Manager.pem on PUB
Restart TFTP & Call Manager Service on PUB
Regenerate Call Manager.pem on SUB
Restart TFTP & Call Manager Service on Sub
Regenerate CAPF.pem on Pub
Regenerate CAPF.pem on Sub
Restart CAPF service on PUB?
Re-run CTL Client?
After the upgrade, must I re-run the CTL Client?
Any suggestion is appreciated.
Thx
Matteo
03-09-2016 03:29 AM
Hi Matteo,
If you run a CUCM cluster in Mixed-Mode, this means that the CTL file needs to be updated after all certificate changes. The procedure on how to do this is within Cisco's Security Guide Documentation. However, be sure that you have at least one eToken from the original initiation of the Mixed-Mode feature and that the eToken password is known.
Note: An update of the CTL does not happen automatically (as it does in case of the ITL file). It needs to be completed manually by the administrator with either the CTL Client or the CLI command.
More details about the certificate regeneration procedure are available here:
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html#anc7
Manish
03-10-2016 06:45 AM
Hi Manish,
So can I re-run the CTL Client after I have regenerated all certificates on both servers, or after each regeneration?
Matteo