03-01-2021 04:42 PM
Hello all!
I'm trying to figure out if this is advisable. I have come across a situation where a mixed-mode 12.5.1 SU2 CUCM cluster has had multiple trust certificates expire either at the same time or within a short span of time. The expired certificates are all CallManager-trust and CAPF-trust certs. In trying to ensure that I don't cause an unexpected problem, I have been deleting them one at a time and restarting services with each deletion. This understandably takes a bit of time to work through the list. So, I am wondering if there is anything that could go wrong if I were to delete all of the same type of expired trust certs in one go, and restart the services afterward. Unless I am missing something, the expired trust certs shouldn't be actively affecting anything in a cert chain. I guess my worry is: will I cause something to break badly by removing too many expired trust certs at the same time?
Thanks!
03-01-2021 06:07 PM
Note: Identify the trust certificates that need to be deleted, no longer required, or have expired. Do not delete the five base certificates which include the CallManager.pem, tomcat.pem, ipsec.pem, CAPF.pem and TVS.pem. Trust certificates can be deleted when appropriate. The service restarts below are designed to clear any in memory information of legacy certificates within those services.
03-02-2021 03:12 PM
Thank you Nithin! I must have looked at those instructions 20 times. Step 3 just didn't register as a "repeat as necessary" step.
02-24-2023 08:42 AM
Hi there, good procedure, thank you. We have a situation where we have a lot of old, out-of-use tomcat-trust certificates that have never been deleted. One of these is set to expire soon and I want to delete it. If the old tomcat-trust certificate being deleted is not in use and is not being replaced, do we have to restart the tomcat service after the deletion, please? It is very hard for us to get a maintenance window as we have a 24 x 7 call center.