Solved: Direct Routing certificate renewal

alex1988 · ‎03-19-2024

Hi all,

We had implemented Teams direct routing setup with a pair of CUBEs in High Availability mode (about a year ago) and the certificate (sbc.mydomain.com) is about to expire. I would like some help on the steps required to renew the certificate, because I have only seen guides for either new implementations or for standalone CUBEs.

Thank you!

Shalid Kurunnan Chalil · ‎03-19-2024

Hi there,

You can either generate a CSR using OpenSSL with both CUBE FQDNs included in its SAN entries and import both the private key and signed certificates into the CUBE HA pairs, or you can individually generate CSR for each CUBE and import the signed certificates on their respective CUBEs.

Regards,

Shalid

Disclaimer:

Responses are based on personal knowledge and experience. Consider them as guidance. Other members may offer different perspectives or better approaches. No responsibility is assumed for outcomes; discretion is advised.

View solution in original post

Roger Kallberg · ‎03-19-2024

From what I know the process is the same as for a new certificate. These are the steps you’d typically do for any certificate creation or renewal.

Create a CSR
Send CSR to CA to create a signed certificate
Verify if you need to upload or update the CA certificate(s), root and if applicable any intermediate
Upload the signed certificate that you received from the CA

alex1988 · ‎03-19-2024

Thank you Roger for your reply. Since the CUBEs are in HA mode and each one has a different hostname (sbc1.mydomain.com and sbc2.mydomain.com), from which one should I create the CSR, having in mind that the certificate will be sbc.mydomain.com?

Shalid Kurunnan Chalil · ‎03-19-2024

Hi there,

You can either generate a CSR using OpenSSL with both CUBE FQDNs included in its SAN entries and import both the private key and signed certificates into the CUBE HA pairs, or you can individually generate CSR for each CUBE and import the signed certificates on their respective CUBEs.

Regards,

Shalid

Disclaimer:

Responses are based on personal knowledge and experience. Consider them as guidance. Other members may offer different perspectives or better approaches. No responsibility is assumed for outcomes; discretion is advised.

alex1988 · ‎03-19-2024

Hi Shalid,

If I use the first method, I will import the pfx file to both CUBEs and then do I have to delete the current crypto pki trustpoint and create a new one?

Shalid Kurunnan Chalil · ‎03-19-2024

No, you typically don't need to delete the current crypto pki trustpoint and create a new one.

You can often update the existing trustpoint with the new certificate.

Regards,

Shalid

Disclaimer:

Responses are based on personal knowledge and experience. Consider them as guidance. Other members may offer different perspectives or better approaches. No responsibility is assumed for outcomes; discretion is advised.

alex1988 · ‎03-19-2024

I will try it and come back with the results. Thank you for your help!

alex1988 · ‎03-20-2024

So, it worked like that: I imported the pfx (including the certificate chain) but I had to create a new trustpoint (I guess it would have worked if I deleted the former and re-created it).

Finally, under sip-ua (if you create a new trustpoint) you have to change the crypto signaling default trustpoint command with the newly created trustpoint and it will work. Thank you both for your help!

Shalid Kurunnan Chalil · ‎03-20-2024

Thanks @alex1988 for the update.

Roger Kallberg · ‎03-19-2024

The same as when you originally created the current certificate. My experience with certificates is primarily with different CVOS systems and how it’s handled in them. In those you would create a multi SAN certificate for what you ask for. How or if it’s possible in IOS I don’t know, but likely there are documentation for this.