Merging and Importing TFTP certificates in preparation for migration.

R_Acuti
Level 1

Hi gang,

 

We are upgrading from UCM 8.5 to 11.5. 

 

As you probably know, this requires exporting and consolidating the TFTP certificates of both the new and old Call Managers. Then, you import the new, consolidated certificate back into the originating, old Call Manager. This is so that the VoIP endpoints will know to trust the new Call Manager.

 

The export and consolidation work fine with no errors. When I attempt to import the new, consolidated TFTP certificate back into the originating Call Manager, I get this error:

 

"org.bouncycastle.asn1.DERSequence cannot be cast to org.bouncycastle.asn1.ASN1OctetString"

 

 

This appears to be some sort of crypto incompatibility as described by this Cisco bug report:

https://quickview.cloudapps.cisco.com/quickview/bug/CSCuw80758

 

I *think* the solution is to upgrade the old, originating Call Manager to a new type of encryption standard, but I've no idea what or where to get it.

 

I'd appreciate any insight into this problem.

 

Thanks!

13 Replies

Jaime Valencia
Cisco Employee

There are some bugs around this:

Error Bulk cert import from 10.5.2.13900-2, or higher, to lower versions
CSCuy43181

 

You can do exactly the same thing manually, just download the certificates from one cluster, and upload them to the other cluster. That's really what the export/import/consolidate does.

HTH

java

if this helps, please rate

This place never disappoints. Thanks for the rapid response.

 

So, simply upload the TFTP cert from the old, originating CM to the new one? If you confirm, I'll give it a shot.

That depends on what certificates you chose for the export, but yes, the idea is the same for all of them.

Export just sends them to a central repository, consolidate creates the bundle, and import gets the bundle and imports into the -trust stores. It's meant to simplify and avoid you downloading and importing individual certs, but you can still do that in case something fails.

HTH

java

if this helps, please rate

Ok, looks like I had that backwards. I need the old CM to have the certificate from the new CM.

It's the TVS that I need to put onto the old CM.

 

Next question:  Do I download the .PEM or the .DER format type?

Sorry, let me rewind a bit.

 

I'm attempting to consolidate TFTP certificates and place that on the old CM.

I am not seeing that certificate in the list of either Call Manager, so I am unsure which certificate in the list I should migrate to the old Call Manager.

 

The dialogue also asks for a root certificate and I'm unsure what to put into that field.

Hi R_Acuti,

 

Did you manage to resolve this issue?

Can you please post the steps you followed to resolve this?

 

Thanks.

The issue is that UCM 8.5 uses a weaker encryption method than 11.5, thus 8.5 is unable to import the merged certificate. The only solution I could find was to place the 8.5 system in "Rollback" mode. Doing this (and resetting all endpoints) causes the endpoints to download a blank trust certificate. This allows the endpoints to accept the certificate from the 11.5 system once the DHCP pool option 150 statement has been updated.

Original CUCM is using 9.1.2 and New CUCM is using 11.5.1 - we are migrating in phases and use Extension Mobility so the Blank ITL is not an option.

First, can I export the TFTP certs from each of the CUCMs to a centralized TFTP, then run consolidate from the new 11.5.1 CUCM and import these into the original 9.1.2 cluster, reset TVS on the original, and then move a group of phones to the new CUCM without an issue? Or are you saying it will need to be done manually?

Second, do these need to be imported on the TFTP servers?

 

Thanks!

Hi! I had the same scenario as yours before, and I just followed the link below and it worked smoothly.

https://www.uccollabing.com/2016/08/25/cucm-bulk-certificate-import-error/

Below is the result from my testing:
Uploaded 11.5's CallManager.pem certificate as CallManager-trust and Phone-SAST-trust to the 9.1 Call Manager version.
Restarted Cisco Trust Verification Service. Non-service affecting.
Changed Option 150. Reset phone.
Phone registered to 11.5 now.

Thank you, I will give this a go.

Let us know how it goes. Additionally, what I did on my end was manually change the TFTP on 1 phone first and ensure that it registered successfully before finally changing Option 150 on the DHCP server.

Hope this helps.

We just tested with our DEV environment and it worked like a champ. We have several TFTP servers, so we downloaded the .PEM from both of the TFTP servers in our "new" cluster and then loaded them as CallManager-trust and Phone-SAST-trust on the "original" cluster. 2 TFTP servers on new makes 2 .PEM files, then each of my original servers gets 4 trusts created. Thanks so much.
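The export/consolidate/import flow Jaime describes earlier in the thread, the PEM-versus-DER question, and the final procedure above (each new-cluster TFTP certificate uploaded as both CallManager-trust and Phone-SAST-trust on every original node) can all be sanity-checked offline before anything is uploaded. The script below is an added example, not code from this thread or from Cisco: it detects PEM versus DER, splits a consolidated bundle into its individual certificates, reads each subject CN from the DER structure, drops duplicates the way a consolidate step should, and counts the trust entries the upload will create. It uses only the Python standard library; the two sample certificates and their CNs (cucm-new-tftp1.example.invalid and cucm-new-tftp2.example.invalid) are constructed inside the script and are not valid, signed certificates.

```python
"""Offline check of a CUCM trust-store bundle: PEM/DER detection, bundle
splitting, subject-CN listing and upload planning.  Standard library only."""
import base64
import re
import ssl

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)


def der(tag, payload):
    """Minimal DER TLV encoder; only used to build the constructed samples."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def subject_cn(cert_der):
    """Walk Certificate -> TBSCertificate -> subject Name and return its CN."""
    _, start, _ = tlv(cert_der, 0)              # Certificate SEQUENCE
    _, pos, _ = tlv(cert_der, start)            # TBSCertificate SEQUENCE
    tag, _, end = tlv(cert_der, pos)
    if tag == 0xA0:                             # optional [0] EXPLICIT version
        pos = end
    for _ in range(4):                          # serial, signature, issuer, validity
        _, _, pos = tlv(cert_der, pos)
    _, rdn_pos, subj_end = tlv(cert_der, pos)   # subject Name SEQUENCE
    while rdn_pos < subj_end:
        _, atv_pos, rdn_end = tlv(cert_der, rdn_pos)        # RDN SET
        while atv_pos < rdn_end:
            _, oid_pos, atv_end = tlv(cert_der, atv_pos)    # AttributeTypeAndValue
            _, o_start, o_end = tlv(cert_der, oid_pos)      # attribute type OID
            if cert_der[o_start:o_end] == OID_CN:
                _, v_start, v_end = tlv(cert_der, o_end)    # attribute value
                return cert_der[v_start:v_end].decode()
            atv_pos = atv_end
        rdn_pos = rdn_end
    return None


def _as_bytes(data):
    return data.encode() if isinstance(data, str) else data


def is_pem(data):
    """A .PEM download is base64 text with BEGIN/END markers; .DER is raw binary."""
    return b"-----BEGIN CERTIFICATE-----" in _as_bytes(data)


def split_bundle(data):
    """Return the DER bytes of every certificate in PEM (bundle) or DER input."""
    data = _as_bytes(data)
    if not is_pem(data):
        return [data]                           # a single DER-encoded certificate
    return [base64.b64decode(b"".join(m.group(1).split()))
            for m in PEM_BLOCK.finditer(data)]


def consolidate(*sources):
    """Merge PEM/DER inputs into one PEM bundle, dropping duplicate certificates."""
    seen, out = set(), []
    for data in sources:
        for c in split_bundle(data):
            if c not in seen:
                seen.add(c)
                out.append(ssl.DER_cert_to_PEM_cert(c))
    return "".join(out)


def bundle_subjects(data):
    return [subject_cn(c) for c in split_bundle(data)]


def planned_uploads(bundle, stores=("CallManager-trust", "Phone-SAST-trust")):
    """(store, CN) pairs that get created on each node of the original cluster."""
    return [(s, cn) for cn in bundle_subjects(bundle) for s in stores]


def make_sample_cert(cn):
    """Construct a certificate-shaped DER blob with the given subject CN.
    It is NOT signed or trusted; it exists only to exercise the parser."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))
    validity = der(0x30, der(0x17, b"200101000000Z") + der(0x17, b"300101000000Z"))
    spki = der(0x30, sha256_rsa + der(0x03, b"\x00\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + sha256_rsa + name + validity + name + spki)
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" * 17))


# Constructed inputs: one .PEM and one .DER download from the "new" cluster's TFTP nodes.
NEW_TFTP1_PEM = ssl.DER_cert_to_PEM_cert(make_sample_cert("cucm-new-tftp1.example.invalid"))
NEW_TFTP2_DER = make_sample_cert("cucm-new-tftp2.example.invalid")

if __name__ == "__main__":
    bundle = consolidate(NEW_TFTP1_PEM, NEW_TFTP2_DER, NEW_TFTP1_PEM)  # duplicate dropped
    for store, cn in planned_uploads(bundle):
        print(f"{store:18} <- {cn}")
```

Run it as-is and it prints the four (store, CN) pairs that the post above describes creating per original node; point `consolidate` at the files you actually downloaded (one `open(path, "rb").read()` per argument) to confirm that the CNs in the bundle are the new cluster's nodes and nothing else before uploading it to the -trust stores.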

 

Thanks for getting back and good to know that it worked fine. :) Good luck on your migration!

Please rate if it helps.