"CallManager-trust" certificates in Unity Connection 11.5.1.15900-18

TONY SMITH
Spotlight

Hi,

I'm going through some clusters cleaning up expiring certificates.  One thing that's puzzling me is that Unity Connection has "CallManager-trust" certificates, but apparently no underlying "CallManager" self-signed certificates to be regenerated.   Are these originating certificates hidden somewhere?

Thanks,

Tony S

7 Replies

lfulgenzi
Level 7

I am running into the same issue. Renewing about to expire certs on Unity Connection and I am seeing the same certificate loaded as a CallManager-trust type, in addition to the tomcat and tomcat-trust (auto-loaded), on my servers.

@TONY SMITH did you ever find a resolution to this?


TONY SMITH
Spotlight

I didn't get to the bottom of it. This bug suggests that the actual CallManager certificates do indeed exist, although they may only be used in some specific functions. Nothing seems to explain how you would regenerate these certificates if you can't see them. Maybe from the CLI? If I find a cluster where they're expired I'd probably raise a TAC case.

At the moment I'm treating it as cosmetic; the clusters I'm working on have those certificates and they are not expired (yet).

https://bst.cisco.com/bugsearch/bug/CSCvr91605

lfulgenzi
Level 7

Thanks @TONY SMITH 

I came across that bug as well, but I’m not sure that applies in my case.  

What’s weird is that it’s Unity Connection's own (public CA signed) certificate that has been loaded as a CallManager-trust type cert.

Hopefully my TAC engineer can shed light.  
My certs expire soon, so I want to deal with it.  I may just delete the old one and “see what breaks”.  

These certificates date back to when CM and CUC shared the same installer and in most scenes used the same underlying operating system. Nowadays these two have diverged into different products. Because of this there is no CallManager certificate, but the previously created or uploaded trust certificates are still present, but AFAIK they are not in use.





lfulgenzi
Level 7

OK. Thanks. I guess my colleague either just assumed he needed to renew them or the TAC told him so. Come to think of it, I renewed the certs for three years before him, then he did for two years... so maybe we were on a different version 6 years ago? Version 7 or 9 maybe?

Oh well..... they're gone! Click. Delete.

Thanks for the info. I'm facing the same issue and just wanted to confirm if deleting these certs caused any issues for you?

noelciscoman
Level 1

I am seeing the same while needing to regen certs in Unity, Call Manager, and IMP. The Call Manager certs in Unity have the same date on everything that I found in Unity and Call Manager that need to be regenerated. One of the CallManager certs in Unity did regenerate as part of the cert regen process for Unity that TAC provided to me. However, after reviewing the others with TAC, they said they are not needed and can be deleted as I am not using a secure connection to Call Manager from Unity. I did state that I would like to have the procedure for regenerating these certs if they are used for a secure connection to Call Manager, even if that is not a feature I am using at the moment (SIP trunk between the two systems is currently non-secure). Unity TAC was not able to provide the procedure and again advised that since I am using non-secure, I should delete the certs. Version is 11.5.1.23900-30