Deleting multiple expired trust certs at the same time

Bob Fitzgerald

Hello all!

I'm trying to figure out if this is advisable.  I have come across a situation where a mixed-mode 12.5.1 SU2 CUCM cluster has had multiple trust certificates expire either at the same time or within a short span of time.  The expired certificates are all CallManager-trust and CAPF-trust certs.  In trying to ensure that I don't cause an unexpected problem I have been deleting them one at a time and restarting services with each deletion.  This understandably takes a bit of time to work through the list.  So, I am wondering if there was anything that could go wrong if I were to delete all of the same type of expired trust certs in one go, and restart the services afterward.  Unless I am missing something, the expired trust certs shouldn't be actively affecting anything in a cert chain.  I guess my worry is will I cause something to break badly by removing too many expired trust certs at the same time.

Thanks!

Accepted Solution

Delete Expired Trust Certificates

Note: Identify the trust certificates that need to be deleted, no longer required, or have expired.  Do not delete the five base certificates which include the CallManager.pem, tomcat.pem, ipsec.pem, CAPF.pem and TVS.pem. Trust certificates can be deleted when appropriate.  The service restarts below are designed to clear any in memory information of legacy certificates within those services.

  1. Navigate to Cisco Unified Serviceability > Tools > Control Center - Network Services
    • From the drop down select the CUCM Publisher
    • Select Stop Certificate Change Notification
    • Repeat for every Call Manager node in your cluster
    • If you have an IMP Server
      • From the drop down menu select your IMP servers one at a time and Select Stop Platform Administration Web Services and Cisco Intercluster Sync Agent
  2. Navigate to Cisco Unified OS Administration > Security > Certificate Management > Find
    • Find the expired trust certificates. (For versions 10.X and higher you can filter by Expiration. For versions below 10.0 you will need to identify the specific certificates manually or via the RTMT alerts if received)
    • The same trust certificate can appear in multiple nodes. It must be deleted individually from each node.
    • Select the trust certificate to be deleted (dependent on your version you will either get a pop-up or you will be navigated to the certificate on same page)
      • Select Delete (you will get a pop-up that begins with you are about to permanently delete this certificate...)
      • Select OK
  3. Repeat the process for every trust certificate to be deleted
  4. Upon Completion, services will need to be restarted that are directly related to the certificates deleted. You do not need to reboot phones in this section.  Call Manager and CAPF will be endpoint impacting.
    • Tomcat-trust: restart Tomcat Service via command line (See Tomcat Section)
    • CAPF-trust: restart Cisco Certificate Authority Proxy Function (see CAPF Section) Do not reboot endpoints
    • CallManager-trust: CallManager Service/CTIManager (See CallManager Section) Do not reboot endpoints
      • Impacts endpoints and causes restarts
    • IPSEC-trust: DRF Master/DRF Local (See IPSEC Section)
    • TVS (Self-Signed) does not have trust certificates
  5. Restart Services Previously Stopped in step 1

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/214231-certificate-regeneration-process-for-cis.html

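Added example, not from the original post or from Cisco: a small Python planner over a constructed trust-certificate inventory that applies the procedure's rules. It skips the five base certificates, lists expired trust certs per node (the same certificate has to be deleted on every node it appears on), and collapses the step 4 restarts per node, so a batch deletion of several certs of the same type needs one restart round rather than one per certificate. The inventory entries, node names and the `plan_deletions` helper are all constructed for illustration.

```python
# Constructed CUCM trust-certificate inventory (not real cluster data).
# Each entry is one certificate as listed on one node; dates are ISO strings
# so they compare correctly as plain text.
INVENTORY = [
    {"node": "cucm-pub",  "name": "CallManager", "type": "CallManager",       "expires": "2026-01-01"},
    {"node": "cucm-pub",  "name": "old-ca-root", "type": "CallManager-trust", "expires": "2023-05-01"},
    {"node": "cucm-sub1", "name": "old-ca-root", "type": "CallManager-trust", "expires": "2023-05-01"},
    {"node": "cucm-pub",  "name": "capf-legacy", "type": "CAPF-trust",        "expires": "2023-06-15"},
    {"node": "cucm-pub",  "name": "lb-tomcat",   "type": "tomcat-trust",      "expires": "2023-02-01"},
    {"node": "cucm-pub",  "name": "current-ca",  "type": "CallManager-trust", "expires": "2027-01-01"},
    {"node": "cucm-sub1", "name": "ipsec",       "type": "ipsec",             "expires": "2023-01-01"},
]

# The five base (identity) certificates the procedure says never to delete.
BASE_CERTS = {"CallManager", "tomcat", "ipsec", "CAPF", "TVS"}

# Step 4 of the procedure: services to restart per deleted trust type,
# and whether that restart is endpoint impacting.
RESTARTS = {
    "tomcat-trust":      (["Tomcat Service"], False),
    "CAPF-trust":        (["Cisco Certificate Authority Proxy Function"], True),
    "CallManager-trust": (["CallManager Service", "CTIManager"], True),
    "ipsec-trust":       (["DRF Master", "DRF Local"], False),
}


def plan_deletions(inventory, today):
    """Return expired trust certs to delete per node plus the per-node restart set.

    `today` is an ISO date string; anything expiring before it is treated as expired.
    """
    plan = {"delete": [], "skipped_base": [], "restart": {}, "endpoint_impact": False}
    for cert in inventory:
        if cert["expires"] >= today:
            continue  # still valid, leave it alone
        if cert["name"] in BASE_CERTS and not cert["type"].endswith("-trust"):
            # Expired or not, a base certificate is regenerated, never deleted.
            plan["skipped_base"].append((cert["node"], cert["name"]))
            continue
        plan["delete"].append((cert["node"], cert["name"], cert["type"]))
        services, hits_endpoints = RESTARTS.get(cert["type"], ([], False))
        # One restart set per node, however many certs of that type were removed there.
        plan["restart"].setdefault(cert["node"], set()).update(services)
        plan["endpoint_impact"] = plan["endpoint_impact"] or hits_endpoints
    plan["delete"].sort()
    return plan


if __name__ == "__main__":
    for key, value in plan_deletions(INVENTORY, "2024-01-01").items():
        print(key, value)
```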

Thank you Nithin!  I must have looked at those instructions 20 times.  Step 3 just didn't register as a "repeat as necessary" step.

Hi there, good procedure, thank you.  We have a situation where we have a lot of old, out of use tomcat-trust certificates that have never been deleted.  One of these is set to expire soon and I want to delete it.  If the old tomcat-trust certificate being deleted is not in use and is not being replaced, do we have to restart the tomcat service after the deletion please?  It is very hard for us to get a maintenance window as we have a 24 x 7 call center.