cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1910
Views
15
Helpful
7
Replies

"CallManager-trust" certificates in Unity Connection 11.5.1.15900-18

TONY SMITH
Spotlight
Spotlight

Hi,

I'm going through some clusters cleaning up expiring certificates.  One thing that's puzzling me is that Unity Connection has "CallManager-trust" certificates, but apparently no underlying "CallManager" self-signed certificates to be regenerated.   Are these originating certificates hidden somewhere?

Thanks,

Tony S

7 Replies 7

lfulgenzi
Level 7
Level 7

I am running into the same issue. Renewing about to expire certs on Unity Connection and I am seeing the same certificate loaded as a CallManager-trust type, in addition to the tomcat and tomcat-trust (auto-loaded), on my servers.

@TONY SMITH did you ever find a resolution to this?


TONY SMITH
Spotlight
Spotlight

I didn't get to the bottom of it.  This bug suggests that the actual Callmanager certificates do indeed exist, although may only be used in some specific functions.  Nothing seems to explain how you would regenerate these certificates if you can't see them.  Maybe from the CLI?  If I find a cluster where they're expired I'd probably raise a TAC case.

At the moment I'm treating it as cosmetic, the clusters I'm working on have those certificates and they are not expired (yet).

https://bst.cisco.com/bugsearch/bug/CSCvr91605

lfulgenzi
Level 7
Level 7

Thanks @TONY SMITH 

I came across that bug as well, but I’m not sure that applies in my case.  

What’s weird is that it’s the Unity connection own  (public CA signed) certificate that has been loaded as a CallManager-trust type cert.

Hopefully my TAC engineer can shed light.  
My certs expire soon, so I want to deal with it.  I may just delete the old one and “see what breaks”.  

These certificates dates back to when CM and CUC shared the same installer and in most scenes used the same underlying operating system. Nowadays these two have diverged into different products. Because of this there is no Callmanager certificate, but the previous created or uploaded trust certificates are still present, but AFAIK they are not in use.



Response Signature


lfulgenzi
Level 7
Level 7

OK. Thanks. I guess my colleague either just assumed he needed to renew them or the TAC told him so. Come to think of it, I renewed the certs for three years before him,  then he did for two years... so maybe we were on a different version 6 years ago? version 7 or 9 maybe? 

Oh well..... they're gone! click. delete.

thanks for the info, I'm facing the same issue and just wanted to confirm if deleting these certs caused any issues for you?

noelciscoman
Level 1
Level 1

I am seeing the same while needing to regen certs in Unity, Call Manager, and IMP.  The Call Manager certs in Unity have the same date on everything that I found in Unity and Call Manager that need to be regenerated.  One of the CallManager certs in Unity did regenerate as part of the cert regen process for Unity that TAC provided to me.  However, after reviewing the others with TAC, they said they are not needed and can be deleted as I am not using a secure connection to Call Manager from Unity.  I did state that I would like to have the procedure for regenerating these certs if they are used for a secure connection to Call Manager, even if that is not a feature I am using at the moment (SIP trunk between the two systems is currently non-secure).   Unity TAC was not able to provide the procedure and again advised that since I am using non-secure, I should delete the certs. Version is 11.5.1.23900-30

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: