03-02-2021 03:22 PM - edited 03-02-2021 03:23 PM
Hello all!
I will be regenerating the TVS and IPSec certificates on a customer's CUCM tonight. This is being done on a Mixed-mode cluster with 1 Publisher and 2 Subscribers. TFTP is active on both Subscribers, not the Publisher. All "phones" (Telepresence endpoints) are registered to Subscriber 1.
This is what I plan on doing:
- Back up the Cluster.
- Stop the TFTP service on Subscriber 1
- Regenerate the IPSec certificate on the Publisher.
- Restart the DRF Local and DRF Master services on the Publisher.
- Regenerate the TVS certificate on the Publisher.
- Restart the TVS service on the Publisher.
- Regenerate the IPSec certificate on Subscriber 1.
- Restart the DRF Local service on Subscriber 1.
- Regenerate the TVS certificate on Subscriber 1.
- Restart the TVS service on Subscriber 1.
- Reset the phones so they get the ITL from Subscriber 2.
- When all phones have registered to Subscriber 2, start the TFTP service on Subscriber 1.
- Regenerate the IPSec certificate on Subscriber 2.
- Restart the DRF Local service on Subscriber 2.
- Regenerate the TVS certificate on Subscriber 2.
- Restart the TVS service on Subscriber 2.
- Reset the phones so they get the ITL from Subscriber 1.
- Restart the TFTP service on Subscriber 2 so it has updated certificate information.
- Back up the cluster again.
I came up with this process based on information in the Security Guide for CUCM ver 12.5(1)su2 and the CUCM Certificate Regeneration/Renewal Process, doc ID 200199. Does it look like I have the steps in the correct order?
Thanks!
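The plan above, encoded as a small ordering checker. This is an added example, not code from the original post or from any Cisco document. It only models the ordering rules the posted plan itself relies on, stated here as assumptions: a regenerated certificate takes effect only after its dependent service is restarted (IPSec -> DRF Local/Master, TVS -> Trust Verification Service); phones must pick up their ITL from a TFTP server that is running and was (re)started after its last TVS regeneration; at least one TFTP server stays up throughout; and the plan is bracketed by backups. The node names (pub, sub1, sub2) and action names are placeholders modelled on the post, not CUCM CLI syntax.

```python
"""Sanity checker for a staged TVS / IPSec certificate regeneration plan on a CUCM cluster.

Added example; not code from the original post or from Cisco. It encodes, as
assumptions, only the ordering rules the posted plan already relies on.
Node names and actions are placeholders modelled on the post.
"""
from dataclasses import dataclass, field

# Service whose restart activates a regenerated certificate (assumed mapping, as in the plan).
ACTIVATING_SERVICE = {"ipsec": "drf", "tvs": "tvs"}
CERT_FOR_SERVICE = {svc: cert for cert, svc in ACTIVATING_SERVICE.items()}


@dataclass
class NodeState:
    tftp_installed: bool                        # TFTP service activated on this node
    tftp_running: bool
    pending: set = field(default_factory=set)   # certs regenerated, service not yet restarted
    tftp_stale: bool = False                    # TVS regenerated since TFTP was last (re)started


def check_plan(steps, tftp_nodes, all_nodes=("pub", "sub1", "sub2")):
    """Walk the plan in order; return a list of problems (an empty list means it is consistent).

    Each step is (action, node, arg):
      ("backup", None, None)
      ("stop_tftp" | "start_tftp" | "restart_tftp", node, None)
      ("regen", node, "ipsec" | "tvs")
      ("restart", node, "drf" | "tvs")
      ("reset_phones", None, node_the_phones_fetch_their_ITL_from)
    """
    state = {n: NodeState(n in tftp_nodes, n in tftp_nodes) for n in all_nodes}
    problems = []
    if not steps or steps[0][0] != "backup" or steps[-1][0] != "backup":
        problems.append("plan must start and end with a cluster backup")
    for num, (action, node, arg) in enumerate(steps, 1):
        if node is not None and node not in state:
            problems.append(f"step {num}: unknown node {node!r}")
            continue
        s = state.get(node)
        if action == "backup":
            continue
        if action == "stop_tftp":
            s.tftp_running = False
            if not any(x.tftp_running for x in state.values()):
                problems.append(f"step {num}: stopping TFTP on {node} leaves no TFTP server running")
        elif action in ("start_tftp", "restart_tftp"):
            if not s.tftp_installed:
                problems.append(f"step {num}: TFTP is not active on {node}")
            if s.pending:
                problems.append(f"step {num}: TFTP on {node} (re)started before {sorted(s.pending)} "
                                "were activated by their service restarts")
            s.tftp_running, s.tftp_stale = True, False
        elif action == "regen":
            s.pending.add(arg)
            if arg == "tvs" and s.tftp_installed:
                s.tftp_stale = True   # served ITL will not reflect the new TVS cert until TFTP restarts
        elif action == "restart":
            cert = CERT_FOR_SERVICE.get(arg)
            if cert not in s.pending:
                problems.append(f"step {num}: restart of {arg} on {node} activates nothing ({cert} not regenerated)")
            s.pending.discard(cert)
        elif action == "reset_phones":
            src = state[arg]
            if not src.tftp_running:
                problems.append(f"step {num}: phones directed to {arg} for their ITL but its TFTP is stopped")
            elif src.tftp_stale:
                problems.append(f"step {num}: phones would load a stale ITL from {arg} "
                                "(TFTP not restarted since its TVS regeneration)")
        else:
            problems.append(f"step {num}: unknown action {action!r}")
    # End-of-plan state: nothing left unactivated, every TFTP server running with current cert info.
    for name, s in state.items():
        if s.pending:
            problems.append(f"end: {name} still has regenerated {sorted(s.pending)} without a service restart")
        if s.tftp_installed and (not s.tftp_running or s.tftp_stale):
            problems.append(f"end: TFTP on {name} is stopped or serving stale certificate information")
    return problems


# The plan from the post, transcribed step by step (pub = Publisher, sub1/sub2 = Subscribers).
POSTED_PLAN = [
    ("backup", None, None),
    ("stop_tftp", "sub1", None),
    ("regen", "pub", "ipsec"), ("restart", "pub", "drf"),    # DRF Local + DRF Master on the Publisher
    ("regen", "pub", "tvs"), ("restart", "pub", "tvs"),
    ("regen", "sub1", "ipsec"), ("restart", "sub1", "drf"),
    ("regen", "sub1", "tvs"), ("restart", "sub1", "tvs"),
    ("reset_phones", None, "sub2"),
    ("start_tftp", "sub1", None),
    ("regen", "sub2", "ipsec"), ("restart", "sub2", "drf"),
    ("regen", "sub2", "tvs"), ("restart", "sub2", "tvs"),
    ("reset_phones", None, "sub1"),
    ("restart_tftp", "sub2", None),
    ("backup", None, None),
]

if __name__ == "__main__":
    for line in check_plan(POSTED_PLAN, tftp_nodes=("sub1", "sub2")) or ["plan is consistent"]:
        print(line)
```

Running it on the posted sequence reports no problems; deleting a step (for instance the final TFTP restart on Subscriber 2, or the TVS service restart on Subscriber 1) is reported with the step at which the inconsistency first shows. The checker says nothing about the alternative ordering in doc 214231, since that would need assumptions about ITL verification that the post does not make.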
03-02-2021 04:00 PM
Hi all,
So in trying to make sure I have my ducks in a row I came across document ID 214231.
The process listed in this doc seems a little different, putting the TFTP restarts at the end and then a big phone restart at the very end, after the TVS cert has been regenerated on all the servers already. Wouldn't this leave the phones without a previous cert to fall back to before being updated by the TVS?
Thanks!