regeneration of TVS and IPSec certificates on Mixed-mode 12.5.1 CUCM

Bob Fitzgerald (Level 4)

Hello all!

I will be regenerating the TVS and IPSec certificates on a customer's CUCM tonight.  This is being done on a Mixed-mode cluster with 1 Publisher and 2 Subscribers. TFTP is active on both Subscribers, not the Publisher. All "phones" (Telepresence endpoints) are registered to Subscriber 1.

This is what I plan on doing:
- Back up the cluster.
- Stop the TFTP service on Subscriber 1.
- Regenerate the IPSec certificate on the Publisher.
- Restart the DRF Local and DRF Master services on the Publisher.
- Regenerate the TVS certificate on the Publisher.
- Restart the TVS service on the Publisher.
- Regenerate the IPSec certificate on Subscriber 1.
- Restart the DRF Local service on Subscriber 1.
- Regenerate the TVS certificate on Subscriber 1.
- Restart the TVS service on Subscriber 1.
- Reset the phones so they get the ITL from Subscriber 2.
- When all phones have registered to Subscriber 2, start the TFTP service on Subscriber 1.
- Regenerate the IPSec certificate on Subscriber 2.
- Restart the DRF Local service on Subscriber 2.
- Regenerate the TVS certificate on Subscriber 2.
- Restart the TVS service on Subscriber 2.
- Reset the phones so they get the ITL from Subscriber 1.
- Restart the TFTP service on Subscriber 2 so it has updated certificate information.
- Back up the cluster again.

I came up with this process based on information in the Security Guide for CUCM version 12.5(1)SU2 and the CUCM Certificate Regeneration/Renewal Process, doc ID 200199. Does it look like I have the steps in the correct order?

Thanks!

Accepted Solution

Bob Fitzgerald (Level 4)

Hi all,

So, in trying to make sure I have my ducks in a row, I came across document ID 214231.

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/214231-certificate-regeneration-process-for-cis.html#anc23

The process listed in this doc seems a little different, putting the TFTP restarts at the end and then a big phone restart at the very end, after the TVS cert has already been regenerated on all the servers. Wouldn't this leave the phones without a previous cert to fall back to before being updated by the TVS?

Thanks!

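The ordering question raised in the plan above and in the follow-up (rolling regeneration with phone resets in between, versus regenerating on every node and resetting the phones once at the end) comes down to whether a phone can still verify the next ITL it downloads. The script below is an added toy model written for this page; it is not Cisco code and not the procedure from doc 200199 or 214231. It assumes a deliberately simplified version of the ITL trust rules: the ITL served by a TFTP node is signed by that node's CallManager certificate; a phone accepts a new ITL if the signer is already in the ITL it holds, and otherwise asks a TVS node listed in its current ITL, which only works while that node's live TVS certificate still matches the phone's entry. The publisher, subscriber and phone names are invented, and IPSec/DRF is not modelled at all since it does not affect phone trust.

```python
from dataclasses import dataclass
from itertools import count

_serial = count(1)


def new_cert(label: str) -> str:
    """Stand-in for a freshly generated self-signed certificate (unique per call)."""
    return f"{label}#{next(_serial)}"


@dataclass
class Node:
    """One CUCM node (hypothetical). Only CallManager and TVS certs are modelled."""
    name: str
    tftp: bool                  # does this node run the TFTP service?
    callmanager: str = ""
    tvs: str = ""

    def __post_init__(self) -> None:
        self.callmanager = new_cert(f"{self.name}/CallManager")
        self.tvs = new_cert(f"{self.name}/TVS")

    def regen(self, which: str) -> None:
        """Regenerate 'callmanager' or 'tvs' on this node."""
        setattr(self, which, new_cert(f"{self.name}/{which}"))


@dataclass
class ITL:
    signer: str                   # CallManager cert of the TFTP node that signed the file
    callmanager_certs: frozenset  # CallManager certs of every node at build time
    tvs_certs: dict               # node name -> TVS cert at build time


def build_itl(serving: Node, cluster: dict) -> ITL:
    """The ITL a TFTP node would hand out right now (assumed structure)."""
    assert serving.tftp, f"{serving.name} is not running TFTP"
    return ITL(
        signer=serving.callmanager,
        callmanager_certs=frozenset(n.callmanager for n in cluster.values()),
        tvs_certs={n.name: n.tvs for n in cluster.values()},
    )


@dataclass
class Phone:
    itl: ITL

    def fetch_itl(self, serving: Node, cluster: dict) -> bool:
        """Phone reset: download the ITL from `serving` and decide whether to trust it."""
        new = build_itl(serving, cluster)
        # Fast path: the signer is already in the ITL the phone holds.
        trusted = new.signer in self.itl.callmanager_certs
        if not trusted:
            # Fallback: ask a TVS node from the *current* ITL. The session to TVS
            # only succeeds if that node's live TVS cert still matches the ITL entry.
            trusted = any(cluster[name].tvs == cert
                          for name, cert in self.itl.tvs_certs.items())
        if trusted:
            self.itl = new
        return trusted


def make_cluster():
    """Publisher without TFTP, two subscribers with TFTP, three phones served by sub1."""
    nodes = [Node("pub", tftp=False), Node("sub1", tftp=True), Node("sub2", tftp=True)]
    cluster = {n.name: n for n in nodes}
    phones = [Phone(build_itl(cluster["sub1"], cluster)) for _ in range(3)]
    return cluster, phones


def rolling_regen(certs) -> bool:
    """Publisher first, then one TFTP node at a time, resetting phones against the
    other TFTP node after each. True if every phone accepted every new ITL."""
    cluster, phones = make_cluster()
    for c in certs:
        cluster["pub"].regen(c)
    ok = True
    for target, other in (("sub1", "sub2"), ("sub2", "sub1")):
        for c in certs:
            cluster[target].regen(c)
        ok = ok and all(p.fetch_itl(cluster[other], cluster) for p in phones)
    return ok


def regen_all_then_reset(certs) -> bool:
    """Regenerate on every node first, then reset all phones against sub1."""
    cluster, phones = make_cluster()
    for node in cluster.values():
        for c in certs:
            node.regen(c)
    return all(p.fetch_itl(cluster["sub1"], cluster) for p in phones)


if __name__ == "__main__":
    print("TVS only, rolling:              ", rolling_regen(("tvs",)))
    print("TVS only, all then reset:       ", regen_all_then_reset(("tvs",)))
    print("CallManager only, all then reset:", regen_all_then_reset(("callmanager",)))
    print("CallManager+TVS, rolling:       ", rolling_regen(("callmanager", "tvs")))
    print("CallManager+TVS, all then reset:", regen_all_then_reset(("callmanager", "tvs")))
```

Under these assumptions, regenerating only the TVS certificate keeps the ITL signer unchanged, so phones accept the new ITL whichever order is used; regenerating only CallManager is rescued by the TVS fallback; and regenerating both on every node before any phone reset is the case that strands the phones, which is what the rolling order (one TFTP node at a time, phones resynced against the other in between) exists to prevent. Before trusting the model on a real cluster, confirm the current certificate on each node with the CUCM CLI (`show cert own tvs`, `show cert own CallManager`) and check an endpoint's ITL status after the first reset rather than after the last.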

