Unity Connection - Certificate from cucm no more trusted for encrypted calls after upgrade to 10.5(1)

r.rung
Level 1

Hello Support Community,

I have a strange problem:

After upgrading my CUCM and Unity Connection from 9.1 to 10.5(1), encrypted calls no longer work.

Situation 1: CUCM is down, Subscriber is up: encrypted calls to Unity Connection work correctly.

Situation 2: CUCM is up: encrypted calls to Unity Connection do not work.

I get the following info in the log for the Connection Conversation Manager:

19:35:21.053 |15865,,,MiuGeneral,25,Invalid Certificate: Received Certificate -----BEGIN CERTIFICATE-----
MIID8zCCAtugAwIBAgIQc/fBdUz1Zdh4CXhcPqGVuDANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJERTELMAkGA1UEChMCSVQxGzAZBgNVBAsTEkhlbGxnYXRlIFRl

....

XD0oD9d5MQ==
-----END CERTIFICATE-----
 doesn't match with stored Certificate: -----BEGIN CERTIFICATE-----
MIIC2DCCAkGgAwIBAgIIJWCm4bSdt+kwDQYJKoZIhvcNAQEFBQAw

...

-----END CERTIFICATE-----

So where does Unity Connection cache this certificate, and how can I delete/replace it?

The cert shown in the logs is the one from CUCM ("CallManager"). I recreated it through CUCM OS Administration; now I see the same error message on Unity Connection for the newly recreated certificate.

1 Reply

bradley.mcrae
Level 1

I'm not a fan of replying to necro-posts, but I've encountered this problem a few times and it caused me a lot of grief figuring out how to fix it.

In the hopes of saving someone else some grief:

This document shows the process of what happens when secure certs are set up between CUC and CUCM.

http://www.cisco.com/c/en/us/support/docs/unified-communications/unity-connection/200504-Configure-and-Troubleshoot-Secure-Integr.html

If you decode the certificates in the MIU SIP Microtraces you can see the certs being compared.

If you look on CUCM in the regular places to find where the certificate originates from, you probably won't see it as it comes from the CUCM CTL.

If you issue a show CTL from the CUCM Publisher you may see the certificate that is listed in the MIU microtrace.

The CTL is retrieved by CUC from CUCM. During the certificate exchange for the SIP Trunk between CUC and CUCM, if there is a difference in CUCM certificates the above error results.

If the CUCM certificates have been regenerated and the cluster is in mixed mode then updating the CTL file on CUCM will update the CTL with the latest certificates.

I had to reboot Unity in order to force it to reload the CTL which resulted in the correct certs being compared and ultimately the TLS SIP trunk coming online.

Brad.
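To act on Brad's pointer about decoding the certificates in the MIU microtrace, here is an added example (my own, not code from this thread or from Cisco) that pulls the "Received" and "stored" PEM blocks out of a trace excerpt and computes their fingerprints, so each can be compared with the fingerprint of the CallManager certificate exported from CUCM (for example via openssl x509 -noout -fingerprint). It assumes the trace line has the shape quoted in the question; the sample trace and its PEM bodies are constructed filler, not real certificates.

```python
import base64
import binascii
import hashlib
import re

# Constructed MIU trace text in the shape of the line quoted in the question above.
# The two PEM bodies are filler bytes, not real certificates.
SAMPLE_TRACE = """19:35:21.053 |15865,,,MiuGeneral,25,Invalid Certificate: Received Certificate -----BEGIN CERTIFICATE-----
UkVDRUlWRURDRVJUMDAxUkVDRUlWRURDRVJUMDAx
-----END CERTIFICATE-----
 doesn't match with stored Certificate: -----BEGIN CERTIFICATE-----
U1RPUkVEQ0VSVDAwMDAxU1RPUkVEQ0VSVDAwMDAx
-----END CERTIFICATE-----
"""

# Label ("Received" or "stored") followed by the PEM block the trace prints for it.
PEM_RE = re.compile(
    r"(Received|stored) Certificate:?\s*-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
    re.DOTALL,
)

def fingerprint_der(der: bytes) -> dict:
    """SHA-1 and SHA-256 fingerprints in the colon-separated form openssl prints."""
    return {
        "sha1": ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest()),
        "sha256": ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest()),
        "der_len": len(der),
    }

def fingerprints(trace: str) -> dict:
    """Map 'received'/'stored' to the fingerprints of each PEM block in a trace excerpt.
    A block whose base64 is invalid (an excerpt shortened with '....', as in the
    post) is reported as an error rather than turned into a bogus fingerprint."""
    out = {}
    for label, body in PEM_RE.findall(trace):
        b64 = "".join(body.split())  # drop the line breaks inside the PEM body
        try:
            der = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            out[label.lower()] = {"error": "PEM body is not valid base64 (truncated excerpt?)"}
            continue
        out[label.lower()] = fingerprint_der(der)
    return out

def certs_match(trace: str) -> bool:
    """True only when both blocks decoded and are byte-identical."""
    fp = fingerprints(trace)
    received = fp.get("received", {}).get("sha256")
    return received is not None and received == fp.get("stored", {}).get("sha256")
```

Paste the full trace line (not a shortened excerpt) into fingerprints() to get usable values; a mismatch between the "received" fingerprint and the CallManager certificate currently on CUCM points at the stale CTL copy Brad describes.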