Certificate and CM upgrade

Unanswered Question
Jun 3rd, 2008

We have a customer who has a single CM cluster, but they want to break it into two separate CCM clusters because of WAN and geographical issues.

When I install the new CCM cluster, we are going to use the same phones they are currently using, but my problem is that right now they are using certificates (CAPF/CTL) to register the phones securely. I have a new set of USB keys with certificates to install on the new cluster; if I install that, all the phones won't register to the new cluster.

Is there any easy way of doing this so I don't have to go to each phone and do a factory reset manually to get the new certificate?

Thanks for your help.


Michael Owuor Wed, 06/04/2008 - 05:37


A suggestion that may work for this is to use BAT to remove the CAPF certificates from the phones that will be migrated to the new cluster.

Hope this helps.



balukr Wed, 06/04/2008 - 06:15


Thanks for your response. The existing CM is 4.1.3; I don't remember seeing that CAPF option in the BAT tool. Please can you guide me on how to do that?

Thanks again.

Michael Owuor Wed, 06/04/2008 - 06:37

Hi Balukr,

Once you log into BAT, select Configure -> Phones -> CAPF Configuration -> Click Next -> Add Phones to Query -> Next -> Certificate Operation = Delete.

Hope this helps.



balukr Wed, 06/04/2008 - 06:48

I don't know how I missed that, thanks.

Just one more question: if I delete the certificates, then that phone should not look for any certificate and it should register like a regular phone, correct? When I move the phones to the new cluster after this, it should get the new certificates and register with the new CAPF, correct?

Many thanks again.

Michael Owuor Wed, 06/04/2008 - 07:05

Yes, Balukr. That's correct. Assuming your cluster is currently in Mixed mode, registration of both secure and non-secure devices is allowed, so they should function in non-secure mode until you are ready to migrate them to the new cluster.

Do perform some testing with one or two phones to prove the concept before migration day.



balukr Tue, 07/08/2008 - 19:46

Even if you delete the certificate, it still stays with the phone; it only removes it from the secured connection to CUCM. To remove the cert permanently, you have to delete it manually from the phone.

Is there any other workaround or any apps we can run so we don't have to go to each phone to delete the certificate?

Keith Fulcher Thu, 07/24/2008 - 06:25

I am having the same problem.....

but I have another question, that kinda applies. The CAPF Server is only on the Publisher (1st Node). What happens if that server dies and you have to reinstall on new hardware. Are the certificates stored also on the subscriber? What happens when that new Publisher is brought online and the new CAPF can't handle the certificates on the phone? How would you get the phones out of rejected status?

balukr Thu, 07/24/2008 - 07:44

As long as you use the same IP and hostname for the PUB and use the same e-tokens, it should work fine.

DWAM_2 Wed, 07/30/2008 - 04:18


Have you found another workaround to delete the certificate on each phone?

Best regards.

Keith Fulcher Tue, 10/14/2008 - 01:20


I am also interested in this topic:

Has anyone found another workaround to delete the certificate on each phone?

