Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Certificate Expiration Notification CallManager 5.1 RTMT Expiry Monitor

Unanswered Question
Mar 29th, 2012
User Badges:


I'm looking for some advice and information.  We are getting notification from RTMT that some certificates are about to expire on our publisher server.  These are tomcat_cert (own), ipsec_cert (own), CalManagerUnit (own), CAPF (own), and CAPF-XXXXXX (trust).  As these are self-generated certificates, will they regenerate automatically upon expiration or do we need to take some action?

Thank you!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
ronpatel Thu, 03/29/2012 - 21:40
User Badges:
  • Blue, 1500 points or more


There is 2 types of certificates, one type is called certificate trust. If the expiring cert is a TRUST (i.e. "CAPF-trust", "CallManager-trust"), you can just click on it, verify that the valid date/time range is expired, and delete it.

The other type is called certificate. If it is certificate type = "certs", then click on the file, and there should be a 'regenerate'option. This will regenerate the certificate and also recreates the new

"CAPF-trust" or "CallManager-trust" certificates with new date/timeranges.

If you are using a Certificate Authority(some people use CA to sign the Tomcat certificate), instead of regenerating the certificates you'll need to click on the certificate, download the CSR, get it signed by your CA and then upload it to CUCM.

So as long as the expired Tomcat certificate is not CA signed certificate, it will be safe to regenerate them.

The impact of the delete/regenerate operation above is minimal. For example, if you delete the trust-cert, then regenerating the corresponding cert will recreate those trust-cert. If you re-generate the cert (for example Tomcat cert), the impact is that you won't see the newly generated certificate when you accessing the CUCM GUI page until

you restarted the 'Cisco Tomcat' service.

Also you don't need to wait before the certificates expire before regenerating.

To check details

Login to platform administration webpage Security > certificate management >
display certificate own certificates > Tomcat > next & IPSEC > next 

If this is production server, you may contact Cisco TAC before proceeding.


Ronak patel

Please rate helpful posts by clicking stars below the answer.


This Discussion