Solved: MIC Certificate Expiration

fgasimzade · ‎01-24-2013

Hello everone!

We are using cisco MIC certificates for TLS between ip phones and Cisco Call Manager.

I was trying to find out the expiration date of these certificates, was unable to find any information.

How can I locate this information in Call Manager?

Thank you!

Aaron Harrison · ‎01-25-2013

Hi

Yes, that's normal - I have lots on my system. Have a look at your 'CAPF' certificate, this should contani an 'issuer' line that refers to one of the CAPF-xxxxx certs. That will be the current one - check the expiry date on that.

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

View solution in original post

Aaron Harrison · ‎01-24-2013

Hi

Go to /cmplatform and log in with your OS Administrator account details.

Go to Security/Certificate Management.

Find cisco_manufacturing.pem and clikc on it. Look for this bit:

Issuer: O=Cisco Systems, CN=Cisco Root CA 2048

Validity

Not Before: Jun 10 22:16:01 2005 GMT

Not After : May 14 20:25:42 2029 GMT

Regards

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

fgasimzade · ‎01-25-2013

Thank you Aaron

Do you know what these certificates are used for?

CAP-RTP-001

CAPF-57bc7a82

CAPF-65724a93

CAPF-8f75286b

CAPF-988de453

CallManager

Some of the CAPF-XXXXX certifactes are expired, can it do any harm? Do I need to change them?

Aaron Harrison · ‎01-25-2013

Hi

These certs:

CAP-RTP-001

CAP-RTP-002

Cisco_Manufacturing_CA

Cisco_Root_CA_2048

Are all from Cisco Manufacturing.

'CallManager' is the certificate used by the CUCM service to identify iftself to the phones; that's what they verify against the ITL.

The CAPF-xxxxxx ones are (as far as I can tell) self-signed certs used as a root certificate to sign the certificate that the CAPF service uses. They seem to renew every year more or less.

My advice would be to not touch any of them - certificates are extremetly important in CM8+ thanks to the introduction of the ITL (https://supportforums.cisco.com/docs/DOC-17679) and you stand a good chance of breaking your cluster if you mess with them.

Unless, of course, it is already broken?

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

fgasimzade · ‎01-25-2013

No, it is not broken, everything is fine.. ))

Just wanted to make sure I wont miss the expiration date.

As I found out half of the CAPF certificates are already expired, half of them expires in 2014, so do I have to renew them?

Aaron Harrison · ‎01-25-2013

On my system they appear to renew every year (I've never asked the system to do this) and have 5-year expiration periods.

Have none of yours renewed in the last year?

Chances are that you aren't even running the CAPF service - have a look in service activation.

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

fgasimzade · ‎01-25-2013

The CAPF service is running, however I am not sure if they were renewed automatically or no. And the expiration periods are 5 years, even for those which are expired now.

Aaron Harrison · ‎01-25-2013

Hi

Yes, that's normal - I have lots on my system. Have a look at your 'CAPF' certificate, this should contani an 'issuer' line that refers to one of the CAPF-xxxxx certs. That will be the current one - check the expiry date on that.

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

fgasimzade · ‎01-25-2013

Yeah, right!

Thank you!