Expired Certificates

pcromwell
Level 3

On CUCM 8.6 we have all certs expired. From reading the docs on forums etc. I am still a bit confused.

1. Do I need to enable the rollback phones to pre-8 parameter and reboot phones?

2. Do I just regenerate Tomcat, reboot phones, then restart TVS, as also mentioned in the docs?

3. Or am I good to regenerate all the certs and not have to reboot phones?

Accepted Solution

1. No, you don't need to; you can use it if you like to remove the ITL altogether while you regenerate the certs.

2. Yes, depending on which certs you need to regenerate, follow the exact order that is explained in the ITL documentation, and do the certs one at a time, one server at a time.

3. If you regenerate all of the certs at the same time, you'll just cause all the phones to stop trusting your servers, and you'll need to delete the ITL manually on every single phone.

Some services will need to be restarted, depending on the certs being regenerated; you'll get the warnings as you do so.

Also, phones will need to reboot to get the new certs. From the docs:

After you regenerate CallManager.pem and restart the TVS and TFTP service, this happens when a phone boots.

HTH

java

if this helps, please rate

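Answers 2 and 3 above in code, as an added simulation that is not part of the original thread or of Cisco's software: a model of how a phone decides whether to install a newly downloaded ITL, built from the Security By Default behaviour described in the technote linked in the thread. The model's assumptions are stated in its docstring; in particular HMAC-SHA256 stands in for the RSA signature on the ITL, and the role names, function names and two-cert cluster are this example's own simplification.

```python
"""Added simulation of the phone-side ITL trust decision. Not CUCM code.
Model (simplified from the Security By Default technote): the ITL lists the
cluster's CallManager (TFTP) and TVS certs and is signed by CallManager.pem.
A phone installs a new ITL if the signature verifies against the CallManager
cert already in its ITL; otherwise it asks TVS to vouch for the signer, which
only works while the TVS cert in its ITL still matches the running TVS.
HMAC-SHA256 stands in for the RSA signature, so Cert.key doubles as public
and private part; the trust logic, not the crypto, is the point here.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    role: str   # "CallManager" or "TVS"
    key: bytes  # stand-in for the key pair

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.key).hexdigest()[:16]


def new_cert(role: str) -> Cert:
    """Regenerating a cert in CUCM means a brand-new key pair."""
    return Cert(role, secrets.token_bytes(32))


@dataclass
class ITL:
    entries: Dict[str, Cert]  # role -> cert the phone may trust
    signer: str               # fingerprint of the CallManager cert that signed it
    signature: str


def _body(entries: Dict[str, Cert]) -> bytes:
    return json.dumps({r: c.fingerprint for r, c in entries.items()}, sort_keys=True).encode()


def build_itl(cluster: Dict[str, Cert]) -> ITL:
    """TFTP rebuilds the ITL from the current certs and signs it with CallManager.pem."""
    cm = cluster["CallManager"]
    return ITL(dict(cluster), cm.fingerprint,
               hmac.new(cm.key, _body(cluster), hashlib.sha256).hexdigest())


def signature_ok(itl: ITL, cert: Cert) -> bool:
    expected = hmac.new(cert.key, _body(itl.entries), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, itl.signature)


class TVS:
    """Trust Verification Service: vouches for certs the cluster currently holds."""
    def __init__(self, cluster: Dict[str, Cert]) -> None:
        self.cluster = cluster  # shared reference, so regenerated certs show up here

    @property
    def cert(self) -> Cert:
        return self.cluster["TVS"]

    def verify(self, cert: Cert) -> bool:
        return cert in self.cluster.values()


class Phone:
    def __init__(self, itl: Optional[ITL]) -> None:
        self.itl = itl  # None means the ITL was deleted from the phone

    def boot(self, downloaded: ITL, tvs: TVS) -> bool:
        """Return True if the phone installs the ITL it just pulled from TFTP."""
        if self.itl is None:  # no ITL at all: trust the first one offered
            self.itl = downloaded
            return True
        known_cm = self.itl.entries["CallManager"]
        if downloaded.signer == known_cm.fingerprint and signature_ok(downloaded, known_cm):
            self.itl = downloaded  # same signer as before: verified locally
            return True
        if tvs.cert != self.itl.entries["TVS"]:
            return False  # TVS changed as well: nobody left to vouch, old ITL stays
        candidate = downloaded.entries.get("CallManager")
        if (candidate is not None and candidate.fingerprint == downloaded.signer
                and tvs.verify(candidate) and signature_ok(downloaded, candidate)):
            self.itl = downloaded  # TVS vouched for the new CallManager cert
            return True
        return False


def fresh_cluster() -> Tuple[Dict[str, Cert], TVS, Phone]:
    cluster = {"CallManager": new_cert("CallManager"), "TVS": new_cert("TVS")}
    return cluster, TVS(cluster), Phone(build_itl(cluster))


def one_at_a_time(order: Tuple[str, str] = ("CallManager", "TVS")) -> List[bool]:
    """Answer 2: regenerate one cert, restart TFTP/TVS, let phones reboot, repeat."""
    cluster, tvs, phone = fresh_cluster()
    results = []
    for role in order:
        cluster[role] = new_cert(role)
        results.append(phone.boot(build_itl(cluster), tvs))
    return results


def all_at_once(delete_itl: bool = False) -> bool:
    """Answer 3: regenerate both before any phone reboots; optionally wipe the ITL."""
    cluster, tvs, phone = fresh_cluster()
    for role in ("CallManager", "TVS"):
        cluster[role] = new_cert(role)
    if delete_itl:
        phone.itl = None
    return phone.boot(build_itl(cluster), tvs)


if __name__ == "__main__":
    print("one at a time:", one_at_a_time())              # [True, True]
    print("all at once:", all_at_once())                  # False
    print("all at once, ITL deleted:", all_at_once(True))  # True
```

Run it and the two paths diverge exactly as the answer says: regenerating CallManager.pem and TVS.pem one at a time keeps the phone trusting the cluster, regenerating both before the phones reboot leaves the phone stuck with its old ITL, and only deleting the ITL on the phone gets it to accept the new one. The simplified model accepts either order of the two certs; the real procedure still follows the documented order, as the answer says.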


Jitender Bhandari
Cisco Employee

Hi,

The rollback parameter is part of the "Security By Default" feature, which was introduced in CUCM 8.0 and has nothing to do with your certificates being expired; see below for details regarding "Security By Default".

http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/116232-technote-sbd-00.html

For cert regeneration, check the link below.

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html#anc1

HTH

JB

That is exactly why I said I have read the docs. The last link you sent is the doc I referred to.

It is not clear. The reason I ask the below is that the document confusingly states to enable rollback and also to watch out for restarting the TVS service, as the phones need to see the existing key before accepting the new certs. The cluster is not in mixed mode.

1. Do I need to enable the rollback phones to pre-8 parameter and reboot phones?

2. Do I just regenerate Tomcat, reboot phones, then restart TVS, as also mentioned in the docs?

3. Or am I good to regenerate all the certs and not have to reboot phones?

Can anyone confirm the steps required?


Perfect, thanks Jaime
