09-15-2016 02:28 AM - edited 03-19-2019 11:35 AM
On CUCM 8.6 we have all certs expired. From reading the docs on the forums etc., I am still a bit confused.
1. Do I need to enable the rollback phones to pre-8 parameter and reboot phones?
2. Do I just regenerate tomcat, reboot phones, then restart TVS as also mentioned in the docs?
3. Or am I good to regenerate all the certs and not have to reboot phones?
09-20-2016 09:18 AM
1. No, you don't need to; you can use it if you like to remove the ITL altogether while you regenerate the certs.
2. Yes, depending on which certs you need to regenerate, follow the exact order that is explained in the ITL documentation, and do the certs one at a time, one server at a time.
3. If you regenerate all of the certs at the same time, you'll just cause all the phones to stop trusting your servers, and you'll need to delete the ITL manually on every single phone.
Some services will need to be restarted, depending on the certs being re-generated, you'll get the warnings as you do so.
Also, phones will need to reboot to get the new certs, from the docs:
After you regenerate CallManager.pem and restart the TVS and TFTP service, this happens when a phone boots.
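The answer above hinges on knowing which certificates are actually expired (or about to expire) before touching anything, and on being able to tell an old cert from its regenerated replacement. The following script is an added example, not from this thread or from Cisco's documentation: it reports expiry state and SHA-1 fingerprint for CUCM certificates that you have exported as PEM files from OS Administration, using only `openssl`. The `WARN_DAYS` threshold, the function names, and the `make_demo_cert` helper that builds constructed self-signed test certificates are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or Cisco docs): check exported CUCM certificate
# PEM files for expiry and print their fingerprints. Assumed threshold: 30 days.
WARN_DAYS=${WARN_DAYS:-30}

# cert_state FILE -> prints "expired", "expiring" or "ok".
# Exit status: 0 for ok, 1 for expiring within WARN_DAYS, 2 for already expired.
# -checkend N asks openssl whether the cert expires within the next N seconds.
cert_state() {
    pem=$1
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
        return 2
    fi
    if ! openssl x509 -in "$pem" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null 2>&1; then
        echo expiring
        return 1
    fi
    echo ok
}

# cert_report FILE... -> one line per cert: state, notAfter, SHA-1 fingerprint, subject.
# Returns nonzero if any cert is expired or expiring, so it can gate a change window.
# The fingerprint is what lets you tell a regenerated cert from the old one on disk.
cert_report() {
    rc=0
    for pem in "$@"; do
        state=$(cert_state "$pem") || rc=1
        enddate=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)
        fp=$(openssl x509 -in "$pem" -noout -fingerprint -sha1 | cut -d= -f2)
        subj=$(openssl x509 -in "$pem" -noout -subject)
        printf '%-8s notAfter=%s  sha1=%s  %s  (%s)\n' \
            "$state" "$enddate" "$fp" "$subj" "$pem"
    done
    return $rc
}

# make_demo_cert OUT.pem CN DAYS : constructed self-signed cert for testing this script
# offline. Real CUCM certs come from OS Administration > Security > Certificate
# Management > Download, never from this helper.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${1%.pem}.key" -out "$1" \
        -days "$3" -subj "/CN=$2" >/dev/null 2>&1
}

# Usage: sh cucm_cert_check.sh tomcat.pem CallManager.pem CAPF.pem ...
if [ $# -gt 0 ]; then
    cert_report "$@"
fi
```

Run it once against the exported certs before regenerating anything, save the output, and run it again after each regeneration step: a changed SHA-1 fingerprint confirms the cert on the node really was replaced, and an unchanged one tells you the step did not take effect before you restart TVS or TFTP.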
09-15-2016 05:08 AM
Hi,
The roll back parameter is part of the "Security By Default" feature which was introduced in CUCM 8.0, which has nothing to do with your certificates being expired; see below for details regarding "Security By Default".
http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/116232-technote-sbd-00.html
for cert regeneration check the link below.
https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html#anc1
HTH
JB
09-15-2016 06:24 AM
That is exactly why I have said I have read the docs. the last link you sent is the doc I referred to.
It is not clear. The reason I ask the below is that the document confusingly states to enable rollback and also to watch out for restarting the TVS service, as the phones need to see the existing key before accepting the new certs. The cluster is not in mixed mode.
1. Do I need to enable the rollback phones to pre-8 parameter and reboot phones?
2. Do I just regenerate tomcat, reboot phones, then restart TVS as also mentioned in the docs?
3. Or am I good to regenerate all the certs and not have to reboot phones?
09-20-2016 12:41 AM
Can anyone confirm the steps required?
09-20-2016 10:32 AM
Perfect, thanks Jaime