Expired Certificates

Answered Question
Sep 15th, 2016

On CUCM 8.6 we have all certs expired. From reading the docs on the forums etc. I am still a bit confused.

1. Do I need to enable the rollback phones to pre-8 parameter and reboot phones?

2. Do I just regenerate Tomcat, reboot phones, then restart TVS as also mentioned in the docs?

3. Or am I good to regenerate all the certs and not have to reboot phones?

Jitender Bhandari (Cisco Employee) Thu, 09/15/2016 - 05:08

Hi,

The rollback parameter is part of the "Security By Default" feature, which was introduced in CUCM 8.0 and has nothing to do with your certificates being expired; see below for details regarding "Security By Default".

http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/u...

For cert regeneration check the link below.

https://www.cisco.com/c/en/us/support/docs/unified-communications/unifie...

HTH

JB

pcromwell Thu, 09/15/2016 - 06:24

That is exactly why I said I have read the docs. The last link you sent is the doc I referred to.

It is not clear. The reason I ask the questions below is that the document confusingly states to enable rollback and also to watch out for restarting the TVS service, as the phones need to see the existing key before accepting the new certs. The cluster is not in mixed mode.

1. Do I need to enable the rollback phones to pre-8 parameter and reboot phones?

2. Do I just regenerate Tomcat, reboot phones, then restart TVS as also mentioned in the docs?

3. Or am I good to regenerate all the certs and not have to reboot phones?

Correct Answer
Jaime Valencia (Cisco Employee, Hall of Fame 2011) Tue, 09/20/2016 - 09:18

1. No, you don't need to; you can use it if you like to remove the ITL altogether while you regenerate the certs.

2. Yes, depending on which certs you need to regenerate, follow the exact order that is explained in the ITL documentation, and do the certs one at a time, one server at a time.

3. If you regenerate all of the certs at the same time, you'll just cause all the phones to stop trusting your servers, and you'll need to delete the ITL manually on every single phone.

Some services will need to be restarted, depending on the certs being regenerated; you'll get the warnings as you do so.

Also, phones will need to reboot to get the new certs. From the docs:

After you regenerate CallManager.pem and restart the TVS and TFTP service, this happens when a phone boots.
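As an added illustration of the answer above (this is not code from the thread, from Cisco, or from the ITL documentation), the following Python model shows why regenerating certificates one at a time keeps phones trusting the cluster, while regenerating everything at once leaves every phone with a stale ITL that only a manual delete can clear. The model assumes, for the sake of illustration only, that the phone's ITL holds the CallManager and TVS certs and is signed by the CallManager key, and that a phone installs a new ITL only when the signer key is already in its ITL or when the TVS service vouches for the signer while presenting a TVS cert the phone already trusts. The real Security By Default mechanism has more moving parts (TFTP, CTL, mixed mode, the exact regeneration order the docs prescribe), so treat this as a model of the trust-overlap principle, not of the phone firmware's actual logic; the `Cluster`, `Phone`, `rollover` names and the `*-key-N` identifiers are all constructed here.

```python
"""Simplified model of ITL trust rollover (added illustration, not Cisco's code).

Model assumptions (constructed for this example, not taken from the thread or docs):
- the phone's trust list (ITL) holds the CallManager and TVS certs and is
  signed by the CallManager key;
- a phone installs a new ITL only if the signer key is already in its ITL, or
  if the TVS service vouches for the signer while presenting a TVS cert the
  phone already trusts.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 cert: the owning service plus a key identifier."""
    service: str  # "CallManager" or "TVS"
    key_id: str   # stands in for the public-key fingerprint


@dataclass(frozen=True)
class TrustList:
    """Stand-in for the ITL: the cluster's certs, signed by the CallManager key."""
    certs: tuple
    signer_key_id: str


class Cluster:
    """The cluster's current certs; regenerate() replaces one or more keys."""

    def __init__(self):
        self.generation = 1
        self.certs = {
            "CallManager": Cert("CallManager", "callmanager-key-1"),
            "TVS": Cert("TVS", "tvs-key-1"),
        }

    def regenerate(self, *services):
        """Issue a new key for each named service (one call = one maintenance step)."""
        self.generation += 1
        for service in services:
            self.certs[service] = Cert(service, f"{service.lower()}-key-{self.generation}")

    def trust_list(self):
        return TrustList(tuple(self.certs.values()), self.certs["CallManager"].key_id)

    def tvs_vouches(self, key_id):
        """TVS confirms a key only if it belongs to a cert the cluster holds right now."""
        return any(c.key_id == key_id for c in self.certs.values())


class Phone:
    """A phone that already has an ITL from the cluster installed."""

    def __init__(self, initial):
        self.itl = initial

    def known_keys(self):
        return {c.key_id for c in self.itl.certs}

    def trusted_tvs_key(self):
        return next(c.key_id for c in self.itl.certs if c.service == "TVS")

    def boot(self, cluster):
        """Download the current ITL and install it only if its signature verifies."""
        new = cluster.trust_list()
        if new.signer_key_id in self.known_keys():
            self.itl = new
            return True
        # Unknown signer: ask TVS, but only trust TVS if it presents a cert we know.
        tvs_is_trusted = cluster.certs["TVS"].key_id == self.trusted_tvs_key()
        if tvs_is_trusted and cluster.tvs_vouches(new.signer_key_id):
            self.itl = new
            return True
        return False  # phone keeps its stale ITL and stops trusting the servers

    def delete_itl(self, cluster):
        """The manual recovery from the answer: with no ITL, the next boot takes the list blindly."""
        self.itl = cluster.trust_list()


def rollover(services, all_at_once=False):
    """Return True if a phone still trusts the cluster after regenerating `services`."""
    cluster = Cluster()
    phone = Phone(cluster.trust_list())
    if all_at_once:
        cluster.regenerate(*services)
        return phone.boot(cluster)
    for service in services:  # one cert at a time, letting phones re-verify in between
        cluster.regenerate(service)
        if not phone.boot(cluster):
            return False
    return True


if __name__ == "__main__":
    print("one at a time:", rollover(("CallManager", "TVS")))        # True
    print("all at once:  ", rollover(("CallManager", "TVS"), True))  # False
```

In the one-at-a-time run the phone never meets two unknown keys at once: either the new ITL is signed by a key it already holds, or the still-trusted TVS cert lets it verify the new signer. Regenerating both at once removes every overlap, so the phone rejects the new ITL on every boot, which is the "delete the ITL manually on every single phone" outcome from the answer.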