Regenerate expired certificates on CUCM cluster

Unanswered Question
Feb 23rd, 2017
User Badges:


We have a customer, that have a large CUCM cluster, where most of the self-sighed certificates has expired. :-/

I know that we need to regenerate the certificates outside normal business hours, but the customer is running a 24 hour operation.

So we would have to break this down in small bits, because we have about 10K phones in the cluster.

We are not running in Cluster Secure Mode, and there's no phones connected to the Publisher. They are only connected to the subscribers.

So could we start with regenerating the certificates on the publisher without every phone rebooting?

And then take every subscriber one at the time within a scheduled maintenance window?  

It's all the certificates that need to be regenerated. Callmanager, TVS, IPsec etc etc.

CUCM version is 10.5.2

best regards


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Kim Nielsen Fri, 02/24/2017 - 02:14
User Badges:

Hi Jitender,

Thanks, I have already had a look at both those links. :)

But I don't see anywhere in the document, if you could regenerate the certificate on the Publisher without it having any impact on the phones. In my situation there's no phones connected to the Publisher. Phones are only connected to subscribers.

I found a document on the salesconnect site, which is pointing towards, that I could regenerate the phones without any trouble.

But I'm still not quite convinced.

When I'm reading the PDF (page 77-85), then I'm thinking that I can regenerate the IPsec and ccm certificate on the publisher without impact, because the publisher is not running the ccm servervice, and don't have any phones connected to it. IPsec would require me to restart the  DRF services, but this has no impact.

Regenerating the TVS certificate would give me problems. I think that would prompt all the phone into restarting. But again not sure.

Regenerating the CAPF should be possible, if the CAPF service it not activated. Could you then just stop it on the servers?


steve.hammes Thu, 05/18/2017 - 13:33
User Badges:

Hi Kim,

IPSEC and can be done at any time with no impact to users. Like you said, restart the DR components, take a backup, and you're set.

callmanager and TVS should be done a good deal of time apart. I actually like to wait a few weeks on the off-chance that any straggler devices can come back online. Any devices that had been previously registered and taken offline will require the ITL file to be deleted once both callmanager and TVS have been regenerated.

In my experience, even if there aren't any phones registered to the pub, all phones in the environment will restart. You'll want to restart the callmanager and TFTP services (callmanager cert is used to sign files), as well as the TVS service so that it has an updated list of the installed certs.

If you're not using CAPF, that can be done at any time.

Hope this helps,


Steve H.

steve.hammes Thu, 05/18/2017 - 13:37
User Badges:

I forgot to mention that CTI Manager will also need to be restarted as it also uses the callmanager cert. I also will bounce all phones in a cluster after I'm done with cert work by going to Enterprise Parameters and using the reset button. You can verify that phones have gotten the updated certs using the methods found on teh Security by Default page. If this process goes sideways, you can call TAC and they may be able to run their tools to help get the phones back, but remember to take backups and make sure you have all of your ITL recovery keys backed up separately (some bugs have kept these from being backed up).


This Discussion

Related Content