Cisco Support Community

Replacing CAPF Certificates

I would like to tell you:

There is not a replacement process as such; these certificates get regenerated automatically, and there is already one being used.

The cert that you see right now is just a leftover and can be deleted safely. It does not need to be replaced because it already HAS been replaced when the CAPF cert was regenerated.

I would like to inform you that CAPF certificates are not used for anything until and unless you have a secure cluster, and since we do not have a secure cluster, these certificates are not being used for anything.

We can see that the real CAPF certificate is the file with the name of CAPF.pem:


Any CallManager-trust or CAPF-trust certificate whose name does not end in the currently active string CAPF-44f71bf3 (this will vary based on what your CAPF.pem shows) can be deleted.

In this lab system we can safely delete




If we regenerate the CAPF.pem certificate again, we get yet another CAPF.pem cert with a new random string. This becomes the new cert and replaces the old ones:


Then we have even more obsolete certs on the box that can be deleted:


These certificates are kept around in case there are LSCs out in the field on phones that have been signed by the older CAPF certificates.

If the cluster is not in secure mode they can be deleted.

If the cluster is in secure mode then all of the LSCs that were signed by the old CAPF cert must be regenerated before deleting the old CAPF certificate for phone security to continue working.
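The two rules above (stale CAPF-* trust entries are deletable outright in a non-secure cluster, but in a secure cluster only once no phone still holds an LSC that the old CAPF cert signed) as an added example; this is not Cisco's code. The active CN CAPF-44f71bf3 is the one from the article, while the trust-store list and the phone-to-LSC-issuer mapping are constructed sample data.

```python
import re
from dataclasses import dataclass, field

# Added example, not Cisco's code. The active CAPF CN is the one the article
# shows; the trust-store entries and phone LSC issuers are constructed samples.
ACTIVE_CAPF_CN = "CAPF-44f71bf3"
CAPF_CN_RE = re.compile(r"^CAPF-[0-9a-f]+$")

# (trust store, certificate CN) as listed under OS Administration > Certificate Management
TRUST_STORE = [
    ("CallManager-trust", "CAPF-44f71bf3"),   # copy of the active CAPF cert
    ("CAPF-trust", "CAPF-44f71bf3"),
    ("CallManager-trust", "CAPF-1a2b3c4d"),   # left over from an earlier regeneration
    ("CAPF-trust", "CAPF-9f8e7d6c"),          # left over, but a phone below still carries its LSC
    ("CallManager-trust", "CallManager"),     # not a CAPF cert, ignored here
]

# phone device name -> issuer CN of the LSC currently installed on that phone (constructed)
PHONE_LSC_ISSUERS = {
    "SEP001122334455": "CAPF-9f8e7d6c",
    "SEP0011223344AA": "CAPF-44f71bf3",
}

@dataclass
class CleanupPlan:
    keep: list = field(default_factory=list)       # the active CAPF cert, never deleted
    deletable: list = field(default_factory=list)  # stale and no phone LSC depends on it
    blocked: list = field(default_factory=list)    # stale but phones still carry LSCs it signed

def phones_needing_new_lsc(active_cn, phone_lsc_issuers):
    """Phones whose LSC was signed by a CAPF cert other than the active one."""
    return sorted(p for p, issuer in phone_lsc_issuers.items() if issuer != active_cn)

def plan_capf_cleanup(active_cn, trust_store, secure_cluster, phone_lsc_issuers):
    """Classify CAPF-* trust entries. In a non-secure cluster LSCs are not used,
    so every stale entry is deletable; in a secure cluster an entry stays blocked
    until the phones still holding an LSC it signed have been re-issued."""
    plan = CleanupPlan()
    in_use = set(phone_lsc_issuers.values()) if secure_cluster else set()
    for store, cn in trust_store:
        if not CAPF_CN_RE.match(cn):
            continue
        if cn == active_cn:
            plan.keep.append((store, cn))
        elif cn in in_use:
            plan.blocked.append((store, cn))
        else:
            plan.deletable.append((store, cn))
    return plan

if __name__ == "__main__":
    plan = plan_capf_cleanup(ACTIVE_CAPF_CN, TRUST_STORE, True, PHONE_LSC_ISSUERS)
    print("delete now:", plan.deletable)
    print("re-issue LSCs first:", plan.blocked, phones_needing_new_lsc(ACTIVE_CAPF_CN, PHONE_LSC_ISSUERS))
```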

Version history: revision 1 of 1, last update 08-03-2011 07:53 AM

One other item to note, if you are using ASA Phone Proxy with a secure cluster, you'll also need to upload the new CAPF certificate into the ASA and generate the CTL file again in order for your phone proxy to continue working in secure mode.


Thanks for the article.

So once regenerated, to get the new CAPF-xxxxxxx cert onto the phone, you would need to re-run the CTL client and configure the phone back to install/upgrade By Existing Certificate (precedence to LSC)?

... and then delete the old CAPF-xxxxx cert?


Hello Friends,

I have some expired certificates and I would like to regenerate them in a secure way.

Certificate Name   Certificate Type   .PEM File         .DER File         Description
CAPF               certs              CAPF.pem          CAPF.der          Self-signed certificate generated by system
CallManager        certs              CallManager.pem   CallManager.der   Self-signed certificate generated by system
ipsec-trust        trust-certs        Modelo1.pem       Modelo1.der       Trust Certificate
ipsec              certs              ipsec.pem         ipsec.der         Self-signed certificate generated by system
tomcat             certs              tomcat.pem        tomcat.der        Self-signed certificate generated by system


Is it possible to regenerate them without any problem? What's the right procedure?