Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4790
Views
25
Helpful
9
Replies

Call Manager Certificates

Go to solution
gene.evans
Level 1
Level 1

‎01-02-2014 11:33 AM - edited ‎03-16-2019 09:04 PM

What is the difference between regenerating a certificate and requesting a CSR?  The tomcat.pem and CallManager.pem are due and I would like to just regenerate them.  I am running 8.6.2000.  I just want to make sure that regenerating will not cause a problem and understand the difference.

Labels:
0 Helpful
4 Accepted Solutions

Accepted Solutions

Go to solution
Chris Deren
Hall of Fame
Hall of Fame

‎01-02-2014 02:47 PM

Are these self signed certs or certs signed by your CA?

Chris

Sent from Cisco Technical Support iPhone App

View solution in original post

0 Helpful

Go to solution
Gordon Ross
Level 9
Level 9

‎01-03-2014 12:15 AM

If you regenerate a certificate, CUCM will sign the certificate itself.

If you generate a CSR, then some other CA has to sign the CSR to turn it into a certificate.

Getting CUCM to self-sign is less work: But does result in various browser warnings about untrusted certificates.

Using a CA, you avoid browser warnings.

Note, that you don't have to use a commercial CA to sign these certificates. You can run your own CA (and import that certificate into your browsers, etc).

Setting up your own CA isn't too hard, and does make things neater in the long run.

GTG

Please rate all helpful posts.

Please rate all helpful posts.

View solution in original post

Go to solution
Joseph Martini
Cisco Employee
Cisco Employee
In response to Gordon Ross

‎01-03-2014 06:01 AM

To add to the concern about not causing problems, if you are regenerating certificates on CUCM 8.6(2) regenerating the tomcat certificate and/or CallManager certificate will cause all of your phones to reset immediately.  This is a safely precaution to void issues with the Initial Trust List (ITL) on the phones not being updated.  When regenerating certificates be sure to regenerate one at a time, and allow the phones to reset in between before regenerating the next certificate.  For example on your publisher if you regenerate the call manager certificate, wait for the phones to reset and register back before clicking the regenerate button for the tomcat certificate.  Once the phones are back up and registered, you can regenerate the tomcat certificate and again wait for the phones to register back.  Then you can do the same on the rest of your nodes again only regenerating one certificate at a time.  This will help prevent a loss of trust between the phone and the CUCM servers.

Here's some more information about the correct process for regenerating certificates and things to be aware of,

https://supportforums.cisco.com/docs/DOC-17679#Regenerating_Certificates__Rebuilding_a_Cluster__Certificate_Expiry.

View solution in original post

Go to solution
Gordon Ross
Level 9
Level 9
In response to Joseph Martini

‎01-03-2014 06:07 AM

I'm not so sure about the Tomcat cert causing phones to reboot.

By co-incidence, I updated the Tomcat cert on all the servers in my cluster this morning: Not a single phone reboot. (This is on a 9.1 cluster)

Back when I was on 8.6.something, there was one cert which, when I regenerated, caused every phone in the cluster to reboot. Can't remember which cert that was, unfortunately :-(

GTG

Please rate all helpful posts.

View solution in original post

9 Replies 9

Go to solution
Chris Deren
Hall of Fame
Hall of Fame

‎01-02-2014 02:47 PM

Are these self signed certs or certs signed by your CA?

Chris

Sent from Cisco Technical Support iPhone App

0 Helpful

Go to solution
Gordon Ross
Level 9
Level 9

‎01-03-2014 12:15 AM

If you regenerate a certificate, CUCM will sign the certificate itself.

If you generate a CSR, then some other CA has to sign the CSR to turn it into a certificate.

Getting CUCM to self-sign is less work: But does result in various browser warnings about untrusted certificates.

Using a CA, you avoid browser warnings.

Note, that you don't have to use a commercial CA to sign these certificates. You can run your own CA (and import that certificate into your browsers, etc).

Setting up your own CA isn't too hard, and does make things neater in the long run.

GTG

Please rate all helpful posts.

Please rate all helpful posts.

Go to solution
Joseph Martini
Cisco Employee
Cisco Employee
In response to Gordon Ross

‎01-03-2014 06:01 AM

To add to the concern about not causing problems, if you are regenerating certificates on CUCM 8.6(2) regenerating the tomcat certificate and/or CallManager certificate will cause all of your phones to reset immediately.  This is a safely precaution to void issues with the Initial Trust List (ITL) on the phones not being updated.  When regenerating certificates be sure to regenerate one at a time, and allow the phones to reset in between before regenerating the next certificate.  For example on your publisher if you regenerate the call manager certificate, wait for the phones to reset and register back before clicking the regenerate button for the tomcat certificate.  Once the phones are back up and registered, you can regenerate the tomcat certificate and again wait for the phones to register back.  Then you can do the same on the rest of your nodes again only regenerating one certificate at a time.  This will help prevent a loss of trust between the phone and the CUCM servers.

Here's some more information about the correct process for regenerating certificates and things to be aware of,

https://supportforums.cisco.com/docs/DOC-17679#Regenerating_Certificates__Rebuilding_a_Cluster__Certificate_Expiry.

Go to solution
Gordon Ross
Level 9
Level 9
In response to Joseph Martini

‎01-03-2014 06:07 AM

I'm not so sure about the Tomcat cert causing phones to reboot.

By co-incidence, I updated the Tomcat cert on all the servers in my cluster this morning: Not a single phone reboot. (This is on a 9.1 cluster)

Back when I was on 8.6.something, there was one cert which, when I regenerated, caused every phone in the cluster to reboot. Can't remember which cert that was, unfortunately :-(

GTG

Please rate all helpful posts.

Go to solution
Joseph Martini
Cisco Employee
Cisco Employee
In response to Gordon Ross

‎01-03-2014 06:20 AM

You're right!  It's the TVS certificate not the tomcat certificate.  This is documented by https://tools.cisco.com/bugsearch/bug/CSCue55353/.  Regenerating the following certificates cause the phones to reset TVS/CCM/CAPF.

0 Helpful

Go to solution
jredden@jsitelecom.us
Level 1
Level 1
In response to Gordon Ross

‎12-13-2018 06:30 AM

Gordon,

 

So I will ALWAYS see the "site not trusted" if it's self signed UNLESS I use a 3rd party cert or host a CA and import to our browsers, correct?  It's my browser trying to authenticate the cert with a 3rd party who has no idea what it is and therefor shows it as "unsafe", correct?  

 

Question:  If we get a 3rd party cert, what kind is needed (wildcard, etc.) and which tomcat cert is it needed on to remove the web login errors?

 

Thanks,

 

Jon

0 Helpful

Go to solution
gene.evans
Level 1
Level 1

‎01-03-2014 06:09 AM

This is great information. I have two main certs that I will regenerate.  The Tomcat.Pem and CallManager.PEM, this will update the trust certs for the Node.  From what I am reading it is ok to regenerate the Tomcat.PEM and The CallManager.PEM to make them self signed.  I am alos going to restart each server after the certificates for each have been updated.  On other clusters I have waited for each certificate to update and phones to reboot, this was a critical step.  I think I understand now, thanks everyone for your help.

0 Helpful

Go to solution
gene.evans
Level 1
Level 1
In response to gene.evans

‎01-03-2014 06:10 AM

The cert that causes the phones to reboot is CallManager.pem if any of the phones are using the cert from that node.  I found that out on my last cluster.  The call manager service also restarts as soon as the CallManager.pem is updates.

0 Helpful

Go to solution
Joseph Martini
Cisco Employee
Cisco Employee
In response to gene.evans

‎01-03-2014 06:22 AM

Right, the new certificate is not "in use" until the service the certificate belongs to  is restarted (example the callmanager.pem and the CallManager service).

0 Helpful
Customers Also Viewed These Support Documents