Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CUCM 10.5 migration with BCD Bulk Certificate question

We are migrating one of our customers CUCM from 8.6 to 10.5 using PCD. Since customer wants move this to new UCS server and move to DC we have to change the hostname and IP address of the servers as well. We finished the migration over the weekend, since we did a network migration with PCD I didn't do the last step of shutting down the current 8.6 PUB and SUB servers so it  did not pause for Bulk certificate changes. This coming weekend we are cutting them over to new CUCM  and I'm little confused on the Bulk Certificate process, here is what I'm planning to do let me know if this is going to cause any issues

1. Migrate the Bulk Certificate Process using this procedure and change the TFTP Ip address on the DHCP and reset the phones from current CUCM and hoping it will register to the new CUCM. Is this the correct way to do it or am I missing something here please let me know.

Bulk Certificate Management

For information on performing a CTL update, see the “Security basics” section in Cisco Unified Communications Manager Security Guide: http:/​/​​en/​US/​products/​sw/​voicesw/​ps556/​prod_​maintenance_​guides_​list.html

Bulk certificate management must be done manually on both source nodes and destination nodes. Both source nodes and destination nodes must be up and running at this point. Phones are registered with the source nodes.

Follow the steps in the sections below to manage certificates on destination and source nodes.


    Step 1  On the Destination Cluster Publisher, navigate to Cisco Unified Operating System Administration and choose Security > Bulk Certificate Management.
    Step 2  Define the Central SFTP server IP address, port, user, password, and directory.
    Step 3  Use the Export button to export all TFTP certificates from the destination cluster to the central SFTP server.
    Step 4  On the Source Cluster Publisher, navigate to Cisco Unified Operating System Administration. Select Security > Bulk Certificate Management.
    Step 5   Define the Central SFTP server with same parameters used in Step 2.
    Step 6   Click the Export button to export all TFTP certificates from source cluster to the central SFTP server.
    Step 7  Click the Consolidate button to consolidate all the TFTP certificates on the central SFTP server. This step can be performed on either the source or destination cluster, using the Bulk Certificate Management interface.
    Step 8   On the Source cluster, click the Bulk Certificate Import button to import the TFTP certificates from the central SFTP server.
    Step 9   On the Destination cluster, click the Bulk Certificate Import button to import the TFTP certificates from the central SFTP server.
    Step 10  

    Use DHCP option 150, or some other method, to point the phones to the new destination cluster TFTP server. Upon reset or power cycle, the phones will download the new destination cluster ITL file and attempt to authenticate the new ITL file signature with the certificates in the existing ITL file. No certificate in the existing ITL file can be used to authenticate the signature, so the phone requests the signer's certificate from the old TVS server on the source cluster. The phone sends this request to the source cluster TVS service on TCP port 2445. The bulk certificate exchange in steps 1 through 9 provides the TVS service in the source cluster with the TFTP certificate on the destination cluster that signed the new ITL file. TVS returns the certificate to the phone, which allows the phone to authenticate the signature and replace the old ITL file with the newly downloaded ITL file. The phone can now download and authenticate the signed configuration files from the new destination cluster.


    Thanks for your help.

    Everyone's tags (1)
    18 REPLIES

    Make sure to do the export

    Make sure to do the export from both clusters and then you only run the consolidate from one cluster.  After that, you import to both clusters.

    New Member

    Brian,Thanks for your quick


    Thanks for your quick response. Just to clarify I have to do this at the time of cut over before I restart the phones to register to new CUCM 10.x correct?

    Thanks for your help again.

    Yea, you need to have this

    Yea, you need to have this done before you change the TFTP cluster over to the new server or else the phones will just stay registered to the old cluster.

    New Member

    Thanks again for your quick

    Thanks again for your quick response.

    New Member

    Hi,Were you able to


    Were you able to successfully complete certificate consolidation on both clusters?

    Did you run into any issues?



    New Member

    We still had issues old phone

    We still had issues old phone models no problems but all other models we had some issues we ended up changing the CM servers back to old IP to fix the issue.

    New Member

    Thanks, you followed the

    Thanks, you followed the procedure from security guide and still had issues with ITL?

    Did you have TAC troubleshoot on this?

    could you please specify the phone models you ran issues with authentication of new cluster.

    I am going to have new SIP phones on the 10.5 cluster and SCCP phones from old cluster.

    Will perform bulk certificate anytime this weekend. Do let me know, your experience.




    New Member

    We were able to successfully

    We were able to successfully migrate phones (7911/41/61/42/62) from 8.0.3 to 10.5.2, with no issues.

    We exported the bulk certs from both clusters, consolidated and then imported in 8.0 cluster.

    Change DHCP option 150 and then reset all the phones.


    New Member

    Hi Smiulla,

    Hi Smiulla,

    when I press the Consolidation button in the old cluster I got the error message "Sftp operation failure".

    I have found that there was a but w/ similar issue : CSCua20054

    somebody know what it is the root cause for this? thanks.


    This may just be SFTP server

    This may just be SFTP server issues.  What do the logs show on your SFTP server?

    New Member


    I have tested with freeFTP (windows) and SSH-2.0-OpenSSH_6.7p1 Debian-5
    Attached the log file and sshd_config
    thanks a lot.

    It looks like the log file

    It looks like the log file didn't attach.

    New Member

    I loaded it with not allowed

    I loaded it with not allowed file type.

    now, I loaded into zip file.


    Not a lot of detail in the

    Not a lot of detail in the log about while files are being accessed.  You may want to check your directory and file permissions so the SFTP users has Read/Write privileges.

    New Member

    The problem is that the

    The problem is that the security libraries in 8.x and 10.5.2+ are incompatible. This is why you cannot consolidate the certificates by using the older version. However, you can consolidate them through the new cluster but then you will not be able to import the BULK store back to the old version.

    More details -> CSCuy43181

    New Member

    Hi Dilyan,

    Hi Dilyan,

    thanks. the bug have the same date that I opene the case. finally I used the paramenter of rollback pre-version 8 and I have not problems for migrate the phones from CUCM 8 cluster to CUCM 10.5.

    Hi Balukr,

    Hi Balukr,

    I will have to migrate the old cluster 8.6.2 to new 11.5. So, the old cucm will need to be up after migration, then I will migrate to a different ip address in the new cluster.

    My doubt is about the Bulk Certificate mangement, in the step of Task to migration via PCD> the process will stop to bulk certificate and consolidate insite of old CUCM. After do that, I would like migrate the phones by step to new cluster, because there are a lot of sites in different timezones.

    I will need to mantaining the both server up until I move all phones to new cluster?

    Are there onother or different way to migrate the certificates to new cluster?

    Best regards,
    Daniel Sobrinho

    Daniel Sobrinho
    New Member

    Finish the CUCM migration

    Finish the CUCM migration then migrate the certificates later.

    CreatePlease to create content