Community Member

CUCM certificate expire

We have a CUCM cluster, ver. 7.1, running in secure mode, and we get the below error:

At Sun May 25 08:00:05 EEST 2014 on node 10.20.30.40, the following SyslogSeverityMatchFound events generated:
SeverityMatch - Emergency : 356: May 25 05:00:00.27 UTC : %CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERGENCY_ALARM Message:Certificate expiration Notification. Certificate name:CAPF-1f03103a Unit:CallManager-trust Type:trust-cert Expiration:Sun May 18 App ID:Cisco Certificate Monitor Cluster ID: Node ID:CUCM-PUB
SeverityMatch - Emergency : 357: May 25 05:00:00.27 UTC : %CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERGENCY_ALARM Message:Certificate expiration Notification. Certificate name:CAPF-1f03103a Unit:CAPF-trust Type:trust-cert Expiration:Sun May 18 23:40:0 App ID:Cisco Certificate Monitor Cluster ID: Node ID:CUCM-PUB

We modified the time on the server a week ago, and since then we have been getting this error.

Can anyone help urgently, please?

5 REPLIES
Cisco Employee

Recreate the certs, there's nothing else to do.

HTH

java

if this helps, please rate

www.cisco.com/go/pdi
Community Member

Hi Jaime:

How can I do this? And kindly remember that we are in security mode.

Cisco Employee

The one that expired is CAPF, you'll need to disable security, recreate the certs that have expired, or are about to expire, load the new CAPF, push to phones, then re-enable security.

HTH

java

if this helps, please rate

www.cisco.com/go/pdi
Community Member

Can you please provide me with detailed steps for this? I don't have good experience with voice security.

Thanks for all.

If that matches the CAPF.pem from the publisher that signed all of your LSCs, you'll need to regenerate the CAPF certificate, restart CAPF service, re-run the CTL client, and then do a CAPF Install/Upgrade on all phones to push out new LSCs in bulk signed by the new CAPF certificate.  Once that is all done, you can delete the old CallManager-trust certificates for the expired CAPF certificate.

 

You can visit most phones' web pages via HTTPS and check what cert is shown in the browser to see which certificate signed the LSC on each phone.  There are tools out there to do this kind of thing in bulk.

If the CAPF certificate that signed the phones' LSCs expires and the phones have a security profile configured, they will fail to re-register if they reset for any reason.  If they don't reset, they'll be fine forever but it's a ticking time-bomb situation.  Extension Mobility environments are affected immediately since every login/logout resets the phones.

 

I'd suggest opening a TAC case under the CUCM Security/CTL sub-technology keyword so that they can take a look at your specific situation.
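
For triaging alarms like the ones quoted in the question, the following added example (not part of the original thread and not Cisco code) parses the CertExpiryEmergency text and groups, per node, the stores (the Unit field) that still hold each expiring certificate. The function names and the sample string, constructed from the alarm text above, are assumptions of this example.

```python
import re
from collections import defaultdict

# Field layout taken from the CertExpiryEmergency alarm text quoted in the question.
ALARM_RE = re.compile(
    r"CertExpiryEmergency:.*?"
    r"Certificate name:(?P<name>\S+) Unit:(?P<unit>\S+) Type:(?P<type>\S+) "
    r"Expiration:(?P<expiration>.*?) App ID:(?P<app>.*?) "
    r"Cluster ID:(?P<cluster>.*?)\s*Node ID:(?P<node>\S+)"
)


def parse_alarms(text):
    """Return one dict per CertExpiryEmergency alarm found in text."""
    return [m.groupdict() for m in ALARM_RE.finditer(text)]


def stores_by_certificate(alarms):
    """Map (node, certificate name) -> sorted stores (Unit) holding that certificate.

    Repeated notifications collapse into one entry, so the result is the list
    of stores to review once the certificate has been regenerated.
    """
    stores = defaultdict(set)
    for alarm in alarms:
        stores[(alarm["node"], alarm["name"])].add(alarm["unit"])
    return {key: sorted(units) for key, units in stores.items()}


# Constructed sample: the two alarms from the question, repeated as in the post.
SAMPLE = (
    "SeverityMatch - Emergency : 356: May 25 05:00:00.27 UTC : "
    "%CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERGENCY_ALARM "
    "Message:Certificate expiration Notification. Certificate name:CAPF-1f03103a "
    "Unit:CallManager-trust Type:trust-cert Expiration:Sun May 18 "
    "App ID:Cisco Certificate Monitor Cluster ID: Node ID:CUCM-PUB "
    "SeverityMatch - Emergency : 357: May 25 05:00:00.27 UTC : "
    "%CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERGENCY_ALARM "
    "Message:Certificate expiration Notification. Certificate name:CAPF-1f03103a "
    "Unit:CAPF-trust Type:trust-cert Expiration:Sun May 18 23:40:0 "
    "App ID:Cisco Certificate Monitor Cluster ID: Node ID:CUCM-PUB "
) * 2

if __name__ == "__main__":
    for (node, cert), units in stores_by_certificate(parse_alarms(SAMPLE)).items():
        print(f"{node}: {cert} present in {', '.join(units)}")
```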
