CUCM certificate expire

GHARIP MOHAMED MARZOK · ‎05-25-2014

we have CUCM cluster Ver. 7.1 run in secure mode we get the below error :

At Sun May 25 08:00:05 EEST 2014 on node 10.20.30.40, the following SyslogSeverityMatchFound events generated: SeverityMatch - Emergency : 356: May 25 05:00:00.27 UTC : %CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERGENCY_ALARM Message:Certificate expiration Notification. Certificate name:CAPF-1f03103a Unit:CallManager-trust Type:trust-cert Expiration:Sun May 18 App ID:Cisco Certificate Monitor Cluster ID: Node ID:CUCM-PUB SeverityMatch - Emergency : 357: May 25 05:00:00.27 UTC : %CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERGENCY_ALARM Message:Certificate expiration Notification. Certificate name:CAPF-1f03103a Unit:CAPF-trust Type:trust-cert Expiration:Sun May 18 23:40:0 App ID:Cisco Certificate Monitor Cluster ID: Node ID:CUCM-PUB At Sun May 25 08:00:05 EEST 2014 on node 10.20.30.40, the following SyslogSeverityMatchFound events generated: SeverityMatch - Emergency : 356: May 25 05:00:00.27 UTC : %CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERGENCY_ALARM Message:Certificate expiration Notification. Certificate name:CAPF-1f03103a Unit:CallManager-trust Type:trust-cert Expiration:Sun May 18 App ID:Cisco Certificate Monitor Cluster ID: Node ID:CUCM-PUB SeverityMatch - Emergency : 357: May 25 05:00:00.27 UTC : %CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERGENCY_ALARM Message:Certificate expiration Notification. Certificate name:CAPF-1f03103a Unit:CAPF-trust Type:trust-cert Expiration:Sun May 18 23:40:0 App ID:Cisco Certificate Monitor Cluster ID: Node ID:CUCM-PUB

and we had modify the time on the server from one week and since this we get this error ,

any one can help urgent please

Jaime Valencia · ‎05-25-2014

Recreate the certs, there's nothing else to do.

HTH

java

if this helps, please rate

GHARIP MOHAMED MARZOK · ‎05-26-2014

Hi Jaime :

how i can do this and kindly remember that we are in security mode .

Jaime Valencia · ‎05-26-2014

The one that expired is CAPF, you'll need to disable security, recreated the certs that have expired, or are about to expire, load the new CAPF, push to phones, then re-enable security.

HTH

java

if this helps, please rate

GHARIP MOHAMED MARZOK · ‎05-27-2014

Can u please provide me with detailed steps for this , I don't have good experience with voice security

thanks for all

Brian Meade · ‎05-27-2014

If that matches the CAPF.pem from the publisher that signed all of your LSCs, you'll need to regenerate the CAPF certificate, restart CAPF service, re-run the CTL client, and then do a CAPF Install/Upgrade on all phones to push out new LSCs in bulk signed by the new CAPF certificate. Once that is all done, you can delete the old CallManager-trust certificates for the expired CAPF certificate.

You can visit most phones' web pages via HTTPS and check what cert is shown in the browser to see which certificate signed the LSC on each phone. There's tools out there to do this kind of thing in bulk.

If the CAPF certificate that signed the phones' LSCs expires and the phones have a security profile configured, they will fail to re-register if they reset for any reason. If they don't reset, they'll be fine forever but it's a ticking time-bomb situation. Extension Mobility environments are affected immediately since every login/logout resets the phones.

I'd suggest opening a TAC case under the CUCM Security/CTL sub-technology keyword so that they can take a look at your specific situation.