05-25-2014 01:51 AM - edited 03-16-2019 10:53 PM
We have a CUCM cluster, ver. 7.1, running in secure mode, and we get the error below:
At Sun May 25 08:00:05 EEST 2014 on node 10.20.30.40, the following SyslogSeverityMatchFound events generated:
SeverityMatch - Emergency : 356: May 25 05:00:00.27 UTC : %CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERGENCY_ALARM Message:Certificate expiration Notification. Certificate name:CAPF-1f03103a Unit:CallManager-trust Type:trust-cert Expiration:Sun May 18 App ID:Cisco Certificate Monitor Cluster ID: Node ID:CUCM-PUB
SeverityMatch - Emergency : 357: May 25 05:00:00.27 UTC : %CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERGENCY_ALARM Message:Certificate expiration Notification. Certificate name:CAPF-1f03103a Unit:CAPF-trust Type:trust-cert Expiration:Sun May 18 23:40:0 App ID:Cisco Certificate Monitor Cluster ID: Node ID:CUCM-PUB
We modified the time on the server a week ago, and since then we have been getting this error.
Can anyone help? It is urgent, please.
05-25-2014 06:19 PM
Recreate the certs, there's nothing else to do.
05-26-2014 01:14 AM
Hi Jaime,
How can I do this? Kindly remember that we are in security mode.
05-26-2014 08:09 AM
The one that expired is CAPF, you'll need to disable security, recreate the certs that have expired, or are about to expire, load the new CAPF, push to phones, then re-enable security.
05-27-2014 07:36 AM
Can you please provide me with detailed steps for this? I don't have good experience with voice security.
Thanks for all.
05-27-2014 07:48 AM
If that matches the CAPF.pem from the publisher that signed all of your LSCs, you'll need to regenerate the CAPF certificate, restart CAPF service, re-run the CTL client, and then do a CAPF Install/Upgrade on all phones to push out new LSCs in bulk signed by the new CAPF certificate. Once that is all done, you can delete the old CallManager-trust certificates for the expired CAPF certificate.
You can visit most phones' web pages via HTTPS and check what cert is shown in the browser to see which certificate signed the LSC on each phone. There are tools out there to do this kind of thing in bulk.
If the CAPF certificate that signed the phones' LSCs expires and the phones have a security profile configured, they will fail to re-register if they reset for any reason. If they don't reset, they'll be fine forever but it's a ticking time-bomb situation. Extension Mobility environments are affected immediately since every login/logout resets the phones.
I'd suggest opening a TAC case under the CUCM Security/CTL sub-technology keyword so that they can take a look at your specific situation.
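Added example, not part of the thread and not Cisco tooling: a small parser for the CertExpiry alarm text quoted in the first post, which lists the node and trust store (Unit) each expired certificate was reported in, so you know which old trust entries to clean up after regenerating CAPF. The field labels are taken from the alarm text above; the function names are hypothetical, and the sample lines are the two alarms from the post, repeated to mimic a duplicate alert.

```python
import re
from collections import defaultdict

# Field labels exactly as they appear in the alarm text quoted in the thread.
KEYS = ["Certificate name", "Unit", "Type", "Expiration",
        "App ID", "Cluster ID", "Node ID"]
FIELD_RE = re.compile(r"(%s):" % "|".join(re.escape(k) for k in KEYS))
# Only "CertExpiryEmergency" appears in the thread; any suffix is accepted here.
ALARM_RE = re.compile(r"%\S*-CertExpiry(\w+):")

def parse_alarm(line):
    """Return a dict of fields for one CertExpiry alarm line, or None."""
    m = ALARM_RE.search(line)
    if not m:
        return None
    # Splitting on a single capture group yields [preamble, key, value, key, value, ...]
    parts = FIELD_RE.split(line[m.end():])
    rec = {"severity": m.group(1)}
    for key, value in zip(parts[1::2], parts[2::2]):
        rec[key] = value.strip()
    return rec

def trust_stores_by_cert(lines):
    """Map certificate name -> sorted (node, unit) pairs, ignoring repeated alerts."""
    stores = defaultdict(set)
    for line in lines:
        rec = parse_alarm(line)
        if rec and "Certificate name" in rec:
            stores[rec["Certificate name"]].add(
                (rec.get("Node ID", ""), rec.get("Unit", "")))
    return {name: sorted(pairs) for name, pairs in stores.items()}

# Sample input: the two alarm lines from the first post, listed twice.
_PREFIX = ("May 25 05:00:00.27 UTC : %CCM_UNKNOWN-CERT-0-CertExpiryEmergency: "
           "Certificate Expiry EMERGENCY_ALARM Message:Certificate expiration "
           "Notification. Certificate name:CAPF-1f03103a ")
_SUFFIX = " App ID:Cisco Certificate Monitor Cluster ID: Node ID:CUCM-PUB"
SAMPLE = [
    _PREFIX + "Unit:CallManager-trust Type:trust-cert Expiration:Sun May 18" + _SUFFIX,
    _PREFIX + "Unit:CAPF-trust Type:trust-cert Expiration:Sun May 18 23:40:0" + _SUFFIX,
] * 2

if __name__ == "__main__":
    for cert, pairs in trust_stores_by_cert(SAMPLE).items():
        for node, unit in pairs:
            print(f"{cert}: expired entry in {unit} on {node}")
```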