Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Remote VPN Phone certificate update

I currently have a ASA 5510 with remote VPN phones authenticating via certificates.  It has been working well, but now I need to change certificate vendors.  I have the new certificate loaded in Callmanager, applied to the VPN profile, and installed on the ASA.  However, it doesn't look like the current remote phones get the new certificate while connected via VPN.  A test phone that I had inside my site and then moved to VPN seems to be working fine with the new certificate.

I installed the new certificate in Callmanager, applied to VPN profile, etc, then reset all of the remote phones, thinking that would trigger them to get the new certificate hash.  But that doesn't seem to work.  After switching the cert on the ASA, those phones can't connect until I switch back to the old cert.

Is there something special I need to do to get the new certificate on the currently connected VPN phones?  Do I need to bring them back in house?  I can't imagine that being the case but figured I would ask.  Some of these phones are hundreds of miles away.

thank you!


Cisco Employee

Hi scottpoest, For this setup

Hi scottpoest,


For this setup ASA identity-cert has to be added as phone-vpn-trust under OS Administration, and MIC or CAPF imported into ASA running-config.

However, initially the phone has to have full local connectivity in order to pull the hash of phone-vpn-trust enclosed in its configuration file inside <certHash1> tags.




New Member

Thanks for the reply.  I have

Thanks for the reply.  I have all of the certs added properly and MIC imported into ASA.  I have several remote phones online now.  Will those remote phones NOT pull down new certificates even though they are connected now?

Cisco Employee

Phones will pull the new ASA

Phones will pull the new ASA certificate provided that the old one is still valid and has not expired yet.

To renew you just have to upload it to CUCM as phone-vpn-trust, add to your VPN Gateway certificates, and cycle the phone.

However watch out for

New Member

I figured out my own problem.

I figured out my own problem.  Hopefully it helps someone someday.

My remote phones are not getting a TFTP server in their DHCP request.  The ASA is giving them IP's when they connect to the VPN but the TFTP server is blank.  I set the Alternate TFTP server to YES and put in the inside IP address of my Callmanager server.  Now I just need to figure out how to add the TFTP on my ASA when it hands out IP's.  For some reason entering it on the command line didn't work.  It is giving addresses from the group policy address pools. 


CreatePlease to create content