Cisco Support Community
New Member

Expired Certificates

On CUCM 8.6 we have all certs expired. From reading the docs on forums etc., I am still a bit confused.

1. Do I need to enable rollback phones to pre 8 parameter and reboot phones?

2. Do I just regenerate tomcat, reboot phones, then restart TVS as also mentioned in the Docs?

3. Or am I good to regenerate all the certs and not have to reboot phones?

Accepted Solution
Cisco Employee

1. No, you don't need to; you can use it if you like to remove the ITL altogether while you regenerate the certs.

2. Yes, depending on which certs you need to regenerate, follow the exact order that is explained in the ITL documentation, and do the certs one at a time, one server at a time.

3. If you regenerate all of the certs at the same time, you'll just cause all the phones to stop trusting your servers, and you'll need to delete the ITL manually on every single phone.

Some services will need to be restarted, depending on the certs being regenerated; you'll get the warnings as you do so.

Also, phones will need to reboot to get the new certs; from the docs:

After you regenerate CallManager.pem and restart the TVS and TFTP service, this happens when a phone boots.

HTH

java

if this helps, please rate

www.cisco.com/go/pdi
5 REPLIES
Cisco Employee

Hi,

The rollback parameter is part of the "Security By Default" feature introduced in CUCM 8.0; it has nothing to do with your certificates being expired. See below for details regarding "Security By Default".

http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/116232-technote-sbd-00.html

For cert regeneration, check the link below.

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html#anc1

HTH

JB

New Member

That is exactly why I have said I have read the docs. The last link you sent is the doc I referred to.

It is not clear. The reason I ask the below is that the document confusingly states to enable rollback and also to watch out for restarting the TVS service, as the phones need to see the existing key before accepting the new certs. The cluster is not in mixed mode.

1. Do I need to enable rollback phones to pre 8 parameter and reboot phones?

2. Do I just regenerate tomcat, reboot phones, then restart TVS as also mentioned in the Docs?

3. Or am I good to regenerate all the certs and not have to reboot phones?

New Member

Can anyone confirm the steps required?

New Member

Perfect, thanks Jaime
