Regenerate expired certificates on CUCM cluster

Kim Nielsen
Level 1

Hi,

We have a customer that has a large CUCM cluster, where most of the self-signed certificates have expired. :-/

I know that we need to regenerate the certificates outside normal business hours, but the customer is running a 24-hour operation.

So we would have to break this down in small bits, because we have about 10K phones in the cluster.

We are not running in Cluster Secure Mode, and there are no phones connected to the Publisher. They are only connected to the subscribers.

So could we start with regenerating the certificates on the publisher without every phone rebooting?

And then take every subscriber one at a time within a scheduled maintenance window?

It's all the certificates that need to be regenerated. Callmanager, TVS, IPsec etc etc.

CUCM version is 10.5.2

Best regards

Kim

5 Replies

Jitender Bhandari
Cisco Employee

Hi Kim,

The process is explained in detail in the link below.

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html

https://www.youtube.com/watch?v=xTnS7HEADdU

(Rate if it helps)

Hi Jitender,

Thanks, I have already had a look at both those links. :)

But I don't see anywhere in the document whether you could regenerate the certificate on the Publisher without it having any impact on the phones. In my situation there are no phones connected to the Publisher. Phones are only connected to subscribers.

I found a document on the salesconnect site which points towards my being able to regenerate the phones without any trouble.

https://salesconnect.cisco.com/c/r/salesconnect/index.html#/content-detail/ab5ace36-2e9e-472a-9a74-604277e586ed

But I'm still not quite convinced.

When I'm reading the PDF (pages 77-85), I'm thinking that I can regenerate the IPsec and ccm certificates on the publisher without impact, because the publisher is not running the ccm service and doesn't have any phones connected to it. IPsec would require me to restart the DRF services, but this has no impact.

Regenerating the TVS certificate would give me problems. I think that would prompt all the phones into restarting. But again, not sure.

Regenerating the CAPF certificate should be possible if the CAPF service is not activated. Could you then just stop it on the servers?

/Kim

Hi Kim,

IPSEC and can be done at any time with no impact to users. Like you said, restart the DR components, take a backup, and you're set.

callmanager and TVS should be done a good deal of time apart. I actually like to wait a few weeks on the off-chance that any straggler devices can come back online. Any devices that had been previously registered and taken offline will require the ITL file to be deleted once both callmanager and TVS have been regenerated.

In my experience, even if there aren't any phones registered to the pub, all phones in the environment will restart. You'll want to restart the callmanager and TFTP services (callmanager cert is used to sign files), as well as the TVS service so that it has an updated list of the installed certs.

If you're not using CAPF, that can be done at any time.

Hope this helps,

--

Steve H.

I forgot to mention that CTI Manager will also need to be restarted, as it also uses the callmanager cert. I also will bounce all phones in a cluster after I'm done with cert work by going to Enterprise Parameters and using the reset button. You can verify that phones have gotten the updated certs using the methods found on the Security by Default page. If this process goes sideways, you can call TAC and they may be able to run their tools to help get the phones back, but remember to take backups and make sure you have all of your ITL recovery keys backed up separately (some bugs have kept these from being backed up).
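Before scheduling the maintenance windows discussed above, it helps to know exactly which nodes and services are already serving expired certificates. The following shell script is an added example, not code from the thread or from Cisco: it pulls the certificate a node presents on a TLS port with `openssl s_client`, then classifies it as expired, expiring within a warning window, or ok using `openssl x509 -checkend`. The node names and the default port 8443 (Tomcat HTTPS) are my assumptions; change the port to check other services.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.
# Assumption: CUCM nodes are reachable on the given TCP port (8443 = Tomcat
# HTTPS by default); hostnames used below are placeholders.

# cert_from_node HOST PORT
# Prints the leaf certificate served on HOST:PORT in PEM form.
cert_from_node() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
    | openssl x509 -outform PEM 2>/dev/null
}

# pem_expiry_status PEMFILE [WARN_DAYS]
# Prints "<notAfter>|expired", "<notAfter>|expiring" (expires within
# WARN_DAYS, default 30) or "<notAfter>|ok".
# 'openssl x509 -checkend N' exits non-zero when the cert expires within N
# seconds, so -checkend 0 detects a certificate that has already expired.
pem_expiry_status() {
  pem="$1"
  warn_days="${2:-30}"
  not_after=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
    echo "$not_after|expired"
  elif ! openssl x509 -in "$pem" -noout -checkend $((warn_days * 86400)) >/dev/null; then
    echo "$not_after|expiring"
  else
    echo "$not_after|ok"
  fi
}

# check_nodes PORT WARN_DAYS HOST...
# One line per node: "host:port <notAfter>|<status>" or "host:port unreachable".
check_nodes() {
  port="$1"
  warn="$2"
  shift 2
  for host in "$@"; do
    tmp=$(mktemp)
    if cert_from_node "$host" "$port" > "$tmp" && [ -s "$tmp" ]; then
      printf '%s:%s %s\n' "$host" "$port" "$(pem_expiry_status "$tmp" "$warn")"
    else
      printf '%s:%s unreachable\n' "$host" "$port"
    fi
    rm -f "$tmp"
  done
}

# Usage (placeholder hostnames):
#   check_nodes 8443 30 cucm-pub cucm-sub1 cucm-sub2
```

Run it once per relevant port and keep the output with the change record: an "expired" line on a subscriber tells you which window that node belongs in, and re-running after the regeneration confirms that the new certificate is the one actually being served.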

test60
Level 1

Hi Experts,

I have a few questions on regenerating expired certs for UCM 12 (not in mixed mode).
The following certs are expired:

- Call Manager
- CAPF
- TVS
- ITL Recovery
- ipsec
- Tomcat

* What is the impact if I let them stay expired?
* In which order do I need to do them? How many hours does it take? We have 1 Pub and 5 Subs, 2 TFTP, 10,000 phones.
* What tool can check and delete the ITL remotely?
* If I don't restart the phones after the "Call Manager" cert is regenerated, will the phones still be registered?
* If I don't use mixed mode, does that mean there's no need to worry about TVS and CAPF?

Thanks,
C
