
New Member

Regenerate expired certificates on CUCM cluster


We have a customer that has a large CUCM cluster, where most of the self-signed certificates have expired. :-/

I know that we need to regenerate the certificates outside normal business hours, but the customer is running a 24 hour operation.

So we would have to break this down in small bits, because we have about 10K phones in the cluster.

We are not running in Cluster Secure Mode, and there are no phones connected to the Publisher. They are only connected to the subscribers.

So could we start with regenerating the certificates on the publisher without every phone rebooting?

And then take every subscriber one at a time within a scheduled maintenance window?

All the certificates need to be regenerated: CallManager, TVS, IPsec, etc.

CUCM version is 10.5.2.

Best regards
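Before scheduling windows for a cluster like this, it helps to know exactly which certificates are already expired or about to expire. The script below is an added example, not from this thread or from Cisco: it runs over PEM files exported from each node (for instance downloaded from OS Administration > Security > Certificate Management) and lists those expiring within a given number of days. It assumes the openssl CLI is installed; the `<node>-<service>.pem` file naming is an assumption used only for the report, and the two demo certificates are constructed on the fly.

```shell
#!/bin/sh
# Inventory certificate expiry from exported CUCM PEM files (added example).
# Assumes the openssl CLI; file names like <node>-<service>.pem are assumed.
set -e

# Return 0 if the certificate in $1 is already expired or expires within
# $2 days, 1 otherwise. openssl's -checkend compares notAfter against
# "now + seconds" and exits non-zero when the cert will expire by then.
cert_expires_within() {
    file=$1
    days=$2
    if openssl x509 -in "$file" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1   # still valid beyond the window
    else
        return 0   # expires within the window, or already expired
    fi
}

# Print the notAfter date of certificate $1 (openssl's own format).
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Report every *.pem in directory $1 that expires within $2 days,
# one line per affected certificate: "<file><TAB><notAfter>".
report_expiring() {
    dir=$1
    days=$2
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        if cert_expires_within "$f" "$days"; then
            printf '%s\t%s\n' "$(basename "$f")" "$(cert_not_after "$f")"
        fi
    done
}

# --- constructed demo data: two self-signed certs, one about to expire ---
DEMO=$(mktemp -d)
gen() { # gen <basename> <valid-days>
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$DEMO/$1.key" \
        -out "$DEMO/$1.pem" -days "$2" -subj "/CN=$1" >/dev/null 2>&1
}
gen sub1-CallManager 3
gen sub1-tvs 3650

report_expiring "$DEMO" 30   # prints only sub1-CallManager.pem
```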


Cisco Employee

Hi Kim,

The process is explained in detail in the link below.

(Rate if it helps)

New Member

Hi Jitender,

Thanks, I have already had a look at both those links. :)

But I don't see anywhere in the document whether you can regenerate the certificate on the Publisher without it having any impact on the phones. In my situation there are no phones connected to the Publisher. Phones are only connected to subscribers.

I found a document on the SalesConnect site which suggests that I could regenerate the phones without any trouble.

But I'm still not quite convinced.

When I'm reading the PDF (pages 77-85), I'm thinking that I can regenerate the IPsec and ccm certificates on the publisher without impact, because the publisher is not running the ccm service and doesn't have any phones connected to it. IPsec would require me to restart the DRF services, but this has no impact.

Regenerating the TVS certificate would give me problems. I think that would prompt all the phones into restarting. But again, not sure.

Regenerating the CAPF should be possible if the CAPF service is not activated. Could you then just stop it on the servers?


New Member

Hi Kim,

IPSEC can be done at any time with no impact to users. Like you said, restart the DR components, take a backup, and you're set.

callmanager and TVS should be done a good deal of time apart. I actually like to wait a few weeks on the off-chance that any straggler devices can come back online. Any devices that had been previously registered and taken offline will require the ITL file to be deleted once both callmanager and TVS have been regenerated.

In my experience, even if there aren't any phones registered to the pub, all phones in the environment will restart. You'll want to restart the callmanager and TFTP services (callmanager cert is used to sign files), as well as the TVS service so that it has an updated list of the installed certs.

If you're not using CAPF, that can be done at any time.

Hope this helps,


Steve H.

New Member

I forgot to mention that CTI Manager will also need to be restarted as it also uses the callmanager cert. I also will bounce all phones in a cluster after I'm done with cert work by going to Enterprise Parameters and using the reset button. You can verify that phones have gotten the updated certs using the methods found on the Security by Default page. If this process goes sideways, you can call TAC and they may be able to run their tools to help get the phones back, but remember to take backups and make sure you have all of your ITL recovery keys backed up separately (some bugs have kept these from being backed up).