[cisco-voip] cisco phone-vpn cert expiration

Brian Meade (brmeade) brmeade at cisco.com
Thu Jan 30 16:07:42 EST 2014


What you could do to resolve the phones without bringing them in would be to temporarily set up a NAT with a static IP for one of your TFTP servers just for TFTP traffic and use the Alternate TFTP settings on the phones so they can pull the new config files with the new certificate in them.  But it may be a little risky opening up the TFTP service on one node to the outside world temporarily.

From: Erick Wellnitz [mailto:ewellnitzvoip at gmail.com]
Sent: Thursday, January 30, 2014 3:51 PM
To: Brian Meade (brmeade)
Cc: cisco-voip
Subject: Re: [cisco-voip] cisco phone-vpn cert expiration

The old one was expired.  That might make the difference.



On Thu, Jan 30, 2014 at 2:40 PM, Brian Meade (brmeade) <brmeade at cisco.com<mailto:brmeade at cisco.com>> wrote:
Erick,

It shouldn't have replaced the other VPN-trust in certificate management.    I've done this scenario successfully with many customers.  I'll try this in the lab.  It may be due to the same Common Name on the certificate but usually it will just rename the new one to like commonname-1.pem.

Thanks,
Brian

From: Erick Wellnitz [mailto:ewellnitzvoip at gmail.com<mailto:ewellnitzvoip at gmail.com>]
Sent: Thursday, January 30, 2014 3:24 PM
To: Brian Meade (brmeade)
Cc: cisco-voip
Subject: Re: [cisco-voip] cisco phone-vpn cert expiration

This dd not work as described.

The new cert took the place of the old one in certificate management now if a VPN phone reboots for any reason they cannot reconnect.

On Tue, Jan 28, 2014 at 9:27 AM, Brian Meade (brmeade) <brmeade at cisco.com<mailto:brmeade at cisco.com>> wrote:
Erick,

You can add a 2nd cert to the VPN Gateway configuration after you add it as a VPN-Trust.

So what you want to do is create a new trustpoint on the ASA with the new certificate, upload that to CUCM as a phone-vpn-trust, and then add it as a 2nd cert to the VPN Gateway.

You'll then want to make sure all the VPN phones get reset so they get the new certificate as well.

After all the VPN phones have both certificates, you can then change SSL on the ASA to bind to the other trustpoint and start using the new certificate.

If you follow that method, you want have to bring any of the VPN phones back in as long as they're connected.  The main problem with this method is some people have VPN phones that they rarely connect so you'll need to make sure everyone connects their phones to get the new certificate before you make the change on the ASA.

Brian

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net<mailto:cisco-voip-bounces at puck.nether.net>] On Behalf Of Erick Wellnitz
Sent: Tuesday, January 28, 2014 10:20 AM
To: cisco-voip
Subject: [cisco-voip] cisco phone-vpn cert expiration

I have a situation I'm sure isn't unique.

What happens when I upload a new phone-vpn cert to the CUCM to replace an expired/expiring one?

Are vpn phones going to freak out and stop authenticating to the VPN or should everything be smooth sailing?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20140130/430fabe1/attachment.html>


More information about the cisco-voip mailing list