[cisco-voip] Couple misc. CTL/certificate questions...

Jason Burns burns.jason at gmail.com
Wed Jun 20 12:18:43 EDT 2012


Ed,

Good catch on the CAPF certs on every node. You're right that they just get
ignored on the subscriber nodes. I'm not sure myself what function they
serve as the only useful CAPF cert is the one from the publisher.

Since you're on 7.X and you're about to enable security but this isn't a
new install, I would definitely recommend taking a look at all of your
certificate expiration dates. They're typically 5 years from creation for
the self signed certificates (install date). Personally, I would regenerate:

CAPF.pem - Publisher
CallManager.pem - All Nodes

before I enabled security with the CTL client and USB tokens. This means
you'd have 5 years before ever having to worry about running the CTL client
again for certificate expiration. You may have to run it again if you
changed other things that regenerated certs (host name change), and it's
easy to run again, but why worry about it. You'll also have 5 years before
CAPF expires, which gives you a guaranteed 5 year life time before worrying
about any LSCs signed by this CAPF (since the LSC is what gets pushed to
the phones and they're signed by CAPF).

Now is also a good time to point the cluster to an SMTP email server, as
well as populate an email address in the Certificate Monitor fields in OS
Administration. This will notify someone before that 5 year timer pops.

Once you've regenerated CAPF and CallManager certificates you'll want to
restart CAPF on the pub and CCM on all nodes. If you can't restart CCM for
operational reasons then I'd skip the CallManager.pem regen step but still
perform the CAPF regen step. We want to make sure we don't have to mess
with any CAPF or LSC regeneration for another 5 years.

Enable security and push LSCs to the phones.

In 4 years and some months you'll get an email telling you the CAPF cert is
about to expire. You also know that all of your LSCs are about to expire.
You can take proactive action to generate a new CAPF cert, run CTL client,
reset phones, and use BAT to push new LSCs to phones.


If this is 8.X you can still regenerate the CAPF.pem, but don't touch the
CallManager.pem unless you have to.

-Jason

On Wed, Jun 20, 2012 at 9:12 AM, Ed Leatherman <ealeatherman at gmail.com> wrote:

> I'm getting ready to install security tokens soon on CM 7.1, and noticed a
> few things while I was pulling my plan together. I was hoping someone might
> know the answer(s)
>
> - While looking around at the existing certs on my cluster (non-secure
> mode right now) I noticed a CAPF.pem on every node, with different serial
> numbers and CNs. I thought this should only exist on the publisher? Does it
> just ignore the certs on the other nodes when I put the cluster in mixed
> mode?
>
> - Also while poking around - once again, non-secure mode - I noticed all
> the CallManager.pem files have varying expiration dates on them (seems to
> coincide with when I refreshed hardware). Some of them expire as early as
> 2014.. would it be a good idea to refresh the certs now so that they have
> later expiration dates, before I start pushing CTL files out to phones? If
> I do this, do I need to restart the CM service?
>
> Thanks!
>
>
> --
> Ed Leatherman
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
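The expiration audit Jason suggests (check every CAPF.pem and CallManager.pem before enabling security, and know well ahead of the 5-year mark) can be scripted once the certificates are exported from OS Administration into a directory. The following POSIX shell snippet is an added example written for this thread; it is not Cisco's code or anything posted by the list members. It assumes the `openssl` CLI is available and that the exported files are PEM; the directory layout, the file names and the 180-day warning window are constructed for the demo, and `make_sample_cert` exists only to generate throwaway self-signed certificates so the audit can be run offline.

```shell
#!/bin/sh
# Added example: flag PEM certificates (e.g. exported CallManager.pem / CAPF.pem)
# that expire within a warning window, using the openssl CLI.
# Assumptions: openssl in PATH; certs are PEM files ending in .pem in one directory.

WARN_DAYS="${WARN_DAYS:-180}"   # constructed default window, override via env

# cert_end_date FILE -> prints the certificate's notAfter timestamp
cert_end_date() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_expires_within FILE DAYS -> exit 0 if the cert expires within DAYS days
# (or has already expired), exit 1 if it is still valid past that window.
# openssl's -checkend exits 0 when the cert is still valid for that many seconds.
cert_expires_within() {
    secs=$(( $2 * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1
    else
        return 0
    fi
}

# count_expiring DIR DAYS -> prints how many .pem files in DIR expire within DAYS days
count_expiring() {
    dir=$1; days=$2; n=0
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        if cert_expires_within "$f" "$days"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# audit_certs DIR DAYS -> one report line per .pem file, WARN for those inside the window
audit_certs() {
    dir=$1; days=$2
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        if cert_expires_within "$f" "$days"; then
            printf 'WARN %s expires %s (within %s days)\n' "$f" "$(cert_end_date "$f")" "$days"
        else
            printf 'OK   %s expires %s\n' "$f" "$(cert_end_date "$f")"
        fi
    done
}

# make_sample_cert FILE DAYS -> constructed self-signed cert for offline demos only;
# the CN is taken from the file name so the report reads like a CUCM export.
make_sample_cert() {
    keyfile=$(mktemp)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$keyfile" -out "$1" \
        -days "$2" -subj "/CN=$(basename "$1" .pem)" >/dev/null 2>&1
    rm -f "$keyfile"
}

# Usage: sh audit.sh /path/to/exported/certs
if [ $# -gt 0 ]; then
    audit_certs "$1" "$WARN_DAYS"
fi
```

Run it against one directory per node and the WARN lines are the certificates to regenerate before running the CTL client; the same check, scheduled, complements the e-mail notification from the Certificate Monitor rather than replacing it.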