[cisco-voip] Couple misc. CTL/certificate questions...

Ed Leatherman ealeatherman at gmail.com
Wed Jun 20 13:37:48 EDT 2012


Jason,

Thanks for the reply! That was exactly what I was looking/hoping for. I
will just regenerate the certs and reset CCM prior to setting up security
to get the certs refreshed, and then again after I'm done to push the
changes out.

Ed


On Wed, Jun 20, 2012 at 12:18 PM, Jason Burns <burns.jason at gmail.com> wrote:

> Ed,
>
> Good catch on the CAPF certs on every node. You're right that they just
> get ignored on the subscriber nodes. I'm not sure myself what function they
> serve as the only useful CAPF cert is the one from the publisher.
>
> Since you're on 7.X and you're about to enable security but this isn't a
> new install, I would definitely recommend taking a look at all of your
> certificate expiration dates. They're typically 5 years from creation for
> the self signed certificates (install date). Personally, I would regenerate:
>
> CAPF.pem - Publisher
> CallManager.pem - All Nodes
>
> before I enabled security with the CTL client and USB tokens. This means
> you'd have 5 years before ever having to worry about running the CTL client
> again for certificate expiration. You may have to run it again if you
> changed other things that  regenerated certs (host name change), and it's
> easy to run again, but why worry about it. You'll also have 5 years before
> CAPF expires, which gives you a guaranteed 5 year life time before worrying
> about any LSCs signed by this CAPF (since the LSC is what gets pushed to
> the phones and they're signed by CAPF).
>
> Now is also a good time to point the cluster to an SMTP email server, as
> well as populate an email address in the Certificate Monitor fields in OS
> Administration. This will notify someone before that 5 year timer pops.
>
> Once you've regenerated CAPF and CallManager certificates you'll want to
> restart CAPF on the pub and CCM on all nodes. If you can't restart CCM for
> operational reasons then I'd skip the CallManager.pem regen step but still
> perform the CAPF regen step. We want to make sure we don't have to mess
> with any CAPF or LSC regeneration for another 5 years.
>
> Enable security and push LSCs to the phones.
>
> In 4 years and some months you'll get an email telling you the CAPF cert
> is about to expire. You also know that all of your LSCs are about to
> expire. You can take proactive action to generate a new CAPF cert, run CTL
> client, reset phones, and use BAT to push new LSCs to phones.
>
>
> If this is 8.X you can still regenerate the CAPF.pem, but don't touch the
> CallManager.pem unless you have to.
>
> -Jason
>
> On Wed, Jun 20, 2012 at 9:12 AM, Ed Leatherman <ealeatherman at gmail.com>wrote:
>
>> I'm getting ready to install security tokens soon on CM 7.1, and noticed
>> a few things while I was pulling my plan together. I was hoping someone
>> might know the answer(s)
>>
>> - While looking around at the existing certs on my cluster (non-secure
>> mode right now) I noticed a CAPF.pem on every node, with a different serial
>> numbers and CNs. I thought this should only exist on the publisher? Does it
>> just ignore the certs on the other nodes when i put the cluster in mixed
>> mode?
>>
>> - Also while poking around - once again, non-secure mode - I noticed all
>> the CallManager.pem files have varying expiration dates on them (seems to
>> coincide with when I refreshed hardware). Some of them expire as early as
>> 2014.. would it be a good idea to refresh the certs now so that they have
>> later expiration dates, before I start pushing CTL files out to phones? If
>> I do this, do I need to restart the CM service?
>>
>> Thanks !
>>
>>
>> --
>> Ed Leatherman
>>
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>>
>


-- 
Ed Leatherman
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20120620/7ac284ae/attachment.html>


More information about the cisco-voip mailing list