[cisco-voip] cisco phone-vpn cert expiration

Erick Wellnitz ewellnitzvoip at gmail.com
Thu Jan 30 15:24:23 EST 2014


This did not work as described.

The new cert took the place of the old one in certificate management. Now if
a VPN phone reboots for any reason they cannot reconnect.


On Tue, Jan 28, 2014 at 9:27 AM, Brian Meade (brmeade) <brmeade at cisco.com> wrote:

>  Erick,
>
>
>
> You can add a 2nd cert to the VPN Gateway configuration after you add it
> as a VPN-Trust.
>
>
>
> So what you want to do is create a new trustpoint on the ASA with the new
> certificate, upload that to CUCM as a phone-vpn-trust, and then add it as a
> 2nd cert to the VPN Gateway.
>
>
>
> You'll then want to make sure all the VPN phones get reset so they get the
> new certificate as well.
>
>
>
> After all the VPN phones have both certificates, you can then change SSL
> on the ASA to bind to the other trustpoint and start using the new
> certificate.
>
>
>
> If you follow that method, you won't have to bring any of the VPN phones
> back in as long as they're connected.  The main problem with this method is
> some people have VPN phones that they rarely connect so you'll need to make
> sure everyone connects their phones to get the new certificate before you
> make the change on the ASA.
>
>
>
> Brian
>
>
>
> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] *On Behalf
> Of *Erick Wellnitz
> *Sent:* Tuesday, January 28, 2014 10:20 AM
> *To:* cisco-voip
> *Subject:* [cisco-voip] cisco phone-vpn cert expiration
>
>
>
> I have a situation I'm sure isn't unique.
>
>
>
> What happens when I upload a new phone-vpn cert to the CUCM to replace an
> expired/expiring one?
>
>
>
> Are vpn phones going to freak out and stop authenticating to the VPN or
> should everything be smooth sailing?
>