[cisco-voip] cisco phone-vpn cert expiration

Erick Wellnitz ewellnitzvoip at gmail.com
Thu Jan 30 15:50:38 EST 2014


The old one was expired.  That might make the difference.




On Thu, Jan 30, 2014 at 2:40 PM, Brian Meade (brmeade) <brmeade at cisco.com> wrote:

>  Erick,
>
>
>
> It shouldn't have replaced the other VPN-trust in certificate management.
>   I've done this scenario successfully with many customers.  I'll try this
> in the lab.  It may be due to the same Common Name on the certificate but
> usually it will just rename the new one to like commonname-1.pem.
>
>
>
> Thanks,
>
> Brian
>
>
>
> *From:* Erick Wellnitz [mailto:ewellnitzvoip at gmail.com]
> *Sent:* Thursday, January 30, 2014 3:24 PM
> *To:* Brian Meade (brmeade)
> *Cc:* cisco-voip
> *Subject:* Re: [cisco-voip] cisco phone-vpn cert expiration
>
>
>
> This did not work as described.
>
>
>
> The new cert took the place of the old one in certificate management; now
> if a VPN phone reboots for any reason it cannot reconnect.
>
>
>
> On Tue, Jan 28, 2014 at 9:27 AM, Brian Meade (brmeade) <brmeade at cisco.com>
> wrote:
>
> Erick,
>
>
>
> You can add a 2nd cert to the VPN Gateway configuration after you add it
> as a VPN-Trust.
>
>
>
> So what you want to do is create a new trustpoint on the ASA with the new
> certificate, upload that to CUCM as a phone-vpn-trust, and then add it as a
> 2nd cert to the VPN Gateway.
>
>
>
> You'll then want to make sure all the VPN phones get reset so they get the
> new certificate as well.
>
>
>
> After all the VPN phones have both certificates, you can then change SSL
> on the ASA to bind to the other trustpoint and start using the new
> certificate.
>
>
>
> If you follow that method, you won't have to bring any of the VPN phones
> back in as long as they're connected.  The main problem with this method is
> some people have VPN phones that they rarely connect so you'll need to make
> sure everyone connects their phones to get the new certificate before you
> make the change on the ASA.
>
>
>
> Brian
>
>
>
> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] *On Behalf
> Of *Erick Wellnitz
> *Sent:* Tuesday, January 28, 2014 10:20 AM
> *To:* cisco-voip
> *Subject:* [cisco-voip] cisco phone-vpn cert expiration
>
>
>
> I have a situation I'm sure isn't unique.
>
>
>
> What happens when I upload a new phone-vpn cert to the CUCM to replace an
> expired/expiring one?
>
>
>
> Are vpn phones going to freak out and stop authenticating to the VPN or
> should everything be smooth sailing?
>
>
>
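The ordering Brian describes (phones must hold both the old and the new phone-vpn-trust before the ASA's SSL trustpoint is switched) and the failure Erick hit (the new cert replaced the old one in CUCM certificate management, so a rebooting phone downloads a trust list that no longer matches what the ASA presents) both come down to one check: does the certificate the gateway presents chain to something in the phone's trust list at the time of the connection. The following Go program is an added illustration, not code from the thread or from Cisco; it generates two constructed self-signed stand-ins for the old (expiring) and new gateway certificates with the same Common Name, then runs each phase of the rotation through Go's standard x509 verifier the way a phone's trust check would. The hostname, dates and phase names are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a constructed, self-signed stand-in for a phone-vpn
// certificate with the given CN and validity window. A real one would be
// the identity certificate of the ASA trustpoint; this just runs offline.
func makeCert(cn string, notBefore, notAfter time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// PhoneTrusts reports whether a phone whose phone-vpn-trust list holds
// `trust` would accept a gateway presenting `gateway` for `host` at `now`.
// Both validity dates and chain membership are checked, as a phone would.
func PhoneTrusts(trust []*x509.Certificate, gateway *x509.Certificate, host string, now time.Time) bool {
	pool := x509.NewCertPool()
	for _, c := range trust {
		pool.AddCert(c)
	}
	_, err := gateway.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: now})
	return err == nil
}

// RotationOutcomes walks the phases discussed in the thread. Dates are
// constructed: the old cert expires 2014-02-15, the new one is already valid.
func RotationOutcomes() map[string]bool {
	host := "vpn.example.com" // assumed hostname
	utc := func(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }
	oldCert := makeCert(host, utc(2013, 1, 15), utc(2014, 2, 15))
	newCert := makeCert(host, utc(2014, 1, 20), utc(2015, 2, 15))
	now := utc(2014, 1, 30)
	old := []*x509.Certificate{oldCert}
	both := []*x509.Certificate{oldCert, newCert}
	only := []*x509.Certificate{newCert}
	return map[string]bool{
		"status quo: old trust, ASA on old":               PhoneTrusts(old, oldCert, host, now),
		"phone never reconnected, ASA switched to new":   PhoneTrusts(old, newCert, host, now),
		"both certs on phone, ASA switched to new":       PhoneTrusts(both, newCert, host, now),
		"CUCM overwrote old, phone rebooted, ASA on old": PhoneTrusts(only, oldCert, host, now),
		"old cert past expiry, nothing rotated":          PhoneTrusts(old, oldCert, host, utc(2014, 3, 1)),
	}
}

func main() {
	for phase, ok := range RotationOutcomes() {
		fmt.Printf("%-48s connects=%v\n", phase, ok)
	}
}
```

The two failing phases are exactly the two risks in the thread: a phone that never pulled the updated trust list before the ASA cutover, and a phone that rebooted after CUCM kept only the new entry while the ASA was still serving the old certificate. Before changing `ssl trust-point` on the ASA, the defensive check is therefore that both entries are present under certificate management and that every VPN phone has been reset since the second one was added.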