[cisco-voip] cisco phone-vpn cert expiration

Justin Steinberg jsteinberg at gmail.com
Thu Jan 30 17:45:22 EST 2014


This can also happen if you used a wildcard cert.

The workaround is to upload the new wildcard cert to a sub's osadmin page.
Then on ccmadmin, both the old and new are available.
On Jan 30, 2014 4:15 PM, "Erick Wellnitz" <ewellnitzvoip at gmail.com> wrote:

> We aren't terribly worried because there are only about 7 of these phones
> out there.  We'll let them have their temper tantrum and then they'll bring
> their phones back.
>
> We've had really bad luck with these phone vpn setups.
>
>
> On Thu, Jan 30, 2014 at 3:07 PM, Brian Meade (brmeade) <brmeade at cisco.com> wrote:
>
>> What you could do to resolve the phones without bringing them in would
>> be to temporarily set up a NAT with a static IP for one of your TFTP
>> servers just for TFTP traffic and use the Alternate TFTP settings on the
>> phones so they can pull the new config files with the new certificate in
>> them.  But it may be a little risky opening up the TFTP service on one node
>> to the outside world temporarily.
>>
>> *From:* Erick Wellnitz [mailto:ewellnitzvoip at gmail.com]
>> *Sent:* Thursday, January 30, 2014 3:51 PM
>> *To:* Brian Meade (brmeade)
>> *Cc:* cisco-voip
>> *Subject:* Re: [cisco-voip] cisco phone-vpn cert expiration
>>
>> The old one was expired.  That might make the difference.
>>
>> On Thu, Jan 30, 2014 at 2:40 PM, Brian Meade (brmeade) <brmeade at cisco.com>
>> wrote:
>>
>> Erick,
>>
>> It shouldn't have replaced the other VPN-trust in certificate
>> management. I've done this scenario successfully with many customers.
>> I'll try this in the lab.  It may be due to the same Common Name on the
>> certificate but usually it will just rename the new one to like
>> commonname-1.pem.
>>
>> Thanks,
>>
>> Brian
>>
>> *From:* Erick Wellnitz [mailto:ewellnitzvoip at gmail.com]
>> *Sent:* Thursday, January 30, 2014 3:24 PM
>> *To:* Brian Meade (brmeade)
>> *Cc:* cisco-voip
>> *Subject:* Re: [cisco-voip] cisco phone-vpn cert expiration
>>
>> This did not work as described.
>>
>> The new cert took the place of the old one in certificate management. Now
>> if a VPN phone reboots for any reason they cannot reconnect.
>>
>> On Tue, Jan 28, 2014 at 9:27 AM, Brian Meade (brmeade) <brmeade at cisco.com>
>> wrote:
>>
>> Erick,
>>
>> You can add a 2nd cert to the VPN Gateway configuration after you add it
>> as a VPN-Trust.
>>
>> So what you want to do is create a new trustpoint on the ASA with the new
>> certificate, upload that to CUCM as a phone-vpn-trust, and then add it as a
>> 2nd cert to the VPN Gateway.
>>
>> You'll then want to make sure all the VPN phones get reset so they get
>> the new certificate as well.
>>
>> After all the VPN phones have both certificates, you can then change SSL
>> on the ASA to bind to the other trustpoint and start using the new
>> certificate.
>>
>> If you follow that method, you won't have to bring any of the VPN phones
>> back in as long as they're connected.  The main problem with this method is
>> some people have VPN phones that they rarely connect so you'll need to make
>> sure everyone connects their phones to get the new certificate before you
>> make the change on the ASA.
>>
>> Brian
>>
>> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] *On
>> Behalf Of *Erick Wellnitz
>> *Sent:* Tuesday, January 28, 2014 10:20 AM
>> *To:* cisco-voip
>> *Subject:* [cisco-voip] cisco phone-vpn cert expiration
>>
>> I have a situation I'm sure isn't unique.
>>
>> What happens when I upload a new phone-vpn cert to the CUCM to replace an
>> expired/expiring one?
>>
>> Are vpn phones going to freak out and stop authenticating to the VPN or
>> should everything be smooth sailing?
>>
>
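A pre-flight check for the two-certificate rollover Brian describes above (old and new phone-vpn-trust side by side, reset the phones, then move the ASA SSL trustpoint), written as an added example that is not part of the thread. It assumes openssl is on PATH and takes the old and new PEM files as arguments; the file names and the 30-day margin are arbitrary choices of this example.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks on the old and new
# phone-vpn-trust certificates before the second cert is added to the
# VPN Gateway and the ASA ssl trust-point is swapped. Assumes openssl on PATH.

cert_cn() {
    # Common Name from the subject, e.g. "vpn.example.test" (constructed name)
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

cert_fp() {
    # SHA-256 fingerprint: the reliable way to tell two certs with the same CN apart
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# vpn_trust_preflight OLD.pem NEW.pem
# Exits 0 when the overlap period can safely start, 1 otherwise; findings go to stdout.
vpn_trust_preflight() {
    old="$1"; new="$2"; rc=0
    for f in "$old" "$new"; do
        openssl x509 -in "$f" -noout 2>/dev/null \
            || { echo "FAIL: $f is not a PEM certificate"; return 1; }
    done
    # The "second cert" must really be a different certificate.
    if [ "$(cert_fp "$old")" = "$(cert_fp "$new")" ]; then
        echo "FAIL: old and new certificates are identical"; rc=1
    fi
    # Same CN is allowed, but the two entries then look alike in ccmadmin;
    # print both fingerprints so they can be told apart there.
    if [ "$(cert_cn "$old")" = "$(cert_cn "$new")" ]; then
        echo "WARN: same CN '$(cert_cn "$new")'; old $(cert_fp "$old") new $(cert_fp "$new")"
    fi
    # Phones reconnect against the old cert until they have both, so it must still be valid.
    if ! openssl x509 -in "$old" -noout -checkend 0 >/dev/null; then
        echo "FAIL: old certificate already expired; phones that reboot cannot reconnect"; rc=1
    fi
    # The new cert needs enough life left to cover the "reset every phone" window.
    if ! openssl x509 -in "$new" -noout -checkend 2592000 >/dev/null; then
        echo "FAIL: new certificate expires within 30 days"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: safe to add $new as the second VPN Gateway certificate"
    return "$rc"
}
```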