[cisco-voip] CUCM Certificate question
Brian Meade
bmeade90 at vt.edu
Tue Jul 1 15:46:20 EDT 2014
On 7.x as long as you're not on a mixed mode cluster, re-generate any certs
to your heart's desire and just reboot the nodes to restart all services.
Sometimes I've seen the ipsec-trust not get updated automatically on the
other nodes which may require some manual intervention.
You can check the Cluster Security Mode under System->Enterprise
Parameters. 0 is non-secure. 1 is mixed-mode.
Brian
On Tue, Jul 1, 2014 at 12:04 PM, Corson, Teressa <Teressa.Corson at doit.nh.gov> wrote:
> Hi, I hope someone might be able to help me on this.
>
>
>
> I have a CUCM 7.1.5 cluster and several certificates are expiring tomorrow
> (CAPF-trust, CallManager-trust, ipsec-trust, CAPF, CallManager, ipsec,
> tomcat). The latter 4 were self-signed and I was able to regenerate them
> to renew the expiration date. After doing that on both pub and one sub
> (the other sub doesn’t show them expiring), I restarted tomcat. I later
> noted that the CAPF-trust, CallManager-trust, ipsec-trust certs now also
> have a new date equal to those I regenerated. The CAPF-trust and
> CallManager-trust actually show up on two new lines in the GUI; so the old
> cert is there and the new one is too.
>
> From what I’m reading online, it appears that I still have other steps to
> complete in order to direct CUCM to use the new certs. This is where I
> need assistance. I read some steps online that said “Run the CTL client
> and update CTL” but I do not know what that means. I downloaded the CTL
> Client plugin and, after finding an old 32-bit laptop, was able to install
> it there. Now, I’m not sure where to go from here.
>
> Our phones don’t use a secure mode as far as I can tell. Security Setup
> shows Security Mode = Non Secure and LSC = Not Installed. Trust List menu
> shows no CTL or ITL file installed, but it does say “Configuration
> (signed).”
>
>
>
> Am I headed down the right path? What should I be expecting from the CTL
> Client? Or is there something different that I need to do to have the CUCM
> use the new certs?
>
>
> Thanks.
>
>
> T.
>
>
>
> Teressa Corson, CCNP, CCDA, CCNP-Voice
>
> TSS VI, Operations
>
> Network Operations
>
> State of NH, Department of Information Technology
>
> 603-223-5727
>
> www.nh.gov/doit