[cisco-voip] Certificates expires - what happens next?

Ryan Ratliff (rratliff) rratliff at cisco.com
Mon May 4 13:42:18 EDT 2015


Turning off security would get the phones registered, but if you regen all your certs at the same time you will strand your phones on an ITL that can't be updated. If you have CTLs signed by etokens you will probably be ok once you rerun the CTL client.

This is why you configure certificate notification and act on it. Do your CallManager cert in one maint window, make sure your phones all reset and update their ITLs. Then do tomcat and the rest.

Ryan

Sent from my iPhone
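Ryan's advice above is to configure certificate expiry notification and act on it before the CallManager cert lapses. Below is an added example, not code from the thread or from Cisco, of a small POSIX shell check that does the same thing offline against certificates you have already exported from a node: it reports which PEM files in a directory expire within a given number of days, using only openssl(1). It assumes the exported files are named after the CUCM certificate they came from (CallManager.pem, tomcat.pem, ipsec.pem, CAPF.pem) and that openssl is on the PATH; the `--demo` branch builds a constructed self-signed cert purely to show the output format.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from Cisco): list the
# exported CUCM certificate PEM files in a directory that expire within N days.
# Assumption: the PEMs were downloaded from a node and named after the CUCM
# cert they came from (CallManager.pem, tomcat.pem, ipsec.pem, CAPF.pem).

set -u

# cert_expires_within DAYS PEMFILE
# Returns 0 (true) if the cert expires, or has already expired, inside the
# window; 1 otherwise. `openssl x509 -checkend SECONDS` exits 0 when the
# cert is still valid SECONDS from now and non-zero when it will have expired.
cert_expires_within() {
    days=$1
    pem=$2
    if openssl x509 -noout -checkend $((days * 86400)) -in "$pem" >/dev/null 2>&1; then
        return 1   # still valid past the end of the window
    else
        return 0   # expires inside the window (or cannot be read as a cert)
    fi
}

# cert_not_after PEMFILE: print the notAfter date as openssl reports it.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# report_expiring_certs DAYS DIR
# Prints one line per expiring cert found in DIR. Returns 0 when at least one
# cert needs attention, 1 when nothing in DIR expires within the window.
report_expiring_certs() {
    days=$1
    dir=$2
    found=1
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        # Skip files that are not X.509 certificates (e.g. a stray private key).
        openssl x509 -noout -in "$pem" >/dev/null 2>&1 || continue
        if cert_expires_within "$days" "$pem"; then
            printf '%s expires within %s days (notAfter=%s)\n' \
                "$(basename "$pem")" "$days" "$(cert_not_after "$pem")"
            found=0
        fi
    done
    return $found
}

# Stand-alone demo on a constructed, throwaway self-signed cert (20-day
# validity) so the output format can be seen without touching a cluster.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 20 -subj '/CN=demo-CallManager' \
        -keyout "$demo/CallManager.key" -out "$demo/CallManager.pem" >/dev/null 2>&1
    report_expiring_certs 30 "$demo" || echo "nothing expiring within 30 days"
    rm -rf "$demo"
fi
```

Run it as `sh check-certs.sh --demo` to see the constructed case, or call `report_expiring_certs 60 /path/to/exported-pems` from your own script. Checking each cert separately matches the sequencing Ryan describes: knowing that only CallManager.pem is close to expiry lets you regenerate it in its own maintenance window, confirm the phones have reset and picked up the new ITL, and leave tomcat and the rest for later.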

On May 4, 2015, at 1:16 PM, Justin Steinberg <jsteinberg at gmail.com> wrote:

Brian - if you find yourself in this situation, how do you fix it? Turn off the security profile on the phone so it is no longer required to authenticate, then update the phone certs and re-enable the security profile?

On Mon, May 4, 2015 at 12:44 PM, Brian Meade <bmeade90 at vt.edu> wrote:
Nothing really stops working besides certificate warnings in the browser. The phones don't check validity dates. The only issue with a secure cluster is the CAPF on the publisher expiring, since it signed all of the LSCs on the phones. The CallManager service will care about those being expired, and the phones won't be able to re-register if they are reset.


On Mon, May 4, 2015 at 11:09 AM, Reto Gassmann <voip at mrga.ch> wrote:
Hello Group

I am just curious what happens when certificates on a CUCM cluster expire. We run a UCM cluster 9.1.2 in Mixed Mode with 8 UCM servers and 2 CUPS servers.

What happens if one or all of the following certificates expire: CallManager.pem, ipsec.pem, tomcat.pem or CAPF.pem and the corresponding -trust certificates?

Will the UCM cluster stop working, will there be DB replication issues, or will I have error messages on the phones?

Thanks for your thoughts
Regards Reto

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip