[cisco-voip] Certificates expires - what happens next?

Brian Meade bmeade90 at vt.edu
Mon May 4 14:59:01 EDT 2015


Right, you don't want to be just regenerating all of the certs on a
non-mixed-mode cluster with CTL.

For what to do in that situation, it depends on whether the LSCs are already
expired or not.  If you still have time, just get the certs updated and
re-issue new LSCs using CAPF.  If the phones are already unregistered, you
can do the same thing or change the security profiles to non-secure like
you mentioned to get you to a maintenance window.

Any time you regenerate a CallManager/CAPF/TVS certificate on any node in
8.6 and above, all phones will reset, so be aware of that: your secure
phones will then try to re-register right then and won't be able to until
you finish the whole process of updating the certs and pushing new LSCs.

On Mon, May 4, 2015 at 1:42 PM, Ryan Ratliff (rratliff) <rratliff at cisco.com>
wrote:

>  Turning off security would get the phones registered, but if you regen
> all your certs at the same time you will strand your phones on an ITL that
> can't be updated. If you have CTLs signed by etokens you will probably be
> ok once you rerun the CTL client.
>
>  This is why you configure certificate notification and act on it. Do
> your CallManager cert in one maint window, make sure your phones all reset
> and update their ITLs. Then do tomcat and the rest.
>
>  Ryan
>
> Sent from my iPhone
>
> On May 4, 2015, at 1:16 PM, Justin Steinberg <jsteinberg at gmail.com> wrote:
>
>   Brian - if you find yourself in this situation, how do you fix it?
>  Turn off the security profile on the phone so it is no longer required to
> authenticate, then update the phone certs and re-enable the security
> profile?
>
> On Mon, May 4, 2015 at 12:44 PM, Brian Meade <bmeade90 at vt.edu> wrote:
>
>> Nothing really stops working besides certificate warnings in the
>> browser.  The phones don't check validity dates.  Only issue with a secure
>> cluster is the CAPF on the publisher expiring since it signed all of the
>> LSCs on the phones.  CallManager service will care about those being
>> expired and they won't be able to re-register if they are reset.
>>
>>
>>  On Mon, May 4, 2015 at 11:09 AM, Reto Gassmann <voip at mrga.ch> wrote:
>>
>>>  Hello Group
>>>
>>>  I am just curious what happens when certificates on a CUCM cluster
>>> expire. We run a UCM cluster 9.1.2 in Mixed Mode with 8 UCM servers and 2 CUPS
>>> servers.
>>>
>>>  What happens if one or all of the following certificates expire:
>>> CallManager.pem, ipsec.pem, tomcat.pem or CAPF.pem and the corresponding -trust
>>> certificates?
>>>
>>>  Will the UCM cluster stop working, DB replication issues or will I
>>> have error messages on the phones?
>>>
>>>  Thanks for your thoughts
>>> Regards Reto
>>>
>>>  _______________________________________________
>>> cisco-voip mailing list
>>> cisco-voip at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>
>>>
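The thread's advice is to configure certificate notification and act on it before CallManager.pem or CAPF.pem lapses. The script below is an added example (not from the thread, and not a Cisco tool) that does the check offline on certificates you have already exported: it assumes `openssl` is on PATH and that the .pem files were downloaded from each node's OS Administration certificate page into one directory under their original names (CallManager.pem, CAPF.pem, tomcat.pem, ipsec.pem, as in the question). The 60-day default window, the `cert_*` function names and the per-certificate impact strings are assumptions made for this example; the impact strings only restate what the replies above say, so certificates the thread does not discuss are reported as having no phone impact reported.

```shell
#!/bin/sh
# Added example: triage exported CUCM certificates for upcoming expiry.
# Assumes `openssl` on PATH and a directory of *.pem files exported from
# one node, named CallManager.pem, CAPF.pem, tomcat.pem, ipsec.pem, ...
# Run it once per node: CallManager and tomcat certs are per-node.

# notAfter of a PEM certificate, as OpenSSL prints it.
cert_end_date() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Exit 0 if the certificate is still valid $2 days from now, 1 if it
# expires inside that window or has already expired. -checkend is used
# instead of parsing the date because `date -d` is GNU-only.
cert_ok_for_days() {
    _secs=$(( $2 * 86400 ))
    openssl x509 -in "$1" -noout -checkend "$_secs" >/dev/null 2>&1
}

# What the thread says breaks when each certificate expires (assumed
# wording). Anything not named in the thread gets a neutral note.
cert_impact() {
    case "$(basename "$1")" in
        CallManager*) echo "signs the ITL/CTL; regenerate in its own window and wait for all phones to reset" ;;
        CAPF*)        echo "signed the phones' LSCs; secure phones cannot re-register after expiry" ;;
        tomcat*)      echo "browser certificate warnings only" ;;
        *)            echo "no phone impact reported" ;;
    esac
}

# One report line per *.pem in directory $1, against a window of $2 days.
cert_report() {
    for _f in "$1"/*.pem; do
        [ -f "$_f" ] || continue
        if cert_ok_for_days "$_f" "$2"; then _state="ok"; else _state="EXPIRING"; fi
        printf '%-9s %-16s notAfter=%s  %s\n' "$_state" "$(basename "$_f")" \
            "$(cert_end_date "$_f")" "$(cert_impact "$_f")"
    done
}

# Echo how many *.pem files in $1 expire within $2 days (0 means nothing to do).
expiring_count() {
    _n=0
    for _f in "$1"/*.pem; do
        [ -f "$_f" ] || continue
        cert_ok_for_days "$_f" "$2" || _n=$(( _n + 1 ))
    done
    echo "$_n"
}

# Stand-alone usage: ./certcheck.sh /path/to/exported/certs [days]
if [ "$#" -ge 1 ]; then
    cert_report "$1" "${2:-60}"
    echo "$(expiring_count "$1" "${2:-60}") certificate(s) expire within ${2:-60} days"
fi
```

Run it against each node's export well inside the window, and treat an EXPIRING CallManager.pem as the first thing to renew on its own, waiting for every phone to reset and pick up the new ITL before touching CAPF, tomcat or the rest, as the replies above describe.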