[cisco-voip] re-genarate certifications

Ryan Huff ryanhuff at outlook.com
Fri Jun 23 13:05:23 EDT 2017


So maybe then CUCM should be able to ssh into the default gateway of each phone segment and bounce the POE services? LOL ... I understand how ridiculous that sounded.

I can definitely see the challenges with that! At the very least, it couldn't be a completely automated process and would have to have some sort of manual intervention.


On Jun 23, 2017, at 1:00 PM, Ryan Ratliff (rratliff) <rratliff at cisco.com> wrote:

The signing of the CTL and ITL is easy to fix.

The bigger problem is the automatic phone reset.
-Ryan

On Jun 23, 2017, at 12:58 PM, Ryan Huff <ryanhuff at outlook.com> wrote:

I suspect that would just obliterate CTL every time certbot runs the renewal ... every 3 months all phones reject registration... fun stuff.

I suspect there would have to be a fundamental change with TVS and the SBD architecture.

-Ryan

On Jun 23, 2017, at 12:44 PM, Ryan Ratliff (rratliff) <rratliff at cisco.com> wrote:

Letsencrypt has 90-day certificates and they auto-renew at 60 days (IIRC).

If you think that’s ok for a CUCM you really need to come listen to me on Monday morning.

-Ryan

On Jun 23, 2017, at 12:15 PM, Charles Goldsmith <wokka at justfamily.org> wrote:

Nothing has been announced about it that I'm aware of, but it would be awesome if they did.  It only makes sense since Cisco is a major sponsor of Let's Encrypt.

CUCM, CUC, UCCX, IM&P and Expressway should be the priority in my mind :)  After that, CIMC (updated for all m3 and higher hosts of course), and after that, you can throw a bone to the security, wireless and R&S groups...

On Fri, Jun 23, 2017 at 10:11 AM, Heim, Dennis <Dennis.Heim at wwt.com> wrote:
Is 12.x going to support ACME?

Dennis Heim | Emerging Technology Architect (Collaboration)
World Wide Technology, Inc. | +1 314-212-1814

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Anthony Holloway
Sent: Thursday, June 22, 2017 1:00 PM
To: Ryan Ratliff (rratliff) <rratliff at cisco.com>
Cc: cisco-voip voyp list <cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] re-genarate certifications

Like how 12.0 seamlessly integrates with https://letsencrypt.org/?

On Thu, Jun 22, 2017 at 11:31 AM Ryan Ratliff (rratliff) <rratliff at cisco.com> wrote:
Since I have the bright and way-too-early Monday 8AM slot this year I need all the advertisement I can get :)

The deck got a big overhaul for Berlin this year and next week won’t be much different than the recording I linked to earlier, though I do get to talk about some cool stuff coming in 12.0.

-Ryan

On Jun 22, 2017, at 12:21 PM, Anthony Holloway <avholloway+cisco-voip at gmail.com> wrote:

Geez Philip! Way to be pushy about your session!  ;)

I was in this session (sitting behind Josh Warcop of all people) and it was really informative.  It was at the time when multi-server Tomcat certificates were just coming out and the session really helped prepare me for that new feature.

On Thu, Jun 22, 2017 at 8:34 AM Ryan Ratliff (rratliff) <rratliff at cisco.com> wrote:
I would highly recommend checking out https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=93902&backBtn=true.
(BRKUCC-2501 from ciscolive365.com if that link does not work).

Yes, it’s my session but with CLUS next week hopefully nobody minds the plug.

-Ryan

On Jun 21, 2017, at 8:02 PM, erik.anderson.85 at gmail.com wrote:

Take a look at the link below; it walks through what each cert does, so it should help you understand the impacts. From my experience working with non-secured clusters, you need to do one cert at a time to allow CUCM to push out that cert to the phones. Since the phones essentially use 2 certs to trust CUCM, you can regen them in stages.

http://www.cisco.com/image/gif/paws/117299/117299-problemsolution-product-00.pdf

-Erik Anderson

From: Samadi boukil <boukilsamadi at gmail.com>
Sent: Wednesday, June 21, 2017 6:32 PM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] re-genarate certifications

Hi,
I want to know about the impact(s) of re-generation of certifications on CUCM 8.x (Call Manager in secure mode).
Thanks.

--
SAMADI Boukil
Engineering Student
Telecommunications & Network Engineering
LinkedIn profile: https://www.linkedin.com/in/boukil-samadi
+212696184254

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
