[cisco-voip] How to handle expired Phone-VPN-trust, phone-SAST-trust, other certificates

ROZA, Ariel Ariel.ROZA at LA.LOGICALIS.COM
Tue Oct 23 11:51:39 EDT 2018


My main issue is not about the deletion process, but about the purpose and usefulness of each of those certificates: being able to judge whether or not it is good to delete certain certificates (even when expired).

I have this guide:
https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.htm

that gives a description of the purpose of each store, but it does not give specifics on why there is a particular certificate in a store. I.e., why is there SERVER2.DER in the phone-vpn-trust store? Is this expected? Does a phone contact SERVER2 while using the Phone VPN? Is it there by default, or did someone add it, even by mistake?

And the expired certs that I have are not some that are renewable. All of them are in -trust stores.

So I am quite puzzled about them.

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of James Andrewartha
Sent: Tuesday, October 23, 2018 12:39 a.m.
To: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] How to handle expired Phone-VPN-trust, phone-SAST-trust, other certificates

And if you have any problems deleting them (I had one that just would not go away and gave me alarms for years), just call TAC and they'll take you through the SQL to kill them permanently.

On 23/10/18 03:08, NateCCIE wrote:
The expired certs will throw alarms even if they have been superseded by newer certs.

So during a maintenance window, renew anything that is expired, and just delete all the old ones. The newer versions of CUCM make this easier by being able to sort by expiration date.

-Nate

From: cisco-voip <cisco-voip-bounces at puck.nether.net> On Behalf Of ROZA, Ariel
Sent: Monday, October 22, 2018 11:52 AM
To: cisco-voip <cisco-voip at puck.nether.net>
Subject: [cisco-voip] How to handle expired Phone-VPN-trust, phone-SAST-trust, other certificates

Hi, guys!

I have a customer that is receiving alarms over some expired certificates, and I would like to know which is the best way to handle them.
The certs are loaded in SERVER1 and all named SERVER2.der, except the CAPF ones.
<servername>.der in phone-vpn-trust.
<servername>.der in phone-trust
<servername>.der in phone-SAST-trust
<servername>.der in phone-CTL-trust
And several CAPF-xxxxxx.der in Callmanager-trust

So far I have dealt with renewing Callmanager, TFTP and TVS certs, but I always kept clear of those other certs.
Should I delete them, or should I keep them, even as they are expired and throwing alarms?


Regards.


Ariel Roza
Collaboration Support Engineer
t: +54 11 5282-0458
c: +54 9 11 5017-4417 webex: http://logicalis-la.webex.com/join/ariel.roza
Av. Belgrano 955 - Piso 20 - CABA - Argentina - C1092AAJ
www.la.logicalis.com
--

James Andrewartha

Network & Projects Engineer

Christ Church Grammar School

Claremont, Western Australia

Ph. (08) 9442 1757

Mob. 0424 160 877
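
One way to separate the two cases this thread discusses, as an added example that is not part of any poster's message: expired trust-store entries that a newer certificate has superseded, versus expired entries with nothing valid beside them, whose purpose needs answering before deletion. The inventory rows, the `family()` grouping rule and all function names are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed inventory, as copied from the certificate list:
# (trust store, file name, subject CN, expiry date). All values are made up.
INVENTORY = [
    ("phone-vpn-trust", "SERVER2.der", "SERVER2", "2017-03-01"),
    ("phone-SAST-trust", "SERVER2.der", "SERVER2", "2017-03-01"),
    ("phone-SAST-trust", "SERVER2-new.der", "SERVER2", "2022-03-01"),
    ("CallManager-trust", "CAPF-aaaa1111.der", "CAPF-aaaa1111", "2016-06-15"),
    ("CallManager-trust", "CAPF-bbbb2222.der", "CAPF-bbbb2222", "2023-06-15"),
]
NOW = datetime(2018, 10, 23, tzinfo=timezone.utc)  # date of the thread


def family(cn):
    # Assumption: a regenerated CAPF cert gets a new "CAPF-<suffix>" name, so
    # all CAPF certs are compared as one family; anything else by exact CN.
    cn = cn.strip().upper()
    return "CAPF" if cn.startswith("CAPF-") else cn


def triage(inventory, now):
    """Return (store, file, expiry, status) rows, oldest expiry first."""
    rows = []
    for store, fname, cn, expiry in inventory:
        not_after = datetime.strptime(expiry, "%Y-%m-%d").replace(tzinfo=timezone.utc)
        rows.append((store, fname, family(cn), not_after))

    # (store, family) pairs that still have at least one unexpired cert.
    covered = {(s.lower(), fam) for s, _, fam, exp in rows if exp > now}

    report = []
    for store, fname, fam, exp in rows:
        if exp > now:
            status = "valid"
        elif (store.lower(), fam) in covered:
            status = "expired-superseded"      # a newer cert covers this entry
        else:
            status = "expired-no-replacement"  # find out who trusts it first
        report.append((store, fname, exp.date().isoformat(), status))
    return sorted(report, key=lambda r: r[2])


if __name__ == "__main__":
    for row in triage(INVENTORY, NOW):
        print("{:<18} {:<18} {}  {}".format(*row))
```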