[cisco-voip] [EXT] Re: How to handle expired Phone-VPN-trust, phone-SAST-trust, other certificates

Daniel Pagan dpagan at fidelus.com
Thu Oct 25 09:09:09 EDT 2018


In your example, the SERVER2 certificate in phone-vpn-trust is there because someone would have placed it there for some reason. Some additional info... certificates uploaded to the phone-vpn-trust store can be associated with a VPN gateway in /ccmadmin. When assigned to a VPN-enabled phone through a common phone profile, a hash of the certificate is provided to the phone in its .cnf file. This certificate would/should be the same SSL cert assigned to the VPN gateway(s) configured. During the TLS handshake between the phone and the ASA, the phone compares the SHA1 hash of the identity certificate it receives with the hash contained in its previously downloaded config file.

With that said -
Why is there SERVER2.DER in the phone-vpn-trust store?
DP: Likely someone placed it there.

Is this expected?
DP: Not by default.

Does a phone contact SERVER2 while using the Phone VPN?
DP: Only if SERVER2 is the VPN gateway. The phone uses the VPN gateway URL to determine where to connect, then compares the certificate hash during TLS negotiation.

Is there by default, or someone added, even by mistake?
DP: Added and (if SERVER2 is a UC server) likely by mistake.

Hope this helps.

- Dan


From: cisco-voip <cisco-voip-bounces at puck.nether.net> On Behalf Of ROZA, Ariel
Sent: Tuesday, October 23, 2018 11:52 AM
To: James Andrewartha <jandrewartha at ccgs.wa.edu.au>; cisco-voip at puck.nether.net
Subject: [EXT] Re: [cisco-voip] How to handle expired Phone-VPN-trust, phone-SAST-trust, other certificates

My main issue is not about the deletion process, but about the purpose and usefulness of each of those certificates. Being able to judge if it is good to delete or not certain certificates (even when expired).

I have this guide:
https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.htm

that gives a description of the purpose of each store, but it does not give specifics on why is there a particular  certificate in a store. Ie. Why is there SERVER2.DER in the phone-vpn-trust store? Is this expected? Does a phone contact SERVER2 while using the Phone VPN? Is there by default, or someone added, even by mistake?

And the expired certs that I have are not some that are renewable. All of them are in -trust stores.

So I am quite puzzled about them.

De: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] En nombre de James Andrewartha
Enviado el: martes, 23 de octubre de 2018 12:39 a.m.
Para: cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
Asunto: Re: [cisco-voip] How to handle expired Phone-VPN-trust, phone-SAST-trust, other certificates

And if you have any problems deleting them (I had one that just would not go away and gave me alarms for years), just call TAC and they'll take you through the SQL to kill them permanently.

On 23/10/18 03:08, NateCCIE wrote:
The expired certs will throw alarms even if they have been superseded by newer certs.

So during a maintenance window, renew anything that is expired, and just delete all the old ones.  The newer versions of cucm make this easier by being able to sort by expiration date.

-Nate

From: cisco-voip <cisco-voip-bounces at puck.nether.net><mailto:cisco-voip-bounces at puck.nether.net> On Behalf Of ROZA, Ariel
Sent: Monday, October 22, 2018 11:52 AM
To: cisco-voip (cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>) <cisco-voip at puck.nether.net><mailto:cisco-voip at puck.nether.net>
Subject: [cisco-voip] How to handle expired Phone-VPN-trust, phone-SAST-trust, other certificates

Hi, guys!

I have a customer that is receiving alarms over some expired certificates, and I would like to know which is the best way to handle them.
The certs are loaded in SERVER1 and all named SERVER2.der, except the CAPF ones.
<servername>.der in phone-vpn-trust.
<servername> .der in phone-trust
<servername>.der in phone-SAST-trust
<servername>.der in phone-CTL-trust
And several CAPF-xxxxxx.der in Callmanager-trust

So far I have dealt with renewing Callmanager, TFTP and TVS cert, but I always kept clear from those other certs
Shoud I delete them, shoud I keep them, even as they are expired and throwing alarms?


Regards.


Ariel Roza
Collaboration Support Engineer
t: +54 11 5282-0458
c: +54 9 11 5017-4417 webex: http://logicalis-la.webex.com/join/ariel.roza<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flogicalis-la.webex.com%2Fjoin%2Fariel.roza&data=02%7C01%7Cariel.roza%40la.logicalis.com%7C42e5247c66914b1d315c08d638992622%7C2e3290cb8d404058abe502c4f58b87e3%7C0%7C0%7C636758627765789267&sdata=cqchqbY98HGTZ4rDIEBWzaoBX2dPJkE8dCnqeu%2BmSXA%3D&reserved=0>
Av. Belgrano 955 - Piso 20 - CABA - Argentina - C1092AAJ
www.la.logicalis.com<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.la.logicalis.com%2F&data=02%7C01%7Cariel.roza%40la.logicalis.com%7C42e5247c66914b1d315c08d638992622%7C2e3290cb8d404058abe502c4f58b87e3%7C0%7C0%7C636758627765789267&sdata=gJhPidfXD%2BeH0mg8xm0p1NRM7RmDRZ%2BWZouhlcUEgFE%3D&reserved=0>
_________________________________________________
Business and technology working as one
[cid:image003.png at 01D3894B.346BF840]

[cid:image005.png at 01D3894B.43930F20]

[cid:image003.jpg at 01D46C40.AF7C4250][Descripción: Descripción: Descripción:                    Descripción: Descripción: Descripción: Descripción:                    Descripción: Descripción: Descripción: Descripción:                    Descripción: Descripción: Descripción: Descripción:                    Descripción: tw]<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftwitter.com%2FLogicalisLatam&data=02%7C01%7Cariel.roza%40la.logicalis.com%7C42e5247c66914b1d315c08d638992622%7C2e3290cb8d404058abe502c4f58b87e3%7C0%7C0%7C636758627765789267&sdata=S2AHX%2Bxshq4krLr54BNC6j7ih6d%2BvETh2QPhtf4BK7g%3D&reserved=0> [Descripción: Descripción: Descripción:                    Descripción: Descripción: Descripción: Descripción:                    Descripción: Descripción: Descripción: Descripción:                    Descripción: Descripción: Descripción: Descripción:                    Descripción: fb] <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fes-es.facebook.com%2Fpages%2FLogicalis-Latam%2F234648439078&data=02%7C01%7Cariel.roza%40la.logicalis.com%7C42e5247c66914b1d315c08d638992622%7C2e3290cb8d404058abe502c4f58b87e3%7C0%7C0%7C636758627765789267&sdata=LEgXTk5yp6f2at0cHQ3oAARRsdStH6SZooGkmWZPCuQ%3D&reserved=0>  [Descripción: Descripción: Descripción:                    Descripción: Descripción: Descripción: Descripción:                    Descripción: Descripción: Descripción: Descripción:                    Descripción: Descripción: Descripción: Descripción:                    Descripción: yt] <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.youtube.com%2Flogicalislatam&data=02%7C01%7Cariel.roza%40la.logicalis.com%7C42e5247c66914b1d315c08d638992622%7C2e3290cb8d404058abe502c4f58b87e3%7C0%7C0%7C636758627765789267&sdata=zH3Z3qakossmepmjj3PIwFNfVi1zlfEdIhf5OM3stRg%3D&reserved=0>

Logicalis Argentina S.A. solo puede ser obligado por sus representantes legales conforme los límites establecidos en el acto constitutivo y la legislación en vigor.
El contenido del presente correo electrónico e inclusive sus anexos contienen información confidencial.
El mismo no puede ser divulgado y/o utilizado por cualquiera otro distinto al destinatario, ni puede ser copiado de cualquier forma.






_______________________________________________

cisco-voip mailing list

cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>

https://puck.nether.net/mailman/listinfo/cisco-voip<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpuck.nether.net%2Fmailman%2Flistinfo%2Fcisco-voip&data=02%7C01%7Cariel.roza%40la.logicalis.com%7C42e5247c66914b1d315c08d638992622%7C2e3290cb8d404058abe502c4f58b87e3%7C0%7C0%7C636758627765789267&sdata=dMXCZhW5XIfGfzcarRm3%2BCaMeXKCYiMCn1lxmHkI2u8%3D&reserved=0>



--

James Andrewartha

Network & Projects Engineer

Christ Church Grammar School

Claremont, Western Australia

Ph. (08) 9442 1757

Mob. 0424 160 877
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20181025/8060b195/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 5832 bytes
Desc: image001.png
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20181025/8060b195/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 14260 bytes
Desc: image002.png
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20181025/8060b195/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.jpg
Type: image/jpeg
Size: 1215 bytes
Desc: image003.jpg
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20181025/8060b195/attachment.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 1468 bytes
Desc: image004.png
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20181025/8060b195/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.png
Type: image/png
Size: 1384 bytes
Desc: image005.png
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20181025/8060b195/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image006.png
Type: image/png
Size: 1470 bytes
Desc: image006.png
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20181025/8060b195/attachment-0004.png>


More information about the cisco-voip mailing list