McDewey

Multi-vendor documentation library · semantic search · MCP endpoint at /mcp

Page 11

↗ View in doc context
page
11
source
cucm/v15/certificate-regeneration/certificate-regeneration.md
chunk_id
cucm::v15::certificate-regeneration::certificate-regeneration::11

Search for Device Name begins with SEP > Next > Reset Phones > Run Immediately. ○ The phones now reset. Monitor their actions via RTMT tool to ensure the reset was successful and that devices register back to CUCM. Wait for the phone registration to complete before you proceed to next certificate. This process of phones registration can take some time. Be advised, devices that had bad ITLs prior to regeneration process do not register back to the cluster until ITL is remove. ITLRecovery Certificate Note: The ITLRecovery Certificate is used when devices lose their trusted status. The certificate appears in both the ITL and CTL (when CTL provider is active, Cisco bug IDCSCwf85275). Beginning in 12.5+, the ITLRecovery is a single certificate generated by the publisher and distributed to the subscribers. If devices lose their trust status, you can use the command utils itl reset localkey for non-secure clusters and the command utils ctl reset localkey for mix-mode clusters. Read the security guide for your Call Manager version to become familiar with how the ITLRecovery certificate is used and the process required to recover trusted status. If the cluster has been upgraded to a version that supports a key length of 2048, and the clusters server certificates have been regenerated to 2048, and the ITLRecovery has not been regenerated and is currently 1024 key length, the ITL recovery command fails and the ITLRecovery method is not used. Navigate to each server in your cluster (in separate tabs of your web browser) begin with the publisher, then each subscriber. Navigate to Cisco Unified OS Administration > Security > Certificate Management > Find. Select the ITLRecovery pem Certificate. • Once open, select Regenerate and wait until you see the Success pop-up then close pop-up or go back and select Find/List. • 1. After ITLRecovery has been regenerated the ITLRecovery certificate, services need to be restarted. If cluster is in Mixed-Mode or the CTL is being used for 802.1X, you must update the CTL before you proceed further. Log into the CLI of the Publisher and enter the command utils ctl update CTLFile. ○ Reset all encrypted and authenticated phones for the CTL file update to take affect. ○ • Log into Publisher Cisco Unified Serviceability. Navigate to Cisco Unified Serviceability > Tools > Control Center - Network Services. ○ On the publisher, select Restart on Cisco Trust Verification Service. ○ • Once the service restart completes, continue with the subscribers and restart the Cisco Trust Verification Service. • 2. Begin with the Publisher, then continue with the subscribers, restart Cisco TFTP Service where status shows Started. 3. Reboot all Phones: Option 1 • Cisco Unified CM Administration > System > Enterprise Parameters Select Reset, then you see a pop-up with the statement "You are about to reset all devices in the system. This action cannot be undone. Continue?",select OK, and then select Reset. ○ This method resets ALL components in Call Manager. ○ • Option 2 • Cisco Unified CM Administration > Bulk Administration > Phones > Update Phones > Query Search for Device Name begins with SEP > Next > Reset Phones > Run Immediately. ○ • 4.