Page 12

source
cucm/v15/certificate-regeneration/certificate-regeneration.md
chunk_id
cucm::v15::certificate-regeneration::certificate-regeneration::12

Delete Expired Trust Certificates

Warning: Deleting a certificate can affect your system operations. It can also break a certificate chain if the certificate is part of an existing chain. Verify this relationship from the username and subject name of the relevant certificates in the Certificate List window.

Note: A trusted certificate is the only type of certificate that you can delete. You cannot delete a self-signed certificate that is generated by your system.

Identify the trust certificates that need to be deleted, are no longer required, or have expired. Do not delete the five base certificates, which include CallManager.pem, tomcat.pem, ipsec.pem, CAPF.pem and TVS.pem. Trust certificates can be deleted when appropriate. The next service that restarts is designed to clear information of legacy certificates within those services.

1. Navigate to Cisco Unified Serviceability > Tools > Control Center - Network Services.
   • From the drop-down, select the CUCM Publisher.
      ○ For CUCM 11.5 and lower, select Stop Certificate Change Notification. This requirement is not needed for CUCM version 12.0 and higher.
      ○ Repeat for every Call Manager node in your cluster.
   • If you have an IMP Server:
      ○ From the drop-down menu, select your IMP servers one at a time and select Stop Platform Administration Web Services and Cisco Intercluster Sync Agent. This requirement is not needed for IMP version 12.0 and higher.
2. Navigate to Cisco Unified OS Administration > Security > Certificate Management > Find.
   • Find the expired trust certificates. (For versions 10.X and higher you can filter by Expiration. For versions lower than 10.0, manually identify the certificates or use the RTMT alerts if received.)
   • The same trust certificate can appear in multiple nodes. It must be deleted individually from each node.
   • Select the trust certificate to be deleted (depending on your version, you either get a pop-up or you navigate to the certificate on the same page).
      ○ Select Delete. (You get a pop-up that begins with "you are about to permanently delete this certificate".)
      ○ Select OK.
3. Repeat the process for every trust certificate to be deleted.
4. Upon completion, restart the services that are directly related to the deleted certificates. You do not need to reboot phones in this section. Call Manager and CAPF can be endpoint impacting.
   • Tomcat-trust: restart Tomcat Service via command line (see Tomcat Section).
   • CAPF-trust: restart Cisco Certificate Authority Proxy Function (see CAPF Section). Do not reboot endpoints.
   • CallManager-trust: CallManager Service/CTIManager (see CallManager Section). Do not reboot endpoints.
      ○ Impacts endpoints and causes restarts.
   • IPSEC-trust: DRF Master/DRF Local (see IPSEC Section).
   • TVS (Self-Signed) does not have trust certificates.
5. Restart the services previously stopped in Step 1.

Verification

A verification procedure is not available for this configuration.
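A pre-deletion planning check for the procedure above, as an added example that is not part of the Cisco documentation. It takes a certificate inventory, lists expired trust certificates per node, sets aside any whose subject is still named as issuer by an unexpired certificate (the chain warning), and derives the services to restart. The record layout, host names and certificate names are assumptions and do not correspond to any CUCM export format.

```python
from datetime import datetime, timezone

# The five base certificates the page says must not be deleted.
BASE_CERTS = {"CallManager.pem", "tomcat.pem", "ipsec.pem", "CAPF.pem", "TVS.pem"}
# Trust store -> service to restart afterwards, per the restart step on the page.
RESTART = {
    "Tomcat-trust": "Tomcat",
    "CAPF-trust": "Cisco Certificate Authority Proxy Function",
    "CallManager-trust": "CallManager Service/CTIManager",
    "IPSEC-trust": "DRF Master/DRF Local",
}

def cert(node, store, name, subject, issuer, expiry_year):
    """Build one inventory record (assumed layout, not a CUCM export format)."""
    return dict(node=node, store=store, name=name, subject=subject, issuer=issuer,
                not_after=datetime(expiry_year, 1, 1, tzinfo=timezone.utc))

def plan_deletions(inventory, now):
    """Return (delete, review, restarts) for expired trust certificates."""
    # Subjects still named as issuer by an unexpired certificate on the same node.
    live_issuers = {(c["node"], c["issuer"]) for c in inventory
                    if c["not_after"] > now and c["issuer"] != c["subject"]}
    delete, review, restarts = [], [], {}
    for c in inventory:
        if c["name"] in BASE_CERTS or not c["store"].endswith("-trust"):
            continue  # base/identity certificates are never deletion candidates
        if c["not_after"] > now:
            continue  # not expired
        key = (c["node"], c["store"], c["name"])
        if (c["node"], c["subject"]) in live_issuers:
            review.append(key)  # may be part of an existing chain: check by hand
            continue
        delete.append(key)  # one entry per node, since deletion is per node
        service = RESTART.get(c["store"], "not listed: " + c["store"])
        restarts.setdefault(c["node"], set()).add(service)
    return delete, review, restarts

# Constructed sample inventory; host names and certificate names are made up.
SAMPLE = [
    cert("pub", "tomcat", "tomcat.pem", "CN=pub", "CN=Issuing CA", 2031),
    cert("pub", "Tomcat-trust", "issuing-ca.pem", "CN=Issuing CA", "CN=Root CA", 2024),
    cert("pub", "Tomcat-trust", "old-root.pem", "CN=Old Root", "CN=Old Root", 2023),
    cert("sub1", "Tomcat-trust", "old-root.pem", "CN=Old Root", "CN=Old Root", 2023),
    cert("sub1", "CAPF-trust", "old-peer.pem", "CN=old-peer", "CN=old-peer", 2022),
    cert("pub", "CallManager-trust", "vendor.pem", "CN=Vendor", "CN=Vendor", 2035),
]

if __name__ == "__main__":
    print(plan_deletions(SAMPLE, datetime(2025, 6, 1, tzinfo=timezone.utc)))
```

Entries returned under review match on subject name only, so an expired CA certificate that shares its subject with a renewed one lands there too and needs a manual look in the Certificate List window.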