Navigate to CM Administration: System > Enterprise Parameters > Security Parameters > Cluster Security Mode.

ITL and CTL

• Initial Trust List (ITL) contains the certificate role for Call Manager TFTP, ITLRecovery, and all TVS certificates in the cluster. It also contains the Certificate Authority Proxy Function (CAPF) if the service is running. Beginning in version 12.0, the ITL is signed by the ITLRecovery certificate. You can see this by logging in to the CLI and entering the command show itl. Prior to version 12.0, the ITL was signed by the Call Manager certificate.
• CTL contains entries for System Administrator Security Token (SAST), Cisco CallManager and Cisco TFTP services that are run on the same server, CAPF, ITLRecovery, TFTP server(s), and Adaptive Security Appliance (ASA) firewall. TVS is not referenced in CTL. The CTL is provided to endpoints if the Cisco CTL Provider service is running.
• As of CUCM 14SU(3), the Cisco CTL Provider service no longer supports CTL Tokens, and Tokenless is the default supported method.

Impact by the Certificate Store

It is critical for successful system functionality to have all certificates updated across the CUCM cluster. If certificates are expired or invalid, they can significantly affect normal functionality of the system. The impact can differ depending on your system setup. The services affected when specific certificates are invalid or expired are listed here:

CallManager.pem

• Encrypted/authenticated phones do not register.
• Trivial File Transfer Protocol (TFTP) is not trusted (phones do not accept signed configuration files and/or ITL files).
• Phone services can be affected.
• Secure Session Initiation Protocol (SIP) trunks or media resources (Conference bridges, Media Termination Point (MTP), Xcoders, and so on) do not register or work.
• The AXL request fails.
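An added example (not from the original page or from Cisco): a POSIX shell check that classifies certificates such as CallManager.pem as ok, expiring, expired or invalid, so that an upcoming expiry is caught before the impacts listed above occur. It assumes the certificates have been exported as PEM files into one directory and that openssl is installed; the function names and the 30-day WARN_DAYS window are hypothetical choices.

```shell
#!/bin/sh
# Added example: classify exported PEM certificates by expiry state.
# Assumptions: certificates (for example CallManager.pem) were exported as
# PEM files into one directory; WARN_DAYS is a locally chosen warning window.

WARN_DAYS=${WARN_DAYS:-30}

# cert_status FILE [DAYS]
# Prints exactly one of: ok | expiring | expired | invalid
cert_status() {
    file=$1
    days=${2:-$WARN_DAYS}
    # Anything openssl cannot parse as an X.509 certificate is "invalid".
    openssl x509 -in "$file" -noout >/dev/null 2>&1 || { echo invalid; return; }
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$file" -noout \
            -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# audit_dir DIR [DAYS]
# Prints "status  file  notAfter" for every *.pem file in DIR.
# Returns 1 if any certificate is not "ok", so it can gate a scheduled job.
audit_dir() {
    dir=$1
    days=${2:-$WARN_DAYS}
    rc=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue          # directory holds no *.pem files
        st=$(cert_status "$f" "$days")
        end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null | cut -d= -f2)
        printf '%-10s %-24s %s\n' "$st" "$(basename "$f")" "${end:-n/a}"
        [ "$st" = ok ] || rc=1
    done
    return $rc
}
```

Run `audit_dir /path/to/exported-certs 60` from a scheduled job and alert on a non-zero exit status.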

