/mcpTomcat.pem
• Phones are not able to access HTTPS services hosted on the CUCM node, such as Corporate Directory.
• CUCM can have various web issues, such as being unable to access service pages from other nodes in the cluster.
• Extension Mobility (EM) or Extension Mobility Cross Cluster issues.
• Single Sign-On (SSO)
• Expressway Traversal Zone down (TLS Verify is enabled).
• If Unified Contact Center Express (UCCX) is integrated, due to a security change from CCX 12.5, the CUCM Tomcat certificate (self-signed) or the Tomcat root and intermediate certificates (for CA-signed) must be uploaded to the UCCX tomcat-trust store, since it affects Finesse desktop logins.

CAPF.pem
• This certificate is used to issue LSC to the endpoints (except online and offline CAPF mode), Phone VPN, 802.1x, and Phone Proxy.
• Beginning from Unified Communications Manager Release 11.5(1) SU1, all the LSC certificates issued by the CAPF service are signed with the SHA-256 algorithm.
• Authentication and Encryption setup for CTI, JTAPI, and TAPI.

IPSec.pem
• Disaster Recovery System (DRS)/Disaster Recovery Framework (DRF) is unable to function properly.
• IPsec tunnels to Gateway (GW) or to other CUCM clusters do not work.

Trust Verification Service (TVS)
Trust Verification Service (TVS) is the main component of Security by Default. TVS enables Cisco Unified IP Phones to authenticate application servers, such as EM services, directory, and MIDlet, when HTTPS is established. TVS provides these features:
• Scalability - Cisco Unified IP Phone resources are not impacted by the number of certificates to trust.
• Flexibility - Addition or removal of trust certificates is automatically reflected in the system.
• Security by Default - Non-media and signal security features are part of the default installation and do not require user intervention.

ITLRecovery (Trust Verification Service)
• 8.X – 11.5: Recovery of phones with mismatched ITL, Phone migration and EMCC to CUCM 12.0+.
• 12.0+: Used in SSO, EMCC and primary signer of ITL/CTL.
• 12.5+: ITL Recovery is only generated by the Publisher.

Certificate Manager ECDSA Support
In Unified Communications Manager Release 11.0, the certificate manager supports both generation of self-signed ECDSA certificates and the ECDSA certificate signing request (CSR). Earlier releases of Unified Communications Manager supported RSA certificates only. However, from Unified Communications Manager Release 11.0 onwards, the CallManager-ECDSA certificate has been added along with the existing RSA