McDewey

Multi-vendor documentation library · semantic search · MCP endpoint at /mcp

Page 8

↗ View in doc context
page
8
source
cucm/v15/certificate-regeneration/certificate-regeneration.md
chunk_id
cucm::v15::certificate-regeneration::certificate-regeneration::8

the publisher, then continue with the subscribers and select Restart on the Cisco DRF Local. The IPSEC.pem certificate in the publisher must be valid and must be present in all subscribers as IPSEC truststores. The subscriber's IPSEC.pem certificate is not present in the publisher as IPSEC-trust in a standard deployment. In order to verify the validity compare the serial numbers in the IPSEC.pem certificate from the PUB with the IPSEC-trust in the SUBs. They must match. CAPF Certificate Note: Beginning in CUCM 14, the CAPF certificate can only be found on the Publisher. Warning: Ensure you have identified if your Cluster is in Mixed-Mode before you proceed. Refer to section Identify Cluster Security Mode. Navigate to the Cisco Unified CM Administration > System > Enterprise Parameters. Check the section Security Parameters and verify if the Cluster Security Mode is set to 0 or

  1. If the value if 0, then the cluster is in Non-Secure Mode. If it is 1, then the cluster is in mixed-mode and you need to update the CTL file prior to the restart of services. See Token and Tokenless links. •

Navigate to each server in your cluster (in separate tabs of your web browser) begin with the publisher, then each subscriber. Navigate to Cisco Unified OS Administration > Security > Certificate Management > Find. Select theCAPF PEM Certificate. • Once open, select Regenerate and wait until you see the Success pop-up then close pop-up or go back and select Find/List. • 2. Continue with subsequent subscribers; perform the same procedure in step 2, and complete on all subscribers in your cluster. If cluster is in Mixed-Mode or the CTL is being used for 802.1X, you must update the CTL before you proceed further. Log into the CLI of the Publisher and enter the command utils ctl update CTLFile. ○ Reset all encrypted and authenticated phones for the CTL file update to take affect. ○ • 3. After all Nodes have regenerated the CAPF certificate, restart services. Navigate to publisher Cisco Unified Serviceabillity. Cisco Unified Serviceability > Tools > Control Center - Feature Services. 1. Select the publisher and select Restart on the Cisco Certificate Authority Proxy Function Service, only if active. 2. • 4. Navigate to Cisco Unified Serviceability > Tools > Control Centr - Network Services. Begin with the publisher, then continue with the subscribers, select Restart on Cisco Trust Verification Service. • Navigate to Cisco Unified Serviceability > Tools > Control Center - Feature Services. • Begin with the publisher then continue with the subscribers, restart Cisco TFTP Service where status shows Started. • 5. Reboot all Phones: Option 1 • Cisco Unified CM Administration > System > Enterprise Parameters • Select Reset, then you see a pop-up with the statement "You are about to reset all devices in the system. This action cannot be undone. Continue?",select OK, and then select Reset. This method resets ALL components in Call Manager. ○ • Option 2 • Cisco Unified CM Administration > Bulk Administration > Phones > Update Phones > Query • 6.