McDewey

Multi-vendor documentation library · semantic search · MCP endpoint at /mcp

Page 9

page: 9
source: cucm/v15/certificate-regeneration/certificate-regeneration.md
chunk_id: cucm::v15::certificate-regeneration::certificate-regeneration::9

○ Search for Device Name begins with SEP > Next > Reset Phones > Run Immediately.

The phones now reset. Monitor their actions via the RTMT tool to ensure the reset was successful and that devices register back to CUCM. Wait for the phone registration to complete before you proceed to the next certificate. Phone registration can take some time. Be advised, devices that had bad ITLs prior to the regeneration process do not register back to the cluster until the ITL is removed.

CallManager Certificate

The process of regenerating CallManager and CallManager-ECDSA is identical, including service restarts.

Warning: Ensure you have identified if your Cluster is in Mixed-Mode before you proceed. Refer to section Identify Cluster Security Mode.

Warning: Do not regenerate CallManager.PEM and TVS.PEM certificates at the same time in versions 8.x-11.5, or if the ITL is signed by the CallManager Certificate. This causes an unrecoverable mismatch with the ITL installed on endpoints, which requires the removal of the ITL from ALL endpoints in the cluster, or a restore from DRS to begin the certificate updates again.

1. Navigate to the Cisco Unified CM Administration > System > Enterprise Parameters:
   • Check the section Security Parameters and verify if the Cluster Security Mode is set to 0 or 1. If the value is 0, then the cluster is in Non-Secure Mode. If it is 1, then the cluster is in mixed-mode and you need to update the CTL file prior to the restart of services. See Token and Tokenless links.

2. Navigate to each server in your cluster (in separate tabs of your web browser); begin with the publisher, then each subscriber. Navigate to Cisco Unified OS Administration > Security > Certificate Management > Find.
   • Select the CallManager pem Certificate.
   • Once open, select Regenerate and wait until you see the Success pop-up, then close the pop-up or go back and select Find/List.

3. Continue with subsequent subscribers; perform the same procedure in step 2, and complete on all subscribers in your cluster.
   • If the cluster is in Mixed-Mode, or the CTL is being used for 802.1X, you must update the CTL before you proceed further.
      ○ Log into the CLI of the Publisher and enter the command utils ctl update CTLFile.
      ○ Reset all encrypted and authenticated phones for the CTL file update to take effect.

4. Log into Publisher Cisco Unified Serviceability:
   • Navigate to Cisco Unified Serviceability > Tools > Control Center - Feature Services.
   • Begin with the publisher, then continue with the subscribers; only restart Cisco CallManager Service where status shows Started.

5. Navigate to Cisco Unified Serviceability > Tools > Control Center - Feature Services.
   • Begin with the Publisher, then continue with the subscribers; restart Cisco CTIManager Service where status shows Started.

6. Navigate to Cisco Unified Serviceability > Tools > Control Center - Network Service.
   • Begin with the Publisher, then continue with the subscribers; restart Cisco Trust Verification Service.

7. Navigate to Cisco Unified Serviceability > Tools > Control Center - Feature Services.
   • Begin with the Publisher, then continue with the subscribers; restart Cisco TFTP Service where status shows Started.

8. Reboot all Phones:
   • Option 1
   • Cisco Unified CM Administration > System > Enterprise Parameters