first with a self-signed CAPF certificate, test and verify, and then redeploy LSCs that are signed by a third-party-signed CAPF certificate. This simplifies later troubleshooting if tests with the third-party-signed CAPF certificate fail.

Warning: If you regenerate the CAPF certificate or import a third-party-signed CAPF certificate while the CAPF service is activated and started, CUCM automatically resets the phones. Complete these procedures in a maintenance window when it is acceptable for phones to be reset. For reference, see Cisco bug ID CSCue55353 - Add Warning when Regenerating TVS/CCM/CAPF Certificate that Phones Reset.

Note: If your CUCM version supports SBD, this LSC install procedure applies regardless of whether your CUCM cluster is set to mixed mode. SBD is part of CUCM version 8.0(1) and later. In these versions of CUCM, the ITL file contains the certificate for the CAPF service on the CUCM Publisher. This allows phones to connect to the CAPF service in order to support certificate operations such as Install/Upgrade and Troubleshoot. In previous versions of CUCM, it was necessary to configure the cluster for Mixed Mode in order to support certificate operations. Because this is no longer necessary, the barrier to the use of LSCs as phone identity certificates for 802.1X authentication or for AnyConnect VPN client authentication is reduced.

Run the show itl command on all TFTP servers in the CUCM cluster. Observe that the ITL file does contain a CAPF certificate. For example, here is an excerpt of the show itl output from the lab CUCM Subscriber ao115sub:

ITL Record #:1
BYTEPOS TAG LENGTH VALUE

Note: There is an ITL Record entry in this file with a FUNCTION of CAPF.

Note: If your ITL file does not have a CAPF entry, log in to your CUCM Publisher and confirm that the CAPF service is activated. In order to confirm this, navigate to Cisco Unified Serviceability > Tools > Service Activation > CUCM Publisher > Security, then activate the Cisco Certificate Authority Proxy Function service. If the service was deactivated and you have just activated it, navigate to Cisco Unified Serviceability > Tools > Control Center - Feature Services > Server > CM Services, then restart the Cisco TFTP service on all TFTP servers in the CUCM cluster in order to regenerate the ITL file. Also, ensure that you do not hit Cisco bug ID CSCuj78330.

Note: After you are done, run the show itl command on all TFTP servers in the CUCM cluster in order to verify that the current CUCM Publisher CAPF certificate is now included in the file.
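The check above (every TFTP server's ITL must carry a record whose FUNCTION is CAPF, and all servers must carry the same current Publisher CAPF certificate) is easy to get wrong by eye across a large cluster. The following Python script is an added example, not Cisco's code and not from this document: it parses saved show itl output, reports whether a CAPF record is present, and compares the CAPF certificate serial across servers. The sample output embedded in it is constructed to mimic the BYTEPOS / TAG / LENGTH / VALUE layout shown above with placeholder hostnames and serial numbers; it is not captured from a real cluster, and the exact tag set in real output may differ.

```python
import re
from typing import Dict, List

# Constructed sample in the style of "show itl" output (not real captured data).
# Record 1 is the System Administrator Security Token, record 2 the CAPF entry.
SAMPLE_SHOW_ITL = """\
ITL Record #:1
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1158
2 DNSNAME 20 cucm-pub.example.test
3 SUBJECTNAME 54 CN=cucm-pub.example.test;OU=lab;O=example;L=city;ST=st;C=US
4 FUNCTION 2 System Administrator Security Token
5 ISSUERNAME 54 CN=cucm-pub.example.test;OU=lab;O=example;L=city;ST=st;C=US
6 SERIALNUMBER 16 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00

ITL Record #:2
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1179
2 DNSNAME 20 cucm-pub.example.test
3 SUBJECTNAME 47 CN=CAPF-0a1b2c3d;OU=lab;O=example;L=city;ST=st;C=US
4 FUNCTION 2 CAPF
5 ISSUERNAME 47 CN=CAPF-0a1b2c3d;OU=lab;O=example;L=city;ST=st;C=US
6 SERIALNUMBER 16 01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10
"""

RECORD_HEADER = re.compile(r"^ITL Record #:(\d+)\s*$")
# "<bytepos> <TAG> <length> <value...>"; header and dashed rows do not match.
FIELD_LINE = re.compile(r"^(\d+)\s+([A-Z]+)\s+(\d+)\s+(.*)$")


def parse_show_itl(text: str) -> List[Dict[str, str]]:
    """Return one dict per ITL record, keyed by TAG name (plus '_record')."""
    records: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = RECORD_HEADER.match(line)
        if header:
            current = {"_record": header.group(1)}
            records.append(current)
            continue
        if current is None:
            continue  # text before the first record header
        field = FIELD_LINE.match(line)
        if field:
            _, tag, _, value = field.groups()
            current[tag] = value.strip()
    return records


def capf_records(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Records whose FUNCTION is CAPF (the entry the document tells you to look for)."""
    return [r for r in records if r.get("FUNCTION", "").upper() == "CAPF"]


def itl_has_capf(text: str) -> bool:
    return bool(capf_records(parse_show_itl(text)))


def audit_cluster(outputs: Dict[str, str]) -> Dict[str, object]:
    """Given {tftp_hostname: show_itl_output}, report servers missing a CAPF
    record and whether every server carries the same CAPF certificate serial."""
    missing = sorted(host for host, text in outputs.items() if not itl_has_capf(text))
    serials: Dict[str, List[str]] = {}
    for host, text in outputs.items():
        for rec in capf_records(parse_show_itl(text)):
            serials.setdefault(rec.get("SERIALNUMBER", "?"), []).append(host)
    return {
        "hosts_missing_capf": missing,
        "capf_serials": serials,
        "consistent": not missing and len(serials) == 1,
    }


if __name__ == "__main__":
    # Simulate a subscriber whose TFTP service was not restarted: only record 1.
    stale_sub = SAMPLE_SHOW_ITL.split("ITL Record #:2")[0]
    print(audit_cluster({"cucm-pub": SAMPLE_SHOW_ITL, "cucm-sub": stale_sub}))
```

In practice you would paste each server's show itl output into a file and feed the contents to audit_cluster; a non-empty hosts_missing_capf list points at the TFTP servers that still need the Cisco TFTP restart described above, and more than one entry in capf_serials means at least one server is serving an ITL that still carries an older CAPF certificate.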