McDewey



page: 64
source: cucm/v15/security-guide/security-guide.md
chunk_id: cucm::v15::security-guide::security-guide::52

Certificate Tasks

This section lists all the procedures to manage certificates.

Bulk Certificate Export

If both the old and new clusters are online at the same time, you can use the Bulk Certificate migration method. Remember that the Cisco Unified IP Phones verify every downloaded file against either the ITL file, or against a TVS server that exists in the ITL file. If the phone needs to move to a new cluster, the ITL file that the new cluster presents must be trusted by the old cluster TVS certificate store. The Bulk Certificate Export method only works if both clusters are online with network connectivity while the phones are being migrated.

Note: During bulk certificate import, you need to import an additional ITLRecovery certificate on both the visiting cluster and the home cluster for Cisco Extension Mobility Cross Cluster (EMCC) to continue functioning. A new option to import the ITL_Recovery certificate has been added to the Certificate Type drop-down list in Bulk Certificate Management.

To use the Bulk Certificate Export method, complete the following procedure:

Procedure

Step 1 From Cisco Unified Operating System Administration, choose Security > Bulk Certificate Management.
Step 2 Export certificates from the new destination cluster (TFTP only) to a central SFTP server.
Step 3 Consolidate the certificates (TFTP only) on the SFTP server using the Bulk Certificate interface.
Step 4 On the origination cluster, use the Bulk Certificate function to import the TFTP certificates from the central SFTP server.
Step 5 Use DHCP option 150, or some other method, to point the phones to the new destination cluster. The phones download the new destination cluster ITL file and attempt to verify it against their existing ITL file. The certificate is not in the existing ITL file, so the phone requests the old TVS server to verify the signature of the new ITL file. The phone sends a TVS query to the old origination cluster on TCP port 2445 to make this request.

If the certificate export/consolidate/import process works correctly, the TVS returns success and the phone replaces the ITL file in memory with the newly downloaded ITL file. The phones can now download and verify the signed configuration files from the new cluster.

Show Certificates

Use the filter option on the Certificate List page to sort and view the list of certificates by common name, expiry date, key type, and usage. The filter option thus allows you to sort, view, and manage your data effectively.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs · 46 · Basic System Security · Certificate Tasks
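As an added illustration of the Bulk Certificate Export procedure above (this is a constructed model, not code from the Cisco guide), the following Python walks through the Step 5 trust decision: the phone first checks the new ITL's signer against its current ITL and only then queries the TVS of the old cluster, which succeeds only if Steps 2 to 4 put the new cluster's TFTP certificate into that trust store and the old cluster is still reachable. Cluster and certificate names are stand-ins, and signature verification is reduced to a trust-store lookup on the signer's certificate id.

```python
# Constructed model (not Cisco code) of the trust decision a Cisco IP Phone
# makes when pointed at a new cluster after a Bulk Certificate Export/Import.
# Certificate ids are stand-ins; signature checking is reduced to matching the
# ITL signer's certificate id against a trust store.
from dataclasses import dataclass, field

@dataclass
class ITLFile:
    signer: str          # id of the TFTP certificate that signed this ITL
    trusted: frozenset   # certificate ids listed in the ITL
    tvs_cluster: str     # cluster whose TVS this ITL points the phone at

@dataclass
class Cluster:
    name: str
    tftp_cert: str
    online: bool = True
    tvs_store: set = field(default_factory=set)  # certs its TVS can vouch for

    def itl(self) -> ITLFile:
        return ITLFile(self.tftp_cert, frozenset({self.tftp_cert}), self.name)

    def tvs_verify(self, cert_id: str) -> bool:
        # TVS query on TCP 2445: answers only while the cluster is reachable
        return self.online and cert_id in self.tvs_store | {self.tftp_cert}

def bulk_import(origination: Cluster, destination: Cluster) -> None:
    """Steps 2-4: destination TFTP certificate lands in the origination trust store."""
    origination.tvs_store.add(destination.tftp_cert)

def phone_accepts(current: ITLFile, new: ITLFile, clusters: dict) -> bool:
    """Step 5: True if the phone verifies and installs the new cluster's ITL."""
    if new.signer in current.trusted:        # signer already in the existing ITL
        return True
    old_tvs = clusters[current.tvs_cluster]  # otherwise ask the old cluster's TVS
    return old_tvs.tvs_verify(new.signer)    # False: old ITL kept, configs rejected

def migrate(do_import: bool, old_cluster_online: bool) -> bool:
    """One migration: does the phone end up trusting the new cluster's ITL?"""
    old = Cluster("old", "old-tftp-cert")
    new = Cluster("new", "new-tftp-cert")
    if do_import:
        bulk_import(old, new)
    old.online = old_cluster_online          # both clusters must stay reachable
    return phone_accepts(old.itl(), new.itl(), {c.name: c for c in (old, new)})

if __name__ == "__main__":
    for do_import, online in ((True, True), (False, True), (True, False)):
        print(f"import={do_import} old_online={online} -> {migrate(do_import, online)}")
```

Only the first scenario (import done, old cluster online) ends with the phone trusting the new ITL; skipping the import or taking the origination cluster offline before the phones have moved leaves them on the old ITL and unable to verify the new cluster's signed configuration files.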