The interval value of the Enable Revocation Check parameter in the Certificate Revocation page takes precedence over the value of the Validity Check Frequency enterprise parameter.

e) Click Save.

Step 12
Important: This step is supported only from Release 15SU3 onwards.
To perform a revocation check on the entire certificate chain, enable the Enable Full Chain Revocation check check box. Ensure that the configured OCSP URIs and the CRL Distribution Point URIs are reachable so that the full chain revocation check can succeed. After enabling or disabling Full Chain Revocation on any node, restart the Cisco CallManager, Cisco Intercluster Lookup Service (ILS), Cisco Location Bandwidth Manager (LBM), Cisco Syslog Agent and Cisco DirSync services on that node for the changes to take effect.

Simplified Certificate Management

Certificate requirements are now easier to meet, thanks to a collection of updates that significantly reduces the number of certificates that you need to manage. Unified Communications Manager has eight identity certificates for each node: CallManager, CallManager-ECDSA, Tomcat, Tomcat-ECDSA, IPsec, CAPF, TVS, and ITL Recovery. These certificates have to be renewed periodically based on their validity period, which makes them difficult to manage in a multi-cluster deployment.

Simplified Certificate Management Overview

To manage certificates efficiently, you now have the option to reduce the number of certificates and to reuse them.

• TVS Supports Multiserver SAN Certificates—TVS now supports multi-server SAN certificates for both self-signed and CA-signed options, letting you deploy a single certificate for the cluster. These certificates are cluster-based. For each cluster, there is an option to have only one TVS certificate, which reduces the ITL file size and the management overhead. For example, if there were 21 nodes, you now need only a single certificate for each cluster.
• CAPF Certificates Generated from Publisher Node—CAPF certificates are now generated only from the publisher node, letting you deploy a single certificate for the cluster. However, the CAPF certificate is available as a trust-certificate (Callmanager-trust) on both the publisher and subscriber nodes for endpoint registration.

• Support for Multi-server SAN Self-Signed Certificates—Tomcat, Tomcat-ECDSA, CallManager, CallManager-ECDSA certificates now support multi-server SAN self-signed certificates. Earlier, multi-server SAN certificates were supported only for CA-signed certificates. You can now avoid the cost of managing a CA from a third-party certificate authority by using the multi-server SAN self-signed certificate.

• Reuse Multi-Server Tomcat certificate for CallManager—You can now reuse multi-server Tomcat certificates for CallManager certificates, because there is no need to generate separate certificates for each. For more details on how to reuse multi-server Tomcat certificates for the CallManager certificate, see Reuse Multi-Server Tomcat Certificate for CallManager, on page 68.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 67 Basic System Security Simplified Certificate Management
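When a single multi-server SAN certificate replaces per-node certificates, its SAN list has to name every node and its one validity period applies to the whole cluster. The following is an added example, not Cisco tooling or part of the guide: it audits a PEM copy of such a certificate with the OpenSSL CLI, and the node names and the constructed sample certificate are hypothetical.

```shell
#!/bin/sh
# Added example: audit a multi-server SAN certificate (PEM) for node coverage and expiry.

# Print the DNS names in the certificate's subjectAltName extension, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Print every expected node FQDN that the SAN list does not contain.
# Matching is exact and case-insensitive; wildcard entries are not expanded.
missing_nodes() {
    cert=$1; shift
    sans=$(san_dns_names "$cert" | tr 'A-Z' 'a-z')
    for node in "$@"; do
        n=$(printf '%s' "$node" | tr 'A-Z' 'a-z')
        printf '%s\n' "$sans" | grep -qxF -- "$n" || printf '%s\n' "$node"
    done
}

# Succeed only if every node is covered and the certificate is still valid in $2 days.
audit_cluster_cert() {
    cert=$1; days=$2; shift 2
    [ -z "$(missing_nodes "$cert" "$@")" ] &&
        openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
}

# Constructed sample: a 30-day self-signed certificate naming two hypothetical nodes.
make_sample_cert() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ext' 'prompt=no' \
        '[dn]' 'CN=cucm-pub.example.test' '[ext]' \
        'subjectAltName=DNS:cucm-pub.example.test,DNS:CUCM-SUB1.example.test' \
        > "$1/san.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/san.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Demo: the third node is absent from the sample certificate, so it is reported.
tmp=$(mktemp -d)
make_sample_cert "$tmp"
missing_nodes "$tmp/cert.pem" cucm-pub.example.test cucm-sub1.example.test \
    cucm-sub2.example.test
```

A node reported by `missing_nodes` would present a certificate that does not match its own hostname, so run the check after adding a node and before deploying a regenerated certificate.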