
APMM Certificate Renewal Plan

1- Check the expired certificates on the CUCM nodes.
2- Make sure that we have a cluster backup; if not, create a DRS backup.
3- Check the TFTP servers on the cluster.
4- Regenerate certificates in a specific order on the TFTP servers.

This procedure provides a TFTP server with a valid/updated ITL file from a trusted TFTP server that is
available.

- Stop the TFTP service on the Primary TFTP server.
- Make changes on the Primary TFTP server's certificates (as needed).
To renew the required certificates, go to step 5 (Regenerate Certificates via the Web GUI or
CLI).
- Reset the phones (in order to get a new ITL file from the Secondary TFTP server).
Depending on which certificates are regenerated, this might happen automatically.
- Once the phones have returned, start the Primary TFTP server's TFTP service.
- Make certificate changes on the Secondary TFTP server.
- Reset the phones (in order to get a new ITL file from the Primary TFTP server).

Caution: Do NOT edit certificates on both TFTP servers at the same time. This gives the phones no TFTP
server to trust and requires the local administrator to manually remove the ITL from all phones.

5- Regenerate Certificates via the Web GUI or CLI

5.1 Regenerate CAPF

Upon regeneration, the CAPF certificate automatically uploads itself to CAPF-trust and CallManager-trust. Also, the CAPF certificate always has a unique Subject Name header, thus previously used CAPF certificates are retained and used for authentication.

From Web:

OS Admin > Security > Certificate Management > Find > Click CAPF certificate > Regenerate

From CLI:

set cert regen CAPF

On Publisher only:
Web Gui: Cisco Unified Serviceability > Tools > Control Center - Feature Services > (Select Server) >
select "Cisco Certificate Authority Proxy Function" > Restart

5.2 Regenerate CallManager

Upon regeneration, the CallManager certificate automatically uploads itself to CallManager-trust.

From Web:

OS Admin > Security > Certificate Management > Find > Click CallManager certificate > Regenerate

From CLI:
set cert regen CallManager

Restart Services

Web Gui: Cisco Unified Serviceability > Tools > Control Center - Feature Services > (Select Server) >
select "Cisco CallManager" > Restart

Web Gui: Cisco Unified Serviceability > Tools > Control Center - Feature Services > (Select Server) >
select "Cisco Tftp" > Restart

Web Gui: Cisco Unified Serviceability > Tools > Control Center - Feature Services > (Select Server) >
select "Cisco CTIManager" > Restart

5.3 Regenerate IPsec

Upon regeneration, the IPsec certificate automatically uploads itself to ipsec-trust.

From Web:

OS Admin > Security > Certificate Management > Find > Click ipsec certificate > Regenerate

From CLI:

set cert regen ipsec


Restart Service

Cisco DRF Local (on all nodes):

CLI: utils service restart Cisco DRF Local

Cisco DRF Master (on Publisher):

CLI: utils service restart Cisco DRF Master

5.4 Regenerate TVS

From Web:

OS Admin > Security > Certificate Management > Find > Click TVS certificate > Regenerate.

From CLI:

set cert regen TVS

Restart Services

Trust Verification Service (on respective server)

Web Gui: Cisco Unified Serviceability > Tools > Control Center - Network Services > (Select Server) >
select "Cisco Trust Verification Service" > Restart

5.5 Regenerate Cisco Tomcat

Check whether the certificate is signed by a third-party CA. If it is CA-signed, follow the steps
below to renew the certificate.

- Create the Tomcat CSR

From Cisco Unified OS Admin > Security > Certificate Management > Generate CSR >
select tomcat > Generate Certificate Signing Request window
- Sign the CSR with the CA
- Upload the certificate

OS Admin > Security > Certificate Management > Upload Certificate, select tomcat

Restart Service

CLI: utils service restart Cisco Tomcat

If the certificate is self-signed, you can follow the steps below to regenerate the certificate.

Upon regeneration, the Tomcat certificate automatically uploads itself to tomcat-trust.

From Web

OS Admin > Security > Certificate Management > Find > Click tomcat certificate > Regenerate

From CLI

set cert regen tomcat

Restart service

CLI: utils service restart Cisco Tomcat

5.6 Post-Checks

- VOC Post-checks list
- Corporate Directory
- Extension mobility
- Web admin
- AXL admin from third-party applications, like UCCX, Calabrio, CUAC
- Backup

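Added example, not part of this plan or of Cisco's own tooling: a small Python script that supports step 1 (checking for expired certificates on the CUCM nodes) and the "Web admin" post-check in 5.6. It opens a TLS connection to each node on the web admin port (assumed to be 8443), reads the certificate the node presents, and reports whether it is expired, inside a renewal warning window, or fine. It only sees the Tomcat certificate; CallManager, CAPF, TVS and IPsec are still checked in OS Admin > Security > Certificate Management. The hostnames are placeholders, the sample DER structure at the bottom is constructed for offline testing and is not a real certificate, and certificate verification is deliberately disabled because the script takes an inventory, not a trust decision.

```python
# Added example (not from the original plan): report Tomcat certificate expiry on
# CUCM nodes by reading the certificate presented on the HTTPS port (assumed 8443).
import socket
import ssl
import sys
from datetime import datetime, timezone


def utc(year, month, day):
    """Helper for timezone-aware UTC timestamps (used by callers and tests)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _tlv(buf, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length


def _parse_time(tag, raw):
    """Decode an X.509 Time: UTCTime (tag 0x17) or GeneralizedTime (tag 0x18)."""
    text = raw.decode("ascii")
    if tag == 0x17:                        # YYMMDDHHMMSSZ; RFC 5280 two-digit year rule
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def der_validity(der):
    """Return (notBefore, notAfter) from a DER X.509 certificate.

    Walks Certificate -> tbsCertificate -> [version] serial signature issuer validity;
    nothing after the validity field is parsed.
    """
    tag, pos, _ = _tlv(der, 0)             # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, pos, _ = _tlv(der, pos)             # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                     # serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)             # validity SEQUENCE
    tag_nb, start_nb, end_nb = _tlv(der, pos)
    tag_na, start_na, end_na = _tlv(der, end_nb)
    return _parse_time(tag_nb, der[start_nb:end_nb]), _parse_time(tag_na, der[start_na:end_na])


def classify(not_after, now, warn_days=30):
    """EXPIRED if notAfter is in the past, WARN inside the renewal window, else OK."""
    days = (not_after - now).days
    if days < 0:
        return "EXPIRED"
    return "WARN" if days <= warn_days else "OK"


def fetch_peer_cert_der(host, port=8443, timeout=5.0):
    """Fetch the DER certificate a node presents on port. Verification is off on
    purpose: a self-signed Tomcat certificate would otherwise abort the handshake
    before its dates could be read. Inventory only, never a trust decision."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def report(nodes, now=None, warn_days=30, fetch=fetch_peer_cert_der):
    """Return [(host, status, notAfter-or-error)] per node; fetch is injectable for tests."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for host in nodes:
        try:
            _, not_after = der_validity(fetch(host))
            rows.append((host, classify(not_after, now, warn_days), not_after.isoformat()))
        except (OSError, ValueError) as exc:   # ssl.SSLError is an OSError
            rows.append((host, "ERROR", str(exc)))
    return rows


def _encode(tag, content):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Constructed skeleton: just enough structure for the validity walk (empty issuer and
# subject, dummy signature). It is NOT a real certificate and verifies nowhere.
SAMPLE_DER = _encode(0x30,
    _encode(0x30,
        _encode(0xA0, _encode(0x02, b"\x02"))                                   # version v3
        + _encode(0x02, b"\x01")                                               # serialNumber
        + _encode(0x30, _encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
        + _encode(0x30, b"")                                                   # issuer
        + _encode(0x30, _encode(0x17, b"240101000000Z") + _encode(0x17, b"250101000000Z"))
        + _encode(0x30, b""))                                                  # subject
    + _encode(0x30, b"") + _encode(0x03, b"\x00"))


if __name__ == "__main__":
    # Usage: python cert_expiry.py cucm-pub.example.com cucm-sub1.example.com (placeholders)
    for host, status, detail in report(sys.argv[1:] or ["cucm-pub.example.com"]):
        print(f"{host:30} {status:8} {detail}")
```

Run it before step 2 to record the starting state, and again after the Tomcat restart in 5.5 to confirm the node now presents the renewed certificate with the new notAfter date. A status of ERROR on a node after the restart is itself a useful post-check result for the "Web admin" item.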