Updated:April 22, 2020
This document provides a recommended step-by-step procedure for regenerating certificates in Cisco Unified Communications Manager (CUCM) release 12.X and later. The process does not use the "Prepare Cluster for Rollback to pre 8.0" functionality; instead it updates certificates by function. Both the Security by Default feature (Identity Trust List, ITL) and the Mixed-Mode feature (Certificate Trust List, CTL) are addressed in order to avoid registration issues.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on CUCM release 12.X and later.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Download and Install RTMT
Step 1. Open Call Manager (CM) Administration page.
Step 2. Navigate to Application > Plugins > Find > Cisco Unified Real-Time Monitoring Tool - Windows > Download.
Step 3. Launch the downloaded RTMT installer and follow the installation wizard.
Monitor Endpoints with RTMT
Step 1. Launch RTMT and enter the IP address or Fully Qualified Domain Name (FQDN), then username and password to access the tool.
Step 2. This section identifies the total number of registered endpoints and how many are registered to each node. Monitor while the endpoints reset to ensure they register again before you regenerate the next certificate.
a. Select the Voice/Video Tab.
b. Select Device Summary.
Tip: The regeneration of some certificates can impact endpoints. Plan the activity outside regular business hours, because services must be restarted and phones rebooted. Monitoring phone registration via RTMT is highly recommended.
Warning: Endpoints that already have an ITL mismatch can have registration issues after this process. Deleting the ITL on the affected endpoint is the usual remedy, applied after the regeneration process is complete and all other phones have registered.
Identify Clusters in Mixed-Mode or Non-Secure Mode
Step 1. Open the CM Administration page.
Step 2. Navigate to System > Enterprise Parameters > Security Parameters > Cluster Security Mode.
Impact by the Certificate Store
It is critical for the correct operation of the system that all certificates are updated across the CUCM cluster. Expired or invalid certificates can significantly affect normal system functionality. A list of the services affected by each invalid or expired certificate is shown here; the actual impact depends on your system setup.
Certificate Regeneration Process
ITL and CTL Explanation
The ITL contains the Call Manager TFTP certificate role, all TVS certificates in the cluster, and the Certificate Authority Proxy Function (CAPF) certificate when CAPF is running.
The CTL contains entries for the System Administrator Security Token (SAST), the Cisco Call Manager and Cisco TFTP services that run on the same server, CAPF, the TFTP server(s), and the Adaptive Security Appliance (ASA) firewall. TVS is not referenced in the CTL.
Note: The ITLRecovery certificate is used when devices lose their trusted status. The certificate appears in both the ITL and the CTL (when the CTL provider is active). If devices lose their trust status, use the command utils itl reset localkey for non-secure clusters and the command utils ctl reset localkey for mixed-mode clusters. Read the Security Guide for your Call Manager version to become familiar with how the ITLRecovery certificate is used and the process required to recover trusted status. If the cluster has been upgraded to a version that supports a 2048-bit key length, the cluster's server certificates have been regenerated at 2048 bits, but ITLRecovery has not been regenerated and still has a 1024-bit key, the ITL recovery command fails and the ITLRecovery method cannot be used.
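As an added check for the key-length caveat in the note above (example script, not Cisco tooling): it reads a PEM exported from Certificate Management with openssl and reports whether the ITLRecovery key length matches the length used by the regenerated server certificates and whether the certificate is close to expiry. The file paths and the 30-day expiry window are assumptions.

```shell
#!/bin/sh
# Constructed example: compare an exported ITLRecovery PEM against the key
# length of the regenerated server certificates before relying on
# "utils itl reset localkey" / "utils ctl reset localkey".

# Print the RSA modulus length in bits for a PEM certificate (empty if unreadable).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if the certificate key length equals the expected bit count, else 1.
check_key_bits() {
    bits=$(cert_key_bits "$1")
    [ "$bits" = "$2" ]
}

# Return 0 if the certificate remains valid for at least $2 more seconds.
check_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Assess one PEM: exit 0 = usable, 1 = must be regenerated, 2 = not a certificate.
# $1 = PEM path, $2 = expected key bits (defaults to 2048, as in the note above).
assess_itlrecovery() {
    pem=$1; want=${2:-2048}
    bits=$(cert_key_bits "$pem")
    if [ -z "$bits" ]; then
        echo "$pem: not a readable X.509 certificate"; return 2
    fi
    if [ "$bits" != "$want" ]; then
        echo "$pem: key is $bits bits, expected $want; regenerate ITLRecovery first"
        return 1
    fi
    # Assumed policy: warn when fewer than 30 days (2592000 s) of validity remain.
    if ! check_not_expiring "$pem" 2592000; then
        echo "$pem: expires within 30 days; regenerate ITLRecovery first"; return 1
    fi
    echo "$pem: $bits-bit key, valid for more than 30 days"; return 0
}

# Usage (assumed path of the exported certificate):
# assess_itlrecovery /path/to/ITLRecovery.pem 2048
```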
Step 1. Verify that the ITL file is valid (show itl command) and that all phones trust the current ITL file.
Step 2. Regenerate the ITLRecovery certificate. Navigate to Cisco Unified OS Administration > Security > Certificate Management > Find.
Select the ITLRecovery.pem certificate.
Once it is open, select Regenerate and wait for the Success pop-up, then close the pop-up or go back and select Find/List.