Manage Bulk Certificates

Manage Bulk Certificates

Use bulk certificate management if you want to share a set of certificates between clusters. This step is required for system functions that require established trust between clusters, such as extension mobility cross cluster.

Procedure

  Command or Action Purpose
Step 1

Export Certificates

This procedure creates a PKCS12 file that contains certificates for all nodes in the cluster.
Step 2

Import Certificates

Import the certificates back into the home and remote (visiting) clusters.

Export Certificates

This procedure creates a PKCS12 file that contains certificates for all nodes in the cluster.

Procedure

Step 1

From Cisco Unified OS Administration, choose Security > Bulk Certificate Management.

Step 2

Configure the settings for a TFTP server that both the home and remote clusters can reach. See the online help for information about the fields and their configuration options.

Step 3

Click Save.

Step 4

Click Export.

Step 5

In the Bulk Certificate Export window, choose All for the Certificate Type field.

Step 6

Click Export.

Step 7

Click Close.

Note 

When the bulk certificate export is performed, the certificates are then uploaded to the remote cluster as follows:

  • CAPF certificate gets uploaded as a CallManager-trust

  • Tomcat certificate gets uploaded as a Tomcat-trust

  • CallManager certificate gets uploaded as a CallManager-trust

  • CallManager certificate gets uploaded as a Phone-SAST-trust

  • ITLRecovery certificate gets uploaded as a PhoneSast-trust and CallManager-trust

The above steps are performed when certificates are self-signed and there is no common trust in another cluster. If there is a common trust or the same signer then the export of ALL certificates is not needed.

Import Certificates

Import the certificates back into the home and remote (visiting) clusters.


Note

Import of certificate using bulk certificate management causes phones to reset.

Before you begin

Before the Import button appears, you must complete the following activities:

  • Export the certificates from at least two clusters to the SFTP server.

  • Consolidate the exported certificates.

Procedure

Step 1

From From Cisco Unified OS Administration, choose Security > Bulk Certificate Management > Import > Bulk Certificate Import.

Step 2

From the Certificate Type drop-down list, choose All.

Step 3

Choose Import.

Note 

When the bulk certificate import is performed, the certificates are then uploaded to the remote cluster as follows:

  • CAPF certificate gets uploaded as a CallManager-trust

  • Tomcat certificate gets uploaded as a Tomcat-trust

  • CallManager certificate gets uploaded as a CallManager-trust

  • CallManager certificate gets uploaded as a Phone-SAST-trust

  • ITLRecovery certificate gets uploaded as a PhoneSast-trust and CallManager-trust
Note 

The following types of certificates determines phones that are restarted:

  • Callmanager - ALL phones only IF TFTP service is activated on the node the certificate belongs.

  • TVS - SOME phones based on Callmanager group membership.

  • CAPF - ALL phones only IF CAPF is activated.