Daniel,

I never thanked you for this info.
Yes, SERVER2 is an actual CUCM, so I presume it was put there by mistake. One 
thing I miss from the documentation is a reference default configuration of all 
the certs in a cluster.

Thanks by the bucketload!

Ariel.

From: Daniel Pagan [mailto:dpa...@fidelus.com]
Sent: Thursday, October 25, 2018 10:09 AM
To: ROZA, Ariel <ariel.r...@la.logicalis.com>; James Andrewartha 
<jandrewar...@ccgs.wa.edu.au>; cisco-voip@puck.nether.net
Subject: RE: [EXT] Re: [cisco-voip] How to handle expired Phone-VPN-trust, 
phone-SAST-trust, other certificates

In your example, the SERVER2 certificate in phone-vpn-trust is there because 
someone would have placed it there for some reason. Some additional info... 
certificates uploaded to the phone-vpn-trust store can be associated with a VPN 
gateway in /ccmadmin. When assigned to a VPN-enabled phone through a common 
phone profile, a hash of the certificate is provided to the phone in its .cnf 
file. This certificate would/should be the same SSL cert assigned to the VPN 
gateway(s) configured. During the TLS handshake between the phone and the ASA, 
the phone compares the SHA1 hash of the identity certificate it receives with 
the hash contained in its previously downloaded config file.

With that said -
Why is there SERVER2.DER in the phone-vpn-trust store?
DP: Likely someone placed it there.

Is this expected?
DP: Not by default.

Does a phone contact SERVER2 while using the Phone VPN?
DP: Only if SERVER2 is the VPN gateway. The phone uses the VPN gateway URL to 
determine where to connect, then compares the certificate hash during TLS 
negotiation.

Is there by default, or someone added, even by mistake?
DP: Added and (if SERVER2 is a UC server) likely by mistake.

Hope this helps.

- Dan

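The pinning check Dan describes, written out as an added example (this is not Cisco code and was not posted in the thread): the phone takes its VPN gateway URL and the gateway certificate hashes from its .cnf.xml, and during the TLS handshake it hashes the identity certificate the ASA presents and compares it with those pinned hashes. The <vpnGroup> layout used here (hashAlg 0 meaning SHA-1, base64-encoded certHashN values), the gateway URL, the file names and the certificate bytes are assumptions or constructed stand-ins; the comparison logic is the point.

```python
"""Phone-side VPN gateway certificate pinning, modelled after the list
discussion. Added example, not Cisco code. The .cnf.xml element names and
the hashAlg/certHash encoding below are assumptions."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-ins for DER-encoded certificates. Real ones are ASN.1
# blobs; for the fingerprint check only the SHA-1 of the raw bytes matters.
PHONE_VPN_TRUST = {
    "ASA-VPN.der": b"\x30\x82\x02\x10constructed-asa-vpn-identity-cert",
    "SERVER2.der": b"\x30\x82\x02\x10constructed-server2-cucm-cert",
}

# The /ccmadmin VPN gateway object: only certificates associated with the
# gateway are pushed to phones. SERVER2.der sits in the store but is not
# associated with the gateway (hypothetical URL and association).
VPN_GATEWAY = {
    "url": "https://vpn.example.net/phone",
    "certificates": ["ASA-VPN.der"],
}


def sha1_fingerprint(der):
    """SHA-1 over the raw DER bytes, the value the phone compares at TLS time."""
    return hashlib.sha1(der).digest()


def build_vpn_group(gateway, trust_store):
    """Server side: render the <vpnGroup> fragment of the phone's .cnf.xml.
    Layout is assumed: hashAlg 0 = SHA-1, certHashN = base64 of the digest."""
    hashes = "".join(
        "<certHash%d>%s</certHash%d>"
        % (i, base64.b64encode(sha1_fingerprint(trust_store[name])).decode(), i)
        for i, name in enumerate(gateway["certificates"], start=1)
    )
    return (
        "<vpnGroup>"
        "<addresses><url1>%s</url1></addresses>"
        "<credentials><hashAlg>0</hashAlg>%s</credentials>"
        "</vpnGroup>" % (gateway["url"], hashes)
    )


def gateway_url(vpn_group_xml):
    """Phone side: where to connect comes from the config, not from any cert."""
    return ET.fromstring(vpn_group_xml).findtext("addresses/url1")


def pinned_hashes(vpn_group_xml):
    """Phone side: pull every certHashN out of the downloaded config."""
    root = ET.fromstring(vpn_group_xml)
    if root.findtext("credentials/hashAlg") != "0":
        raise ValueError("only SHA-1 (hashAlg 0) is modelled here")
    return [
        base64.b64decode(el.text)
        for el in root.find("credentials")
        if el.tag.startswith("certHash") and el.text
    ]


def gateway_cert_accepted(vpn_group_xml, presented_der):
    """Phone side, during the TLS handshake with the ASA: hash the identity
    certificate the gateway presented and accept only on a pinned match.
    Constant-time compare so a mismatch does not leak how many bytes agreed."""
    presented = sha1_fingerprint(presented_der)
    return any(hmac.compare_digest(presented, h) for h in pinned_hashes(vpn_group_xml))


if __name__ == "__main__":
    cnf = build_vpn_group(VPN_GATEWAY, PHONE_VPN_TRUST)
    print("connect to:", gateway_url(cnf))
    print("ASA cert accepted:", gateway_cert_accepted(cnf, PHONE_VPN_TRUST["ASA-VPN.der"]))
    print("SERVER2 cert accepted:", gateway_cert_accepted(cnf, PHONE_VPN_TRUST["SERVER2.der"]))
```

Running it, the ASA's certificate is accepted and SERVER2's is not, even though both sit in phone-vpn-trust: SERVER2.der was never associated with the gateway, so its hash never reached the phone's config. That is the mechanism behind Dan's answer that a phone only contacts SERVER2 if SERVER2 is the VPN gateway.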

From: cisco-voip <cisco-voip-boun...@puck.nether.net> On Behalf Of ROZA, Ariel
Sent: Tuesday, October 23, 2018 11:52 AM
To: James Andrewartha <jandrewar...@ccgs.wa.edu.au>; cisco-voip@puck.nether.net
Subject: [EXT] Re: [cisco-voip] How to handle expired Phone-VPN-trust, 
phone-SAST-trust, other certificates

My main issue is not about the deletion process, but about the purpose and 
usefulness of each of those certificates. Being able to judge if it is good to 
delete or not certain certificates (even when expired).

I have this guide:
https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.htm

that gives a description of the purpose of each store, but it does not give 
specifics on why a particular certificate is in a store. I.e. why is 
there SERVER2.DER in the phone-vpn-trust store? Is this expected? Does a phone 
contact SERVER2 while using the Phone VPN? Is it there by default, or did someone 
add it, even by mistake?

And the expired certs that I have are not some that are renewable. All of them 
are in -trust stores.

So I am quite puzzled about them.

From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of James 
Andrewartha
Sent: Tuesday, October 23, 2018 12:39 AM
To: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] How to handle expired Phone-VPN-trust, 
phone-SAST-trust, other certificates

And if you have any problems deleting them (I had one that just would not go 
away and gave me alarms for years), just call TAC and they'll take you through 
the SQL to kill them permanently.

On 23/10/18 03:08, NateCCIE wrote:
The expired certs will throw alarms even if they have been superseded by newer 
certs.

So during a maintenance window, renew anything that is expired, and just delete 
all the old ones.  The newer versions of cucm make this easier by being able to 
sort by expiration date.

-Nate

From: cisco-voip <cisco-voip-boun...@puck.nether.net> On Behalf Of ROZA, Ariel
Sent: Monday, October 22, 2018 11:52 AM
To: cisco-voip <cisco-voip@puck.nether.net>
Subject: [cisco-voip] How to handle expired Phone-VPN-trust, phone-SAST-trust, 
other certificates

Hi, guys!

I have a customer that is receiving alarms over some expired certificates, and 
I would like to know which is the best way to handle them.
The certs are loaded in SERVER1 and all named SERVER2.der, except the CAPF ones.
<servername>.der in phone-vpn-trust.
<servername>.der in phone-trust
<servername>.der in phone-SAST-trust
<servername>.der in phone-CTL-trust
And several CAPF-xxxxxx.der in Callmanager-trust

So far I have dealt with renewing the Callmanager, TFTP and TVS certs, but I always 
kept clear of those other certs.
Should I delete them, or should I keep them, even though they are expired and throwing 
alarms?


Regards.


Ariel Roza
Collaboration Support Engineer
t: +54 11 5282-0458
c: +54 9 11 5017-4417
webex: http://logicalis-la.webex.com/join/ariel.roza
Av. Belgrano 955 - Piso 20 - CABA - Argentina - C1092AAJ
www.la.logicalis.com
_________________________________________________
Business and technology working as one

Logicalis Argentina S.A. can only be bound by its legal representatives within 
the limits set out in its articles of incorporation and the legislation in force.
The contents of this e-mail, including its attachments, contain confidential 
information.
It may not be disclosed and/or used by anyone other than the addressee, nor 
copied in any form.

_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877