Mike's PBX Cookbook

CAPF Certificate Regeneration

Procedure (SOP) for CAPF Certificate Regeneration and CUCM Cluster Restart

This procedure outlines the process of regenerating the CAPF certificate, updating the CTL, and restarting the CUCM cluster in a staggered approach to ensure a smooth re-registration of phones.

1Regenerate the CAPF Certificate via CUCM GUI

  1. Log in to the CUCM Cisco Unified OS Administration GUI with ccmadmin credentials.
  2. Navigate to System ➤ Security ➤ Certificate Management
  3. Locate the CAPF.pem certificate, and click Regenerate.
  4. Confirm the regeneration when prompted.
  5. Download the new certificate(s) for backup if needed.

Once the CAPF certificate is regenerated, phones using secure profiles (encrypted signaling or media) that rely on the CAPF certificate for secure registration may lose their secure trust relationship. These phones will need to re-register after regeneration and system restart.

2Update the CTL in the CUCM Cluster (Mixed-Mode Security)

  1. Access the CUCM Publisher CLI:
    • Use SSH to connect to the CLI of the CUCM Publisher node using ccmadmin
  2. Run the CTL Update Command:
    • At the CLI prompt, enter: utils ctl update CTLFile
  3. Confirm the Update:
    • When prompted to update the CTL file, type `y` and press Enter.
  4. Provide eToken Information (if applicable):
    • If the cluster uses an eToken, insert it and enter the eToken password when prompted.
  5. Monitor the Update Process:
    • The CLI will display progress, including:
    • Identifying certificates (e.g., CallManager, CAPF).
    • Generating the new CTL file.
    • Distributing the updated CTL file to all nodes in the cluster.

3Restart the CUCM Cluster (Staggered Approach)

  1. Restart the Publisher Node CUCM1, eg: 10.xxx.xxx.1
    • Run the command: utils system restart
    • Estimated time: 20-30 minutes.
  2. Restart the First TFTP-Enabled Subscriber Node CUCM2, eg: 10.xxx.xxx.2
    • Run the command: utils system restart
    • Estimated time: 20-30 minutes.
  3. Restart the Second TFTP-Enabled Subscriber Node CUCM3, eg: 10.xxx.xxx.18
    • Run the command: utils system restart
    • Estimated time: 20-30 minutes.

Phones will begin re-registering using the available TFTP server during the restarts.

4Verify Phone Re-registration

  1. Check phone registration status by running the command: show risdb query phone
  2. Monitor the process, it may take 30-60 minutes for 100 phones to re-register.

5Verify CAPF Service Status

  1. Verify the CAPF service status by running: utils service list | include CAPF
  2. Ensure the Cisco Certificate Authority Proxy Function service is running.

6Verify CallManager and TFTP Services

  1. Verify CallManager service with: utils service list | include CallManager
    • Ensure 'Cisco CallManager' is running.
    • Check TFTP services on each node by running: utils service list | include TFTP

7Check Logs and Alarms

  1. Check logs for any critical errors using the following commands:
    • file list activelog /cm/log/callmanager
    • file list activelog /cm/log/capf
  2. Monitor for any errors during the restart.

8Test Phone Security Features

  1. Ensure phones have re-registered.
  2. Verify secure registration and functionality by checking the security profile and phone icons on registered phones.

9Test Call Functionality

  1. Test internal and external calls.
  2. Verify call transfers, conference calls, and voicemail functionality.

10Verify Network Connectivity and User Privileges

  1. Test network connectivity by pinging the CUCM Publisher and Subscriber nodes:
    • ping <CUCM IP Address>
  2. Verify proper administrative privileges in User Management ➤ Application User within the CUCM GUI.

11Confirm PBX Stability

  1. SSH into the CUCM Publisher node (CUCM-1).
  2. Run the following command to verify PBX stability: utils dbreplication runtimestate