
CUCM 11.5.1 SU2 upgrade

touma.kayal
Level 1

Hello Everyone,

One of my clients currently has a CUCM cluster with 1 publisher and 6 subscribers; this cluster is running version 11.5.1 SU2.

I am planning a refresh upgrade to version 14 using PCD. But before this upgrade, I am planning a minor upgrade for that same CUCM from 11.5.1 SU2 to SU6 (minor upgrade), and I am concerned about the below:

1- Many of the self-signed certificates are already expired on this cluster (I can give more details if required). Can I proceed with upgrading to 11.5.1 SU6 even if these certificates are expired?

2- If I proceed with the upgrade to version 14 using PCD, will it regenerate the certificates during the upgrade?

Any feedback, please.

Thank you in advance

8 Replies

I would recommend you to renew any expired certificates before you proceed with any upgrades. Please see this document for details on how to go about this. Cisco UC Certificates Renewal Guide 

No upgrade will renew any certificates. What it would do is provide new versions of any certificates that Cisco includes in the distribution of their products.





Would it work if we first do a minor upgrade to SU6, then regenerate the expired certificates? I did it a couple of times before and it worked.

It could work with no problem, but in general it is not a good idea to carry on with expired certificates.





I echo @Roger Kallberg: first, you must renew the expired certificates and then proceed with the upgrade. When upgrading, certificates will not get renewed.

And for the 14, I recommend migration to the new OVA if it’s feasible (if your servers can accommodate the new virtual machines) rather than upgrading.

 



Thank you @Nithin Eluvathingal and @Roger Kallberg for your valuable feedback; I will definitely renew the expired certificates. But before I proceed with the renewal, the client wants to switch his cluster from mixed mode to non-secure mode. Can we do this activity first and then proceed with certificate regeneration?

Thank you again for your helpful comments.

 

Whoa, hold your horses! Turning off Mixed Mode is a completely different topic that probably deserves its own post altogether, as it's way off-topic for what you initially asked. That said, it depends on whether you have any devices or trunks set up for secure mode and how you initially initiated the setup of Mixed Mode. From what I know, there is quite good documentation at cisco.com for things related to Mixed Mode. I'd recommend you read it, and then read some more, before you do anything in this area, because if you go about it the wrong way you'll end up in all sorts of trouble. If I were you, I would do the upgrades first and then work on whatever is needed to have the cluster changed to a non-secure state.





Hello Roger,

In my current setup, none of the phones or SIP trunks are utilizing a secure profile; they are all configured with non-secure profiles. According to my understanding, when transitioning from mixed mode to non-secure mode, the CUCM and ITL recovery certificates are supposed to be removed from the CTL file. However, even after this transition, the CTL file persists. I've extensively researched Cisco documentation on this matter and even sought clarification through a TAC case. They have confirmed that it is permissible to transition to non-secure mode as long as all phones are configured with non-secure profiles.

However, my concern lies with the following:
If I transition to non-secure mode on my cluster, the CTL file remains in existence, but with empty certificates. In this scenario, is it advisable to delete the CTL from my cluster, considering that the phones will utilize the ITL to authenticate with the CUCM Server?

NB: my cluster contains many old phones (7911, 6921, etc.)

I've never worked with a Mixed-Mode system, so I can't say for sure. As you say, in normal operation mode the phones will use the ITL to verify the authenticity of the CM system they connect to. That said, if you have any doubts, my standard answer would be that it is advisable to check with TAC to get clarification before you embark on something.


