
List:       cisco-voip
Subject:    Re: [cisco-voip] [EXT] Re:  How to handle expired Phone-VPN-trust, phone-SAST-trust, other certifica
From:       Daniel Pagan <dpagan () fidelus ! com>
Date:       2018-10-25 13:09:09
Message-ID: BN6PR1701MB1716DEA004C87BCC874905AFCCF70 () BN6PR1701MB1716 ! namprd17 ! prod ! outlook ! com


In your example, the SERVER2 certificate in phone-vpn-trust is there because someone
would have placed it there for some reason. Some additional info... certificates
uploaded to the phone-vpn-trust store can be associated with a VPN gateway in
/ccmadmin. When assigned to a VPN-enabled phone through a common phone profile, a
hash of the certificate is provided to the phone in its .cnf file. This certificate
would/should be the same SSL cert assigned to the VPN gateway(s) configured. During
the TLS handshake between the phone and the ASA, the phone compares the SHA1 hash of
the identity certificate it receives with the hash contained in its previously
downloaded config file.

With that said -
Why is there SERVER2.DER in the phone-vpn-trust store?
DP: Likely someone placed it there.

Is this expected?
DP: Not by default.

Does a phone contact SERVER2 while using the Phone VPN?
DP: Only if SERVER2 is the VPN gateway. The phone uses the VPN gateway URL to
determine where to connect, then compares the certificate hash during TLS
negotiation.

Is there by default, or someone added, even by mistake?
DP: Added and (if SERVER2 is a UC server) likely by mistake.

Hope this helps.

- Dan
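
The hash comparison described in the reply above, modelled as an added example (not part of the original message and not Cisco code). It also audits a phone-vpn-trust listing against the certificate a gateway presents, to show whether an entry such as SERVER2.der is pinned to anything live. Assumptions: the function names are hypothetical, the byte strings are constructed stand-ins for DER certificates, and the pinned hash is accepted as hex or base64 because the page does not say how the .cnf file encodes it.

```python
import base64
import hashlib
import hmac
import ssl

# Constructed stand-ins for DER certificates. The fingerprint is a hash over the
# encoded bytes, so any byte string works; these are not real certificates.
ASA_DER = b"constructed: identity certificate currently served by the VPN gateway"
ASA_RENEWED_DER = b"constructed: the gateway certificate after it was renewed"
SERVER2_DER = b"constructed: SERVER2.der as found in phone-vpn-trust"
ASA_PEM = ssl.DER_cert_to_PEM_cert(ASA_DER).encode("ascii")


def to_der(cert: bytes) -> bytes:
    """Return DER bytes for a certificate supplied as DER or PEM."""
    text = cert.strip()
    if text.startswith(b"-----BEGIN CERTIFICATE-----"):
        return ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    return cert


def sha1_fingerprint(cert: bytes) -> bytes:
    """SHA-1 over the whole DER encoding (the usual certificate fingerprint)."""
    return hashlib.sha1(to_der(cert)).digest()


def parse_pinned_hash(value: str) -> bytes:
    """Decode a pinned SHA-1 given as hex (with or without ':') or base64.

    Assumption: the encoding used in the phone config file is not stated on
    the page, so both common forms are accepted here.
    """
    compact = value.strip().replace(":", "")
    if len(compact) == 40:
        try:
            return bytes.fromhex(compact)
        except ValueError:
            pass
    raw = base64.b64decode(value.strip(), validate=True)
    if len(raw) != 20:
        raise ValueError("pinned value is not a 20-byte SHA-1 digest")
    return raw


def phone_accepts(presented_cert: bytes, pinned_hash: str) -> bool:
    """Compare the presented certificate's SHA-1 with the hash from the config."""
    return hmac.compare_digest(
        sha1_fingerprint(presented_cert), parse_pinned_hash(pinned_hash)
    )


def audit_store(store: dict[str, bytes], gateways: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each trust-store entry to the gateways whose presented cert it matches.

    An entry mapped to an empty list matches no gateway that was checked.
    """
    result = {}
    for name, cert in store.items():
        fp = sha1_fingerprint(cert)
        result[name] = sorted(
            gw for gw, presented in gateways.items()
            if hmac.compare_digest(fp, sha1_fingerprint(presented))
        )
    return result


def demo() -> dict:
    """Run the checks on the constructed samples and return the outcomes."""
    pinned = sha1_fingerprint(ASA_DER).hex()
    return {
        "gateway cert unchanged": phone_accepts(ASA_DER, pinned),
        "same cert delivered as PEM": phone_accepts(ASA_PEM, pinned),
        "gateway cert renewed, pin not updated": phone_accepts(ASA_RENEWED_DER, pinned),
        "store audit": audit_store(
            {"asa.der": ASA_DER, "SERVER2.der": SERVER2_DER},
            {"vpn-gateway": ASA_DER},
        ),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```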


From: cisco-voip <cisco-voip-bounces@puck.nether.net> On Behalf Of ROZA, Ariel
Sent: Tuesday, October 23, 2018 11:52 AM
To: James Andrewartha <jandrewartha@ccgs.wa.edu.au>; cisco-voip@puck.nether.net
Subject: [EXT] Re: [cisco-voip] How to handle expired Phone-VPN-trust, phone-SAST-trust, other certificates

My main issue is not about the deletion process, but about the purpose and usefulness
of each of those certificates. Being able to judge if it is good to delete or not
certain certificates (even when expired).

I have this guide:
https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.htm


that gives a description of the purpose of each store, but it does not give specifics
on why is there a particular certificate in a store. I.e. Why is there SERVER2.DER in
the phone-vpn-trust store? Is this expected? Does a phone contact SERVER2 while using
the Phone VPN? Is there by default, or someone added, even by mistake?

And the expired certs that I have are not some that are renewable. All of them are in
-trust stores.

So I am quite puzzled about them.

From: cisco-voip [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of James Andrewartha
Sent: Tuesday, October 23, 2018 12:39 a.m.
To: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] How to handle expired Phone-VPN-trust, phone-SAST-trust, other certificates

And if you have any problems deleting them (I had one that just would not go away and
gave me alarms for years), just call TAC and they'll take you through the SQL to kill
them permanently.

On 23/10/18 03:08, NateCCIE wrote:
The expired certs will throw alarms even if they have been superseded by newer certs.

So during a maintenance window, renew anything that is expired, and just delete all
the old ones. The newer versions of CUCM make this easier by being able to sort by
expiration date.

-Nate

From: cisco-voip <cisco-voip-bounces@puck.nether.net> On Behalf Of ROZA, Ariel
Sent: Monday, October 22, 2018 11:52 AM
To: cisco-voip (cisco-voip@puck.nether.net) <cisco-voip@puck.nether.net>
Subject: [cisco-voip] How to handle expired Phone-VPN-trust, phone-SAST-trust, other certificates

Hi, guys!

I have a customer that is receiving alarms over some expired certificates, and I
would like to know which is the best way to handle them.
The certs are loaded in SERVER1 and all named SERVER2.der, except the CAPF ones.
<servername>.der in phone-vpn-trust.
<servername>.der in phone-trust
<servername>.der in phone-SAST-trust
<servername>.der in phone-CTL-trust
And several CAPF-xxxxxx.der in Callmanager-trust

So far I have dealt with renewing Callmanager, TFTP and TVS cert, but I always kept
clear from those other certs.
Should I delete them, should I keep them, even as they are expired and throwing alarms?


Regards.


Ariel Roza
Collaboration Support Engineer
t: +54 11 5282-0458
c: +54 9 11 5017-4417
webex: http://logicalis-la.webex.com/join/ariel.roza
Av. Belgrano 955 - Piso 20 - CABA - Argentina - C1092AAJ
www.la.logicalis.com






_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip




--

James Andrewartha

Network & Projects Engineer

Christ Church Grammar School

Claremont, Western Australia

Ph. (08) 9442 1757

Mob. 0424 160 877


style="font-size:8.0pt;color:#1F497D">&nbsp;</span><span \
lang="ES-AR"><o:p></o:p></span></p> <p class="MsoNormal"><span lang="ES-AR" \
style="font-size:8.0pt;color:#1F497D">&nbsp;</span><span \
lang="ES-AR"><o:p></o:p></span></p> <p class="MsoNormal"><span lang="ES-AR" \
style="font-size:8.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#A6A6A6">Logicalis \
Argentina S.A. solo puede ser obligado por sus representantes legales conforme los \
límites establecidos en el acto constitutivo y la legislación  en vigor. </span><span \
lang="ES-AR"><o:p></o:p></span></p> <p class="MsoNormal"><span lang="ES-AR" \
style="font-size:8.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#A6A6A6">El \
contenido del presente correo electrónico e inclusive sus anexos contienen \
información confidencial. </span><span lang="ES-AR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES-AR" \
style="font-size:8.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#A6A6A6">El \
mismo no puede ser divulgado y/o utilizado por cualquiera otro distinto al \
destinatario, ni puede ser copiado de cualquier forma.</span><span \
lang="ES-AR"><o:p></o:p></span></p> <p class="MsoNormal"><span \
lang="ES-AR">&nbsp;<o:p></o:p></span></p> <p class="MsoNormal"><span lang="ES-AR" \
style="font-size:12.0pt;font-family:&quot;Times New Roman&quot;,serif"><br> <br>
<br>
<br>
</span><span lang="ES-AR"><o:p></o:p></span></p>
<pre><span lang="ES-AR">_______________________________________________<o:p></o:p></span></pre>
 <pre><span lang="ES-AR">cisco-voip mailing list<o:p></o:p></span></pre>
<pre><span lang="ES-AR"><a \
href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><o:p></o:p></span></pre>
 <pre><span lang="ES-AR"><a \
href="https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpuck.nether.net \
%2Fmailman%2Flistinfo%2Fcisco-voip&amp;data=02%7C01%7Cariel.roza%40la.logicalis.com%7C \
42e5247c66914b1d315c08d638992622%7C2e3290cb8d404058abe502c4f58b87e3%7C0%7C0%7C63675862 \
7765789267&amp;sdata=dMXCZhW5XIfGfzcarRm3%2BCaMeXKCYiMCn1lxmHkI2u8%3D&amp;reserved=0">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></span></pre>
 </blockquote>
<p><span lang="ES-AR">&nbsp;<o:p></o:p></span></p>
<pre><span lang="ES-AR">-- <o:p></o:p></span></pre>
<pre><span lang="ES-AR">James Andrewartha<o:p></o:p></span></pre>
<pre><span lang="ES-AR">Network &amp; Projects Engineer<o:p></o:p></span></pre>
<pre><span lang="ES-AR">Christ Church Grammar School<o:p></o:p></span></pre>
<pre><span lang="ES-AR">Claremont, Western Australia<o:p></o:p></span></pre>
<pre><span lang="ES-AR">Ph. (08) 9442 1757<o:p></o:p></span></pre>
<pre><span lang="ES-AR">Mob. 0424 160 877<o:p></o:p></span></pre>
</div>
</body>
</html>



