For one of our customers, we noticed several RTMT SyslogSeverityMatchFound alerts generated every few minutes for certificate expiration. The alerts I was getting were as follows:
Feb 15 16:00:00, CCM-PUB, Emergency, Cisco Certificate Monitor, : 8947: Feb 15 16:00:00.57 UTC : %CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERGENCY_ALARM Message:Certificate expiration Notification. Certificate name:tomcat Unit:tomcat Type:own-cert Expiration:Wed Mar 3 08:16:58:000 GMT 2010 Cluster ID: Node ID:CCM-PUB, 42
Feb 15 16:00:00, CCM-PUB, Emergency, Cisco Certificate Monitor, : 8948: Feb 15 16:00:00.57 UTC : %CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERGENCY_ALARM Message:Certificate expiration Notification. Certificate name:CallManager Unit:CallManager Type:own-cert Expiration:Thu Mar 4 08:41:45:00 Cluster ID: Node ID:CCM-PUB, 43
Feb 15 16:00:00, CCM-PUB, Emergency, Cisco Certificate Monitor, : 8949: Feb 15 16:00:00.58 UTC : %CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERGENCY_ALARM Message:Certificate expiration Notification. Certificate name:CAPF Unit:CAPF Type:own-cert Expiration:Thu Mar 4 08:41:46:000 GMT 2010 / T Cluster ID: Node ID:CCM-PUB, 44
Feb 15 16:00:00, CCM-PUB, Emergency, Cisco Certificate Monitor, : 8950: Feb 15 16:00:00.58 UTC : %CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERGENCY_ALARM Message:Certificate expiration Notification. Certificate name:CAPF-e00e8760 Unit:CallManager-trust Type:trust-cert Expiration:Thu Mar 4 0 Cluster ID: Node ID:CCM-PUB, 45
Feb 15 16:00:00, CCM-PUB, Emergency, Cisco Certificate Monitor, : 8951: Feb 15 16:00:00.59 UTC : %CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERG
These alerts are usually raised when certificates on Call Manager are about to expire or have already expired.
I went into OS Admin and checked the status of all certificates:
Then I went into each of them to check the ‘Not After’ date:
I just regenerated the ones that had expired:
This stopped all RTMT alerts.
You can also regenerate certificates from the CLI:
admin: set cert regen tomcat
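To see at a glance which certificates the repeating alerts actually refer to, the alert text can be parsed and collapsed to one row per certificate. The following is an added example, not part of the original post or any Cisco tooling; the sample lines are abridged from the alerts above, and the reference time NOW (alert time, with the year taken from the expiry dates) is an assumption.

```python
import re
from datetime import datetime, timezone

ALERT_RE = re.compile(
    r"CertExpiryEmergency:.*?Certificate name:(?P<name>\S+)\s+Unit:(?P<unit>\S+)"
    r"\s+Type:(?P<type>\S+)\s+Expiration:(?P<exp>.*?)\s*Cluster ID:")
# Expiration looks like "Wed Mar 3 08:16:58:000 GMT 2010"; some alerts cut it short.
EXP_RE = re.compile(r"(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d):\d+ GMT (\d{4})")

def parse_alert(line):
    """Return name/unit/type/expiry for one alert line, or None if it is unusable."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("name", "unit", "type")}
    e = EXP_RE.search(m.group("exp"))
    # A truncated timestamp becomes None so it is flagged, not guessed.
    rec["expiry"] = (datetime.strptime(" ".join(e.groups()), "%b %d %H:%M:%S %Y")
                     .replace(tzinfo=timezone.utc) if e else None)
    return rec

def triage(lines, now):
    """Collapse repeated alerts to one row per certificate with days left to expiry."""
    certs, unparsed = {}, 0
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            unparsed += 1
            continue
        rec["days_left"] = (rec["expiry"] - now).days if rec["expiry"] else None
        key = (rec["name"], rec["unit"])
        if key not in certs or certs[key]["expiry"] is None:
            certs[key] = rec
    return list(certs.values()), unparsed

# Alert text abridged from the lines above (syslog prefix dropped, tomcat repeated
# to mimic the recurring alerts); the last two are cut short as in the original.
P = ("%CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERGENCY_ALARM "
     "Message:Certificate expiration Notification. Certificate name:")
SAMPLE = [
    P + "tomcat Unit:tomcat Type:own-cert Expiration:Wed Mar 3 08:16:58:000 GMT 2010 Cluster ID: Node ID:CCM-PUB, 42",
    P + "tomcat Unit:tomcat Type:own-cert Expiration:Wed Mar 3 08:16:58:000 GMT 2010 Cluster ID: Node ID:CCM-PUB, 42",
    P + "CAPF Unit:CAPF Type:own-cert Expiration:Thu Mar 4 08:41:46:000 GMT 2010 / T Cluster ID: Node ID:CCM-PUB, 44",
    P + "CAPF-e00e8760 Unit:CallManager-trust Type:trust-cert Expiration:Thu Mar 4 0 Cluster ID: Node ID:CCM-PUB, 45",
    "%CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERG",
]
NOW = datetime(2010, 2, 15, 16, 0, tzinfo=timezone.utc)  # assumed reference time

if __name__ == "__main__":
    rows, skipped = triage(SAMPLE, NOW)
    for r in rows:
        print(r["name"], r["unit"], r["type"], r["expiry"], r["days_left"])
    print("unparsed alert lines:", skipped)
```

Rows whose expiry is None come from alerts with a cut-off timestamp; for those, the 'Not After' date still has to be read from OS Admin.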
Hello,
I am having the same issue. I regenerated the certificates of type cert, but the certificates of type trust-certs don’t have an option for regeneration. A specialist from Cisco TAC suggested deleting the certificates, and they will be regenerated. Do I have to restart any service for this to happen?
Thanks,
Ibrahim
I don’t think there is any need to restart a service.
Thanks
Should I wait until after hours to delete the certificates?
Thanks
CJ
You can do it during production hours, but I would recommend a maintenance window if you can arrange one.
Ibrahim, did you do this? And did they just regenerate after you deleted them?
Thanks, Neil