Erick,

You can add a 2nd cert to the VPN Gateway configuration after you add it as a 
VPN-Trust.

So what you want to do is create a new trustpoint on the ASA with the new 
certificate, upload that to CUCM as a phone-vpn-trust, and then add it as a 2nd 
cert to the VPN Gateway.

You'll then want to make sure all the VPN phones get reset so they get the new 
certificate as well.

After all the VPN phones have both certificates, you can then change SSL on the 
ASA to bind to the other trustpoint and start using the new certificate.

If you follow that method, you won't have to bring any of the VPN phones back in 
as long as they're connected.  The main problem with this method is some people 
have VPN phones that they rarely connect so you'll need to make sure everyone 
connects their phones to get the new certificate before you make the change on 
the ASA.

Brian

From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Erick 
Wellnitz
Sent: Tuesday, January 28, 2014 10:20 AM
To: cisco-voip
Subject: [cisco-voip] cisco phone-vpn cert expiration

I have a situation I'm sure isn't unique.

What happens when I upload a new phone-vpn cert to the CUCM to replace an 
expired/expiring one?

Are vpn phones going to freak out and stop authenticating to the VPN or should 
everything be smooth sailing?
_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
