CM Identity Cert

[wpetilli]

After migrating to CM 8.x we had to provide identity certificates for CM and the remote 8300 LSPs. These were cut from our internal PKI. These are expiring in the next few weeks. The 8300 LSPs were no issue to add the new certs. What is the process to do the duplex servers? Do the primary first? Does the primary auto apply to the standby or apply to both?

 

[kyle555]

Do each. I thought they replicate, but I don't think they actually do.

In 7.x you needed a reset system 4 to apply, not so in 8.x AFAIK.

Remind me to lab it out tomorrow.

 

[bignose21]

when we do it there is a separate cert for each server so you do each in turn, don't think it matters which way round, no restart is required.

 

[wpetilli]

Thanks. Each LSP has their own identity cert. We use 1 cert for the duplex and ess and have the server names in the SAN.

 

[wpetilli]

Interestingly, I applied the updated cert to the standby server and it did a reset. I thought when I did the primary I'd experience an interchange. There was no interchange, but it did look like CM reset. No issues, just what I observed.