How to - Removing CTL and ITL from 7900-series phones via SSH

Which Cisco UC engineer does not know the challenge when he runs a CUCM in mixed mode:

How to remove a Certificate Trust List on a phone nobody has physical access to during a CUCM migration?

The normal way like using the same security tokens on old and new CUCM is not possible. Sending somebody on site during the migration is also not possible. These limitations raised the need for an alternate solution.

After some testing, I decided to create a small Python script. The final script connects via SSH to the phone and uses the test key functions of the Cisco SIP phone debug-mode to press the required phone buttons via command line interface.

Main requirement is to enable SSH for phone on the CUCM and to configure a username and password for the SSH access.

The following script is based on Python 3.4 and uses as additionally Paramiko for the possibility to connect via SSH to the Cisco IP phones. Besides Paramiko also the time class is required to implement some delay between the different commands.

    import paramiko

    import time

The hosts variable defines the IP addresses of the Cisco IP Phones to which the script should connect to.

          phones = [""]

The function delete_CTL establishes after the start directly a SSH connection to the phone. 
    def delete_CTL(host):
     client = paramiko.SSHClient()
     client.connect(hostname=host, username='admin',         
       password='12345', port=22, 

The user credentials are at the moment hardcoded. In this example I used username='admin' and password='12345' these parameters could be easily adjusted.

     client_shell = client.invoke_shell()

After the SSH connection is running an additional login is required to access the debug-modus of the phone. To access the debug modus you have to use the username 'debug' and the password 'debug'.


In the debug modus you can now start the test modus to send key pressures via SSH to the phone. This function could be started with the command test open.

     client_shell.send("test open\n")
     client_shell.send("test key set\n")
     time.sleep( 2)
     client_shell.send("test key **#\n")
     client_shell.send("test key 4\n")
     client_shell.send("test key 5\n")
     client_shell.send("test key 1\n")
     client_shell.send("test key soft4\n")
     client_shell.send("test key soft2\n"
     client_shell.send("test close\n")
     return output.decode('ascii')

The main function that calls just the delete_CTL function for each IP included in the phones variable.

   if __name__ == "__main__":
      for i in hosts:

The actual version of the script is based on a 7965 phone and needs only minimal adjustments to work also with other versions of the 7900- series. The required debug mode for sending key pressures via SSH is only available to the SIP fimware and not available for the SCCP version.

I'm no Pyhton expert, so every advise for improvement is very welecome :-)


  1. please help me to do with sccp phone . test key command not available in my 7911 sccp phone.



  2. Great work. i am also try some of the stuff like this. if interested lets collaborate. you can reach via email :- chikkiv at gmail dot com

  3. Thanks,liked the way you expressed your views in this post. weatherproof hotline emergency telephone


Post a Comment

Popular posts from this blog

How to - Install Python and Paramiko in offline Windows environment (Optimized Method)

How to - Install Python 3.4 and Paramiko in offline Windows environment