Over the years I've seen the CAPF Report in CUCM list incorrect certificate information quite a few times, which is awkward if you're using an LSC for VPN or .1x authentication & trying to report on incorrect or expired certificates.
The phone LSC scraper does a dynamic audit of certificates installed on phones by leveraging the AXL & RIS APIs. First it pulls list of SEP devices from AXL API, then uses this list to retrieve IP addresses of registered phones via the RIS API. Then it connects via HTTPS to each IP address & outputs the certificate subject & expiry date.
Configuration is taken from the same JSON files as the DN recording checker uses. However note that the application user requires Standard AXL API Access, Standard RealtimeAndTraceCollection & Standard Serviceability roles.
GitHub repo: https://github.com/Chris-P-15B/Voice-Automation
Example output:
python Phone_LSC_Scraper.py cucm-emea.json
Password:
160 SEP devices found in configuration.
SEP0004F2EBC0FE, 10.0.220.131, unable to connect.
SEP000832AA702F, 10.0.216.51, certificate subject {'serialNumber': 'PID:CP-8865 SN:FCH1136EABC', 'C': 'US', 'ST': 'NY', 'L': 'Albany', 'O': 'A Business', 'OU': 'IT Support', 'CN': 'CP-8865-SEP000832AA702F'}, expires 2026-10-07 11:14:06.
SEP000832AAAB7E, 10.0.216.134, certificate subject {'serialNumber': 'PID:CP-8865 SN:FCH1138DDEF', 'C': 'US', 'ST': 'NY', 'L': 'Albany', 'O': 'A Business', 'OU': 'IT Support', 'CN': 'CP-8865-SEP000832AAAB7E'}, expires 2026-10-07 11:14:09.
Speaking of the DN recording checker, that's been updated to include a column that describes the config issues found more clearly. It's also located in the Voice-Automation repo, along with instructions on creating the JSON configuration files.