As per the Understand ECDSA certificates in a UCCX Solution guide, tomcat ECDSA should be signed with external CA by EC (best practice) or signed by RSA (in this case email-chat gadget won't load and SocialMiner webpage does not load otherwise COP file which I cannot reach by the way). I want to know the steps for signing the tomcat ECDSA by CE or RSA via Windows Server 2008 R2 CA.
Thanks in advance
Did you review this doc:
Here is another write-up with MSFT CA signing steps:
Yes, already checked the document and the other link. In our case there is no chance to change the CA template to CE or the key length of RSA. So we had to check the second option, which is the COP file to disable offering tomcat-ECDSA. If you have the COP file link, please provide it to me.
Thanks in Advance
The document link provided on ECDSA certs is good, but the links to the cop file to disable it are broken. They link to a blank page.
Yeah I have this EXACT same issue. I did the process and 11.6(1) - old COP for disable of ECDSA doesn't apply to 11.6(1), did this whole walkthrough and install the cert - takes the cert - can't get the COP to disable SocialMiner (we don't use it anyways) and Live Data doesn't work still. The COP file they reference only disables 11.5(1) from using ECDSA.
These documents are highly lacking in steps, clarity and detail. The original Cisco document where it is someone cutting and pasting a Cisco-internal flowchart is a poor way to create documentation. This needs to be fleshed out a bit more as I am seeing this thread come up a bunch of times in here.
Even my server admin commented on how vague it was and how a 3rd party Cisco-related site is the one giving the meat and potato steps. Haha!
This is what TAC said about the issue:
The ECDSA cert caused issues for Live Data in 11.5(1) and the COP file was more of a stop-gap measure to get its use turned off quickly and easily. This fix was included in 11.5(1)SU1, at which point the separate COP file for that purpose was no longer needed and removed from cisco.com. 11.6(2) also is not affected, so you should be fine.
Did you get a resolution? I was about to purchase another set of certs but I have a TAC engineer saying that Tomcat-ECDSA is not supported in 11.6. We're on 11.6(1).