cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3477
Views
0
Helpful
10
Replies

Signing UCCX 11.6 signing tomcat ECDSA via Windows server 2008 R2 CA

Omar Gamil
Level 1
Level 1

Dears,

 

As per the Understand ECDSA certificates in an UCCX Solution guide, tomcat ECDSA should be signed with external CA by EC (best practice) or signing by RSA (in this case email-chat gadget won't load and SocialMiner webpage does not load otherwise cop file which I cannot reach by the way) . I want to know the steps for signing the tomcat ECDSA by CE or RSA via Windows server 2008 R2 CA.

 

Thanks in advance

Omar

10 Replies 10

Yes, Already checked the document and the other link.. In our case there is no chance to change the CA template to CE or the key length of RSA. So we had to check the second option which is the COP file to disable offering  tomcat-ECDSA. if you has the COP file link, please provide it to me.

 

Thanks in Advance

The document link provided on ECDSA certs is good, but the links to the cop file to disable it are broken.  They link to a blank page. 

Yeah I have this EXACT same issue. I did the process and 11.6(1) - old COP for disable of ECDSA doesn't apply to 11.6(1), did this whole walkthrough and install the cert - takes the cert - can't get the COP to disable SocialMiner (we don't use it anyways) and Live Data doesn't work still. The COP file they reference only disables 11.5(1) from using ECDSA.

 

These documents are highly lacking in steps, clarity and detail. The original Cisco document where it is someone cutting and pasting a Cisco-internal flowchart is a poor way to create documentation. This needs to be flushed out a bit more as I am seeing this thread come up a bunch of times in here.

Even my server admin commented in how vague it was and how a 3rd party Cisco-related site is the one giving the meat and potato steps. Haha!

This is what TAC said about the issue:

 

The ECDSA cert caused issues for Live Data in 11.5(1) and the COP file was more of a stop-gap measure to get its use turned off quickly and easily.  This fix was included in 11.5(1)SU1, at which point the separate COP file for that purpose was no longer needed and removed from cisco.com.  11.6(2) also is not affected, so you should be fine.

Sounds like I need to go to 11.6(2) from 11.6(1) rather than spend more time on this cert. Haha

Did you get a resolution? I was about to purchase another set of certs but I have a TAC engineer saying that Tomcat-ECDSA is not supported in 11.6. We're on 11.6(1).

The issue resolved by neglecting Tomcat-ECDSA certificate at all and sign only the normal tomcat certificate.

 

 

The issue resolved by neglecting Tomcat-ECDSA certificate at all and sign only the normal tomcat certificate.

 

 

Thanks for confirming. I will just let the ECDSA certificate expire then.