thanks for the update Matt, maybe add a screenshot of how you did this for future reference

Hello Jonathan,

 

This is my ccnp lab (not production), I signed it because the option was there to sign it.

 

Is there an advantage to not having a CA signed CAPF ?

 

Regards,

Mat

Ok, lab is a different story. If there was a production _requirement_ I was eager to hear what it was.

Here is my "why not" answer, if this was production: On the topic of CUCM crypto-anything my advice is to not add complexity or deviate from the product default that Cisco tested unless you have to. Some of these features aren't used all that often; your chance of hitting a defect is not small. For example, phones can only store ITL/CTL files less than 64KB. The CA adds data/size to a certificate (e.g. the CA's public key signature, CRL/OCSP, etc.) when signing it.

There are other certificates (e.g. TVS or ITLrecovery) that shouldn't be CA-signed since there is never a benefit gained from doing so. Everything the CA adds to the cert can alter the way clients or the server itself handles it. For example, if it adds a CRL/OCSP URL, will clients query it? How will they react to a failure/timeout of that CRL/OCSP? I suspect the way physical phones, which themselves vary in code bases over the generations, will differ in some cases to soft clients such as Jabber. This is especially true when it comes to key/hash length/complexity.

Lastly, InfoSec may not like this from a governance perspective since CAPF lacks a certificate revocation mechanism and making it a subordinate CA extends the trust chain.

Many thanks for your reply Jonathan, I will keep in mind your comments when working on prod environments and share your comments with my team :)