Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1732
Views
0
Helpful
1
Replies

Certificate Extensions required for various UC certs

Matthew Hall
Level 4
Level 4

‎08-10-2014 07:34 AM - edited ‎03-18-2019 11:24 AM

I need clarification on the actual extensions required for each certificate.   I no longer trust the Cisco documentation.

The OS guide for cucm and im&p states:

 

 • The CAPF CSR uses the following extensions:X509v3 extensions:
 X509v3 Key Usage:
 • Digital Signature, Key Encipherment, Certificate Sign
 X509v3 Extended Key Usage: 
 • TLS Web Server Authentication, IPsec End System
 
 • The CSRs for Cisco Unified Communications Manager, Tomcat, and IPsec use the following extensions:X509v3 extensions:
X509v3 Key Usage:
 • Digital Signature, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign
X509v3 Extended Key Usage:
 • TLS Web Server Authentication, TLS Web Client Authentication, IPsec End System

 

Readhing what each of these does...I highly doubt that this is accurate.  First of all, none of Cisco's guides show using anything but Digtial Signature and Key Encipherment for the tomcat cert.  Not to mention that you can't even create such a template as above with Windows CA servers without building a custom inf and importing it.....I really doubt that there are many users that have ever done that for their cucm certs.

 

CUC OS guide states:

•The CAPF CSR uses the following extensions:

 X509v3 extensions:
 X509v3 Key Usage:
 Digital Signature, Certificate Sign
 X509v3 Extended Key Usage:
 TLS Web Server Authentication, IPSec End System


•The CSRs for Cisco Unified Communications Manager, Tomcat, and IPSec use the following extensions:

 X509v3 Key Usage:
 Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
 X509v3 Extended Key Usage:
 TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System

 

Clearly different requirements for the tomcat cert than in CUCM.  And again bizarre things like Key Encipherment and Key Agreement..which are mutually exclusive in Microsoft CA templates.  I simply cannot beleive these are accurate.

My hypothesis is that the CUCM, Tomcat and IPSec certs all need different x509v3 usage templates...but Cisco hasn't bothered to break them out.   Can we please get accurate confirmation of what is needed for these certs???  Along with the IOS certs for secure SIP and secure conferencing...clear requirements for VCS would be nice.  These seem a bit vauge as well.  I think we are at the point where a clear and concise PKI doc for UC may be needed...or at least a very detailed chapter the SRND.

 

Thanks

8 people had this problem
Labels:
0 Helpful
1 Reply 1

HARIS_HUSSAIN
VIP Alumni
VIP Alumni

‎12-14-2019 11:46 PM

Do we have any updated information on this now?
Can Any One Help Here.

I can see below video which says Key Usage must match, But that still leaves us with Question of Key Encipherment and Key Agreement..beign mutually exclusive in Microsoft CA templates.

And no infomation about certificte signing attribute which is seen in the Self Signed Certs.



https://www.youtube.com/watch?v=FIqh3rSIUmA
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents