Certificate Extensions required for various UC certs

I need clarification on the actual extensions required for each certificate.   I no longer trust the Cisco documentation.

The OS guide for cucm and im&p states:

 

• The CAPF CSR uses the following extensions:
 X509v3 extensions:
 X509v3 Key Usage:
  Digital Signature, Key Encipherment, Certificate Sign
 X509v3 Extended Key Usage:
  TLS Web Server Authentication, IPsec End System

• The CSRs for Cisco Unified Communications Manager, Tomcat, and IPsec use the following extensions:
 X509v3 extensions:
 X509v3 Key Usage:
  Digital Signature, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign
 X509v3 Extended Key Usage:
  TLS Web Server Authentication, TLS Web Client Authentication, IPsec End System

 

Reading what each of these does... I highly doubt that this is accurate.  First of all, none of Cisco's guides show using anything but Digital Signature and Key Encipherment for the Tomcat cert.  Not to mention that you can't even create such a template as above with Windows CA servers without building a custom inf and importing it... I really doubt that there are many users that have ever done that for their CUCM certs.

 

CUC OS guide states:

• The CAPF CSR uses the following extensions:

 X509v3 extensions:
 X509v3 Key Usage:
 Digital Signature, Certificate Sign
 X509v3 Extended Key Usage:
 TLS Web Server Authentication, IPSec End System


• The CSRs for Cisco Unified Communications Manager, Tomcat, and IPSec use the following extensions:

 X509v3 Key Usage:
 Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
 X509v3 Extended Key Usage:
 TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System

 

Clearly different requirements for the Tomcat cert than in CUCM.  And again bizarre things like Key Encipherment and Key Agreement... which are mutually exclusive in Microsoft CA templates.  I simply cannot believe these are accurate.

My hypothesis is that the CUCM, Tomcat and IPSec certs all need different X509v3 usage templates... but Cisco hasn't bothered to break them out.   Can we please get accurate confirmation of what is needed for these certs???  Along with the IOS certs for secure SIP and secure conferencing... clear requirements for VCS would be nice.  These seem a bit vague as well.  I think we are at the point where a clear and concise PKI doc for UC may be needed... or at least a very detailed chapter in the SRND.

 

Thanks
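As an added check (not from the post, Cisco, or the OS guide), here is a stdlib-only Python script that pulls the Key Usage and Extended Key Usage lines out of `openssl x509 -text` (or `openssl req -text`) output and diffs them against the two extension sets quoted above from the CUCM/IM&P OS guide; the certificate text it runs on is constructed, and the "IPSec End System" spelling is what OpenSSL prints for that EKU.

```python
import re

# Extension sets quoted in the post from the CUCM/IM&P OS guide. Names use the
# spelling `openssl x509 -text` prints (e.g. "IPSec End System").
REQUIRED = {
    "capf": {
        "Key Usage": {"Digital Signature", "Key Encipherment", "Certificate Sign"},
        "Extended Key Usage": {"TLS Web Server Authentication", "IPSec End System"},
    },
    "tomcat": {  # the guide lists the same set for the CallManager and IPsec CSRs
        "Key Usage": {"Digital Signature", "Key Encipherment", "Data Encipherment",
                      "Key Agreement", "Certificate Sign"},
        "Extended Key Usage": {"TLS Web Server Authentication",
                               "TLS Web Client Authentication", "IPSec End System"},
    },
}

def parse_usages(x509_text):
    """Return {'Key Usage': set, 'Extended Key Usage': set}; values sit on the line after each header."""
    lines, found = x509_text.splitlines(), {}
    for i, line in enumerate(lines[:-1]):
        m = re.match(r"\s*X509v3 (Key Usage|Extended Key Usage):", line)
        if m:
            found[m.group(1)] = {v.strip() for v in lines[i + 1].split(",") if v.strip()}
    return found

def check_cert(x509_text, service):
    """Diff a cert's KU/EKU against the documented set for service ('capf' or 'tomcat')."""
    actual = parse_usages(x509_text)
    report = {}
    for ext, required in REQUIRED[service].items():
        present = actual.get(ext, set())
        report[ext] = {"missing": required - present, "extra": present - required}
    return report

# Constructed sample: a Tomcat cert carrying only the usages a stock web-server template gives.
SAMPLE_TOMCAT_CERT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:cucm-pub.example.com
"""
if __name__ == "__main__":
    for ext, diff in check_cert(SAMPLE_TOMCAT_CERT, "tomcat").items():
        print(f"{ext}: missing={sorted(diff['missing'])} extra={sorted(diff['extra'])}")
```

Paste the output of `openssl x509 -in cert.pem -noout -text` in place of the sample to see exactly which documented usages a CA-issued cert lacks before uploading it.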

1 REPLY 1

Do we have any updated information on this now?
Can anyone help here?

I can see the video below, which says Key Usage must match, but that still leaves us with the question of Key Encipherment and Key Agreement being mutually exclusive in Microsoft CA templates.

And no information about the certificate signing attribute which is seen in the self-signed certs.



https://www.youtube.com/watch?v=FIqh3rSIUmA