08-10-2014 07:34 AM - edited 03-18-2019 11:24 AM
I need clarification on the actual extensions required for each certificate. I no longer trust the Cisco documentation.
The OS guide for CUCM and IM&P states:
Reading what each of these does... I highly doubt that this is accurate. First of all, none of Cisco's guides show using anything but Digital Signature and Key Encipherment for the tomcat cert. Not to mention that you can't even create such a template as above with Windows CA servers without building a custom inf and importing it... I really doubt that there are many users that have ever done that for their CUCM certs.
CUC OS guide states:
• The CAPF CSR uses the following extensions:
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Certificate Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication, IPSec End System
• The CSRs for Cisco Unified Communications Manager, Tomcat, and IPSec use the following extensions:
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System
Clearly different requirements for the tomcat cert than in CUCM. And again bizarre things like Key Encipherment and Key Agreement... which are mutually exclusive in Microsoft CA templates. I simply cannot believe these are accurate.
My hypothesis is that the CUCM, Tomcat and IPSec certs all need different x509v3 usage templates... but Cisco hasn't bothered to break them out. Can we please get accurate confirmation of what is needed for these certs??? Along with the IOS certs for secure SIP and secure conferencing... clear requirements for VCS would be nice. These seem a bit vague as well. I think we are at the point where a clear and concise PKI doc for UC may be needed... or at least a very detailed chapter in the SRND.
Thanks
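The two extension sets quoted from the CUC OS guide above can be reproduced and inspected locally before anything is submitted to a CA, which is the quickest way to see exactly which Key Usage and Extended Key Usage bits a request carries. The script below is an added example, not Cisco's procedure and not code from the poster: it writes an OpenSSL request config for the "capf" and "tomcat" profiles exactly as quoted, generates a throwaway key and CSR for each, and greps the decoded CSR for the expected values. The common name `<profile>.example.invalid` is a constructed placeholder, and the script assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post or Cisco documentation):
# build CSRs with the Key Usage / EKU sets quoted from the CUC OS guide
# and verify what the decoded request actually contains.
set -eu

WORK="${TMPDIR:-/tmp}/uc-csr-example.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# write_req_config <profile> <common-name>
# Emits an OpenSSL "req" config with req_extensions for the named profile
# and prints the config path. Profiles mirror the two lists quoted above.
write_req_config() {
  profile="$1"; cn="$2"
  case "$profile" in
    capf)
      ku="digitalSignature, keyCertSign"
      eku="serverAuth, ipsecEndSystem" ;;
    tomcat)
      ku="digitalSignature, keyEncipherment, dataEncipherment, keyAgreement"
      eku="serverAuth, clientAuth, ipsecEndSystem" ;;
    *) echo "unknown profile: $profile" >&2; return 1 ;;
  esac
  cat > "$WORK/$profile.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no
[ dn ]
CN = $cn
[ ext ]
keyUsage = $ku
extendedKeyUsage = $eku
EOF
  echo "$WORK/$profile.cnf"
}

# make_csr <profile>
# Generates a throwaway RSA-2048 key plus a CSR using the profile's config
# and prints the CSR path. The CN is a constructed placeholder.
make_csr() {
  profile="$1"
  cnf=$(write_req_config "$profile" "$profile.example.invalid")
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$profile.key" -out "$WORK/$profile.csr" \
    -config "$cnf" 2>/dev/null
  echo "$WORK/$profile.csr"
}

# csr_has <csr-path> <expected-text>
# Succeeds when the decoded CSR contains the given extension value line,
# e.g. "Digital Signature, Certificate Sign".
csr_has() {
  openssl req -in "$1" -noout -text | grep -q "$2"
}

# Stand-alone demonstration: show the requested extensions of both CSRs.
for p in capf tomcat; do
  csr=$(make_csr "$p")
  echo "== $p CSR requested extensions =="
  openssl req -in "$csr" -noout -text | grep -A1 -E 'X509v3 (Extended )?Key Usage'
done
```

Run this on the same config you intend to hand to a Windows CA; if the CA's template rewrites the extensions, comparing the issued certificate (`openssl x509 -in cert.pem -noout -text`) against the CSR output from this script makes the difference visible immediately.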