Re: CUCM Elliptic Curve (EC) Certificate - public CA Support

MSchwarzmann · ‎10-01-2020

Hi Community,

we want to install a public CA signed Elliptic Curve (EC) certificate for 'callmanger-process' on our CUCM.

Because we are struggling with two public CA providers to geht the correct (requested) key usages set, I want to ask you guys if you can give me some feedback with which public CA provider you enrolled your EC certificate?

Some background information:

based on documentation and validation with cisco TAC/Dev's, the following keyUsages are needed on this EC certificate: Digital Signature, Key Encipherment, Data Encipherment.

But as stated above, DigiCert and Sectigo aren't able to set the "Key Encipherment" extension at EC certificates.

So I am now searching for a public CA which can set all the requested KeyUsages to a EC certificate.

Thanks in advance!

Best Regards,

markus

Mohammed al Baqari · ‎10-02-2020

The simplest approach is to download the EC cert from cucm which was self
signed. Look at the key usage and extended key usage of the cert and make
sure that they are present in the new one (ca signed). This will guarantee
it to work properly.

***** please remember to rate useful posts

MSchwarzmann · ‎10-02-2020

Hi Mohammed,

thanks for your input. But the question is not which key usages do I need, rather than which CA is able to set this required Key Usages (Digital Signature, Key Encipherment, Data Encipherment) to an EC certificate.

Mohammed al Baqari · ‎10-02-2020

Hi,

May be I wasn't very clear. My point is confirm whether these are required
in EC or not before looking for CA. They might be required for RSA but not
EC. I know you confirmed it with TAC but cross check from actual cert in
cucm

***** please remember to rate useful posts

MSchwarzmann · ‎10-02-2020

Hi!

thanks again. we checked on that too.
so based on EC self-signed, clarification with TAC and validation with BU/Devs - we know what's required. just looking for a CA