05-31-2017 03:27 PM - edited 03-17-2019 10:28 AM
Hi -
We are having trouble issuing a signing certificate for CAPF from a Microsoft PKI environment. We have the environment built with an offline root CA which has the path length constraint set to 1. We have an enterprise subordinate CA, which would then have its path length naturally set to zero. CAPF wants a signing certificate so it has to be issued from the root - because of the path length the enterprise subordinate cannot do it.
According to http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/cucos/9_1_1/CUCM_BK_C5D96C80_00_cucm-os-admin-guide-91/CUCM_BK_C5D96C80_00_cucm-os-admin-guide-91_chapter_0110.html - the requirements for a CAPF certificate are:
X509v3 extensions:X509v3 Key Usage:
Digital Signature, Key Encipherment, Certificate Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication, IPsec End System
If we generate the CSR from the Cisco environment and then try to issue it on a non-path constrained enterprise CA and manually configure the template to include the above x509 extensions it works. However, for security reasons we do not want to allow our online subordinate CA to issue signing certificates.
To issue a signing cert, we want it issued from the root CA. Because our root CA is a standalone root, it does not include Microsoft templates, so it will decide on which x509 extensions to issue from the request. However, the CSR from the Cisco environment only is requesting the following extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Certificate Sign
So, the actual CSR issued from CUCM is missing the IPSec End System extension on the request.
Does CAPF require this extension? Is the documentation incorrect, or are the CSRs being created incorrectly? Has anyone encountered this and how did you get around it?
Thanks in advance.
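An added example, not part of this post or of any Cisco tooling: a POSIX shell script (assumes openssl is on PATH; file names and the CN are placeholders) that builds a CSR requesting every extension the admin guide lists, and audits any CSR, such as the one CUCM generates, for the documented extensions before it goes to a standalone root that copies the requested extensions into the certificate.

```shell
#!/bin/sh
# Added example (not from the thread): build a CAPF CSR that requests every
# extension the CUCM OS admin guide lists, and audit any CSR for those
# extensions before handing it to a standalone root that copies them verbatim.
# Assumes openssl is on PATH; file names and CN are placeholders.
set -eu

# Extensions named in the documentation, exactly as `openssl req -text` prints them.
REQUIRED="Digital Signature,Key Encipherment,Certificate Sign,TLS Web Server Authentication,IPSec End System"

# make_capf_csr KEYOUT CSROUT [CN] [EKU-list]: write a key and a CSR whose
# extensionRequest carries the KU/EKU the root should copy into the certificate.
make_capf_csr() {
  cn=${3:-capf-example.invalid}
  eku=${4:-serverAuth,ipsecEndSystem}   # ipsecEndSystem = OID 1.3.6.1.5.5.7.3.5
  cfg=$(mktemp)
  cat >"$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = capf_ext
[dn]
CN = $cn
[capf_ext]
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = $eku
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" -config "$cfg" 2>/dev/null
  rm -f "$cfg"
}

# check_capf_csr CSRFILE: print each documented extension the CSR does not
# request; exit status 1 if anything is missing, 0 if the CSR is complete.
check_capf_csr() {
  text=$(openssl req -in "$1" -noout -text)
  missing=0
  old_ifs=$IFS; IFS=','
  for ext in $REQUIRED; do
    case "$text" in
      *"$ext"*) ;;
      *) echo "missing: $ext"; missing=1 ;;
    esac
  done
  IFS=$old_ifs
  return $missing
}
```

Run `make_capf_csr capf.key capf.csr && check_capf_csr capf.csr` to produce and verify a complete request; point `check_capf_csr` at the CUCM-generated CSR to see exactly which documented extensions it omits.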
06-20-2018 09:16 AM
Hello Bill,
I'm not sure if you ever got this figured out, but I actually presented a similar question to TAC yesterday on an 802.1X issue we're trying to resolve. I found two different Cisco sources that show what CAPF key usage/extended key usage need to look like, but the second source has two different combinations/options. Please see below.
CAPF Certificate Signed by CA for CUCM
CAPF CSR Attributes:
If your certificate authority does not support the ExtensionRequest mechanism, you must enable the X.509 extensions, as follows:
The CAPF CSR uses the following extensions:
This same document lists these as CSR Key Usage Extensions for CAPF: **Table 1 doesn’t have a Y on the IPSec End System**
At this point, we're just waiting to see if the cert needs the IPSec End extended key usage.
Thanks,
C.A.Q