Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1028
Views
0
Helpful
1
Replies

Problems with CAPF Certificate Extended Key Usage

billjarrett
Level 1
Level 1

‎05-31-2017 03:27 PM - edited ‎03-17-2019 10:28 AM

Hi - 

  We are having trouble issuing a signing certificate for CAPF from a Microsoft PKI environment. We have the environment built with an offline root CA which has the path length constraint set to 1. We have an enterprise subordinate CA, which would then have it's path length naturally set to zero. CAPF wants a signing certificate so it has to be issued from the root - because of the path length the enterprise subordinate cannot do it. 

  According to http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/cucos/9_1_1/CUCM_BK_C5D96C80_00_cucm-os-admin-guide-91/CUCM_BK_C5D96C80_00_cucm-os-admin-guide-91_chapter_0110.html - the requirements for a CAPF certificate are:

X509v3 extensions:X509v3 Key Usage:
Digital Signature, Key Encipherment, Certificate Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication, IPsec End System

  If we generate the CSR from the Cisco environment and then try to issue it on a non-path constrained enterprise CA and manually configure the template to include the above x509 extensions it works. However, for security reasons we do not want to allow our online subordinate CA to issue signing certificates. 

  To issue a signing cert, we want it issued from the root CA. Because our root CA is a standalone root, it does not include Microsoft templates, so it will decide on which x509 extensions to issue from the request. However, the CSR from the Cisco environment only is requesting the following extensions:

X509v3 Extended Key Usage:

TLS Web Server Authentication

X509v3 Key Usage:
Digital Signature, Certificate Sign

So, the actual CSR issued from CUCM is missing the IPSec End System extension on the request.

Does CAPF require this extension? Is the documentation incorrect, or are the CSRs being created incorrectly? Has anyone encountered this and how did you get around it?

Thanks in advance.

1 person had this problem
Labels:
0 Helpful
1 Reply 1

CAQ
Level 1
Level 1

‎06-20-2018 09:16 AM

Hello Bill,

 

I'm not sure if you ever got this figured out, but I actually presented a similar question to TAC yesterday on an 802.1X issue we're trying to resolve. I found two different Cisco sources that show what CAPF key usage/extended key usage need to look like, but the second source has two different combinations/options. Please see below.

 

CAPF Certificate Signed by CA for CUCM

CAPF CSR Attributes:

  • X509v3 Extended Key Usage: TLS Web Server Authentication, IPSec End System
  • X509v3 Key Usage: Digital Signature, Certificate Sign

 

Manage Certificates

If your certificate authority does not support the ExtensionRequest mechanism, you must enable the X.509 extensions, as follows:

The CAPF CSR uses the following extensions:

  • X509v3 Extended Key Usage: TLS Web Server Authentication, IPSec End System
  • X509v3 Key Usage: Digital Signature, Certificate Sign

This same document lists these as CSR Key Usage Extensions for CAPF: **Table 1 doesn’t have a Y on the IPSec End System**


CAPF_Table1.jpg

 

 

 

 

 

 

At this point, we're just waiting to see it the cert needs the IPSec End extended key usage.

 

Thanks,

 

C.A.Q

0 Helpful
Customers Also Viewed These Support Documents