
Signing LSCs with the CAPF

Sebastien D.
Level 1

TL;DR

Can the CallManager's CAPF sign Locally Significant Certificates (and include the certificate chain in the LSC)?

Background

Equipment

I have basic telephony set up in a lab environment I have access to at work (none of this is production). The purpose of all this is purely self-developmental. Here is the equipment I am using. The following services are virtualized on ESXi 6.5.

CallManager 11.5(1)SU4

IM and Presence 11.5(1)SU4

Prime License Manager 11.5(1)SU5 (just to enable encryption on the CUCM)

Windows Server 2016

Network Devices: 3750 w/ PoE and IOS 15.0.2

Clients: 7945G IP Phone and Windows 10 Laptop running Jabber 12.5(1)

Current State

The IM&P database is synced with the CUCM, and Jabber softphones and 7945Gs are able to register and call each other with no issue. The CUCM is LDAP synchronized to the Windows Server 2016 Active Directory, and all users are associated to a working Jabber softphone. The Windows Server Domain Controller is also running Certificate Authority Services, has signed and issued the appropriate certificates to the CUCM (CallManager, tomcat, and CAPF), and has been added as a trusted root CA for those services. Then I updated the CTL and reset all IP Phones:

admin:utils ctl update CTLFile

I wanted to enable SRTP and secure the communications from end-device to end-device so I enabled mixed mode using:

admin:utils ctl set-cluster mixed-mode

I then used the CAPF to issue LSCs to the end devices and configured a secure phone profile.

[Image: phone settings.PNG]

[Image: secure_phone_profile.PNG]

The following images show that a softphone and a 7945G were able to establish a secure channel (lock icon).

[Images: secured_call.PNG, secure_phone_photo.png]

Super! Everything is working great, and I'm learning a ton. But...

The Next Step

My original configuration for the 3750s was to authenticate attached devices with 802.1x. Windows NPS is the acting RADIUS server, and workstations/users are authenticated with auto-enrolled certificates over EAP-TLS. These devices (Windows laptops) authenticate over 802.1x without a hitch, and the certificate exchange has been observed through Wireshark on a SPANed port on the 3750. The problem I'm running into now is that the LSC issued by the CAPF to the 7945 is unsigned and does not have the attributes to support a certificate chain. Without the chain, Windows NPS does not trust the certificate received over EAP-TLS and rejects network access.

[Image: event_viewer.PNG]

View from the 3750's console:

[Image: failed_dot1x.PNG]

Here is the LSC I retrieved from the CUCM:

[Images: lsc_cert1.PNG, lsc_cert2.PNG]

As you can see, it lacks the attributes supporting a certificate chain, which is why NPS doesn't see its own CA and therefore rejects it.

To work around this, I used the following guide to sign the LSC as a "third party": Third-Party CA-Signed LSCs

Here is the LSC now after being signed by the CA, and with the right attributes to retrieve the chain:

[Images: lsc_signed1.PNG, lsc_signed2.PNG]

Now the 7945G authenticates successfully:

[Image: event_viewer_success.PNG]

While this "works," the solution is hardly scalable. It was a tedious process moving the certificate around from CUCM Web to CUCM CLI to TFTP server to CA, then back to TFTP, then to CUCM CLI, and finally to the phone again. Ideally, I see the CAPF acting as a subordinate CA, issuing and signing certificates for its users and the devices registered on the CUCM. That was the reason I followed this guide to sign the CAPF certificate with my CA: CA-Signed CAPF.

Viewed in the CA Services panel

[Image: issued_to_capf.PNG]

Here is the CAPF certificate downloaded from the CUCM

[Images: capf_issued.PNG, capf_signed.PNG]

If the CAPF is a signed subordinate certificate authority, could it not create a certificate chain for all of the certificates it issues to devices? What was the point in signing my CAPF certificate if it doesn't sign any certificates itself? Is there a configuration in the CUCM that would allow for this functionality? Am I missing the point of the CAPF? I recognize that using ACS or ISE would alleviate this EAP-TLS issue with Windows NPS, but is there a simpler solution than migrating all my AAA to a new service?

Thanks in advance. There may not be an easy fix for my use-case, but I'm looking forward to any insightful discussion.

-Sebastien

Accepted Solution

Jonathan Schulenberg
Hall of Fame

Kudos on making it this far! Mixed mode and CAPF can be intimidating to learn.

CUCM 12.5 introduces a new Online CA mode for CAPF that should do exactly what you're asking. It turns CAPF into a relay to ADCS instead of a CA of its own. The phone's CSR will be forwarded to the ADCS CA to be signed using the specified certificate template.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/rel_notes/12_5_1/cucm_b_release-notes-cucm-imp-1251/cucm_b_release-notes-cucm-imp-1251_chapter_010.html#reference_BAC0DDC63B8795D884C3D8D1400C90A4

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/12_5_1/cucm_b_security-guide-1251/cucm_b_security-guide-1251_chapter_011110.html#task_33FB14EFB706D2989EAB3654A1618754

One word of caution: be careful to get the Key Usage and Extended Key Usages correct, as well as validating that all URLs (e.g. AIA, CRL, OCSP) added by the CA are in HTTP URI format. This is not the default for ADCS and is often overlooked when setting it up. The Microsoft Press book Windows Server 2008 PKI and Certificate Security is still a great reference.

https://www.microsoftpressstore.com/store/windows-server-2008-pki-and-certificate-security-9780735640788

PS- CUCM 12.5 also introduces SIP OAuth support, currently only supported by Jabber and MRA-connected phones. I would highly suggest using OAuth for Jabber instead of CAPF since it eliminates the Windows credential roaming challenges you will have with LSCs. While OAuth tokens will likely come to IP Phones in the future - my assumption only, not a statement about Cisco’s roadmap - they are not expected to solve the 802.1x use case you appear to be exploring.

 
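Added example, not from the original thread or from Cisco: a PowerShell check for an LSC exported from the phone or CUCM (as the question's lsc_cert screenshots show), covering what the accepted answer warns about. It reports whether the certificate is self-issued (issuer equals subject), whether Key Usage and EKU fit EAP-TLS client authentication, whether the AIA and CDP extensions carry http:// URIs rather than ldap:/// ones, and whether the local machine can build the chain (run it on the NPS server so it sees the same trusted roots NPS does). The export path is an assumption.

```powershell
# Added example (not from the thread). Inspect an exported LSC for the properties
# an EAP-TLS RADIUS server (NPS here) needs before it will accept the certificate.
param(
    [string]$CertPath = "C:\temp\SEP001122334455.cer"   # assumed export path
)

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

"Subject     : $($cert.Subject)"
"Issuer      : $($cert.Issuer)"
"Self-issued : $($cert.Subject -eq $cert.Issuer)"   # true for a CAPF-only LSC with no CA above it

# 1. Key Usage must allow digitalSignature (the TLS client signs the handshake).
$ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$hasDigSig = $ku -and ($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)
"KU digitalSignature : $([bool]$hasDigSig)"

# 2. EKU must include Client Authentication (1.3.6.1.5.5.7.3.2); NPS rejects EAP-TLS clients without it.
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
"EKU clientAuth      : $([bool]$hasClientAuth)"

# 3. AIA (1.3.6.1.5.5.7.1.1) and CRL Distribution Points (2.5.29.31) should carry http:// URIs.
#    A RADIUS server cannot follow ldap:/// URIs unless it is itself domain-joined and allowed to.
foreach ($oid in '1.3.6.1.5.5.7.1.1', '2.5.29.31') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if (-not $ext) { "Extension $oid : missing (no chain/revocation pointers at all)"; continue }
    $text    = $ext.Format($true)                       # human-readable dump, one "URL=..." per line
    $urls    = [regex]::Matches($text, '(?i)\b(?:http|https|ldap|file)://\S+') | ForEach-Object { $_.Value }
    $nonHttp = @($urls | Where-Object { $_ -notmatch '^http://' })
    "Extension $oid : $(@($urls).Count) URL(s), $($nonHttp.Count) not http://"
    $urls | ForEach-Object { "    $_" }
}

# 4. Can this host build the chain up to a trusted root? Revocation is skipped here so that a
#    structural problem (missing issuer, untrusted root) is not masked by an unreachable CRL.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($cert)
"Chain builds        : $built"
$chain.ChainElements | ForEach-Object { "    element: $($_.Certificate.Subject)" }
$chain.ChainStatus   | ForEach-Object { "    status : $($_.Status) $($_.StatusInformation.Trim())" }
```

Run it twice against the two certificates the question compares: the CAPF-only LSC should show Self-issued true and no AIA/CDP, while the CA-signed one should show the enterprise CA as issuer, http:// pointers, and a chain that builds. Once the chain builds, set RevocationMode back to Online and re-run, since NPS does check revocation by default.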

10 Replies

Wow! Thank you for the in-depth reply. I'm pleased to see enough other people were interested in this functionality for Cisco to implement it. It isn't the Subordinate CA that I had imagined, but it certainly fits in my setup. I also appreciate the additional information regarding the OAuth SIP support (big thanks for including the other references too).

I will attempt the upgrade this week and post the results.

Hi Jonathan,

It sounds like you are aware of the correct configuration of the ADCS template for generating the phone certificates on the Microsoft CA.

We are actually at the beginning of implementing Cisco UC in our company. We want to use our Enterprise PKI as we will also use 802.1x authentication on the phones. Therefore it is easier to use our own CA.

Actually we are just getting the following messages in the capf log:

Enrollment rv = 22 (EST_ERR_AUTH_FAIL) with pkcs7 length = 0

est_client_enroll_csr () Failed! Could not obtain new certificate. Aborting.

Return value from enrollCertUsingEST () : 22

Do you have any idea which component may be misconfigured? We initially thought it is a bug in the software as we found a similar problem in a bug report. But we switched to a newer 12.5 release and still got this issue. 

Any help is really appreciated.

Best regards,

Tim

Off-hand guesses would be the authentication methods enabled on the IIS site/virtual folder, the username format (e.g. username vs. domain\username vs. username@domain.tld) and whether the service account CAPF is using to authenticate has permissions over that Certificate Template.

Good morning Jonathan,

I enabled Windows Authentication on the IIS site and also tested the login with the domain user ciscora from a computer connecting to our Windows CA through the IIS website.

The CAPF service account is the same user account, ciscora. We gave it full permission on our certificate template.

I do not have any idea why we are not getting certificates and cannot find anything regarding the rv = 22 failure.

Hi!

Have you ever found out what was wrong? I have the same problem now.

Thanks!

Kind regards,

Jens

Hi,

Same problem and error here.

Is there any recommendation for the certificate template (user vs. machine, applications...), because the permissions are correct.

The config guide here is a bit too generic: https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/214501-configure-automatic-certificate-enrollme.html#anc10

And the troubleshooting guide lacks explanation: https://www.cisco.com/c/en/us/support/docs/security-vpn/certificate-authority-ca/214396-troubleshooting-capf-online-ca.html

Thanks

OK, I found out what the issue was, with the help of a killer Windows CA administrator.

It is clearly not mentioned in the Cisco documentation.

When the CAPF log shows the error Enrollment rv = 22 (EST_ERR_AUTH_FAIL) with pkcs7 length = 0, this is a template issue.

Test the service account on the web page of the CA server (http://<CA IP>/certsrv), try to generate a new certificate, and you must see the template.

If not, most of the time TAC will point to a permission issue, but that's wrong here.

In fact the CES service on the CUCM, which performs the cert enrollment, is acting exactly the same way as if it were browsing the web page of the CA. This info is in the troubleshooting documentation:

[Images: Capture1.PNG, Capture2.PNG]

However, what is not said is the certificate template version.

In fact the CA web page only displays templates in version 2003, not templates in version 2008. Web page certificate enrollment on the Windows CA is the "old" way to do it, so not that much developed (normally certs are now issued using the MMC console with RPC).

That means the template to be used must be in version 2003 on the Windows CA.

But with this, it may not work for another reason: the template name.

In fact a template on a Windows CA has:

  • A Template Name
  • A Template Display Name.

These 2 names must match, otherwise it will fail.

Only with these requirements will it work, and the cert will be enrolled immediately.

I was able to cross-test almost all the scenarios, and it was the only one working.

Hope that helps!
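Added example, not from the thread or from Cisco: a PowerShell check, run on a domain-joined host with the ActiveDirectory RSAT module, of the template the CAPF Online CA will request. It tests the conditions worked out in this thread (template schema version offered by certsrv web enrollment, Template Name equal to Template Display Name, Enroll permission for the service account) and additionally the Client Authentication EKU the phone needs for 802.1x. The template name 'CiscoPhone' and the account name 'ciscora' are assumptions.

```powershell
# Added example (not from the thread). Check an ADCS certificate template for the
# requirements the CAPF Online CA (CES, which enrolls via the certsrv web pages) imposes.
param(
    [string]$TemplateName   = 'CiscoPhone',   # assumed template cn
    [string]$ServiceAccount = 'ciscora'       # assumed CAPF service account (sAMAccountName)
)

Import-Module ActiveDirectory
$cfgNC   = (Get-ADRootDSE).configurationNamingContext
$tplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"

$tpl = Get-ADObject -SearchBase $tplBase -LDAPFilter "(cn=$TemplateName)" `
         -Properties displayName, 'msPKI-Template-Schema-Version', pKIExtendedKeyUsage
if (-not $tpl) { throw "Template '$TemplateName' not found under $tplBase" }

# 1. Schema version: 1 = Windows 2000, 2 = Windows Server 2003, 3 = 2008, 4 = 2012.
#    certsrv web enrollment only offers version 1 and 2 templates, so CES never sees a v3/v4 one.
$schema = $tpl.'msPKI-Template-Schema-Version'
"Schema version    : {0} -> {1}" -f $schema, $(if ($schema -le 2) { 'OK (visible to web enrollment)' }
                                               else { 'FAIL: set Compatibility to Windows Server 2003' })

# 2. CAPF is configured with one template string; cn (Template Name) and displayName must agree.
"Name/DisplayName  : '{0}' / '{1}' -> {2}" -f $tpl.Name, $tpl.displayName,
    $(if ($tpl.Name -eq $tpl.displayName) { 'OK' } else { 'FAIL: make the display name identical to the name' })

# 3. The LSC is used for TLS to CUCM and as an EAP-TLS client cert: Client Authentication EKU.
$hasClientAuth = $tpl.pKIExtendedKeyUsage -contains '1.3.6.1.5.5.7.3.2'
"EKU clientAuth    : {0}" -f $(if ($hasClientAuth) { 'OK' } else { 'FAIL: add Client Authentication to the template' })

# 4. Enroll is the extended right with GUID 0e10c968-78fb-11d2-90d4-00c04f79dc55 on the template object.
#    Resolve the service account's SID so group-granted Enroll rights are matched as well.
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$user       = Get-ADUser -Identity $ServiceAccount
$groupSids  = @($user.SID.Value) + @((Get-ADPrincipalGroupMembership -Identity $user).SID | ForEach-Object { $_.Value })
$acl        = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"
$enrollAces = $acl.Access | Where-Object {
    $_.ObjectType -eq $enrollGuid -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
}
$granted = $enrollAces | Where-Object {
    $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $groupSids -contains $sid
}
"Enroll for {0}  : {1}" -f $ServiceAccount, $(if ($granted) { 'OK via ' + (($granted.IdentityReference.Value | Select-Object -Unique) -join ', ') }
                                                else { 'FAIL: grant Enroll on the template' })
```

The permission test is the one TAC usually points at; the first two lines of output are the ones this thread adds. The template must also be published on the issuing CA (certutil -CATemplates on the CA lists what is published), which this script does not check because it does not need to run on the CA.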

HARIS_HUSSAIN
VIP Alumni

Great work!! Keep it up.
As suggested, 12.5 has a new feature for using an Online CA.

Thanks,
Haris