
CUCM 12.5 Certificate SHA384 Support

rchaseling
Level 4

Hi,

We have a CallManager/Unity 12.5 and are signing the Tomcat and CallManager certificates & Unity Tomcat. In the CSR request we only get the options for SHA256 (or SHA1).

The company's CA only supports SHA384 and nothing lower. I'd be a bit nervous about using these.

Anyone had any experience uploading certs using SHA384 signature to CUCM 12.5?

Cheers

Accepted Solution

Per this document it supports longer hash keys than 256. Security Guide for Cisco Unified Communications Manager, Release 12.5(1)SU3 

Key Length

From the Key Length drop-down box, select one of the values.

Depending on the key length, the CSR request limits the hash algorithm choices. By having the limited hash algorithm choices, you can use a hash algorithm strength that is greater than or equal to the key length strength. For example, for a key length of 256, the supported hash algorithms are SHA256, SHA384, or SHA512. Similarly, for the key length of 384, the supported hash algorithms are SHA384 or SHA512.

Note 

Certificates with a key length value of 3072 or 4096 can only be selected for RSA certificates. These options are not available for ECDSA certificates.

Note 

Some phone models may fail to register if the RSA key length selected for the CallManager Certificate Purpose is greater than 2048. From the Unified CM Phone Feature List Report on the Cisco Unified Reporting Tool (CURT), you can check the 3072/4096 RSA key size support feature for the list of supported phone models.

Hash Algorithm

Select a value from the Hash Algorithm drop-down box to have a hash algorithm as strong as the elliptical curve key length. From the Hash Algorithm drop-down box, select one of the values.

Note 
  • The values for the Hash Algorithm field change based on the value you select in the Key Length field.

  • If your system is running on FIPS mode, it is mandatory that you select SHA256 as the hashing algorithm.

Excellent. Thanks for that! Much appreciated

Tomcat and CallManager use RSA key type certificates, which give only the options SHA1 and SHA256. For Tomcat ECDSA, if you change the key length you get the option to change the SHA to greater than 256.

I believe SHA256 is the maximum hash algorithm available for Tomcat and CallManager. Below is the screenshot from my CUCM 14.

NithinEluvathingal_0-1677978545186.png


punchy
Level 1

Same issue here. Can anyone confirm if Tomcat-ECDSA can serve as a standard Tomcat cert as well, or are both required? CA is stating they no longer support SHA256, and that appears to be all that standard Tomcat certs can use, even in CUCM V14.

Don't confuse ECDSA with the SHA algorithm. You can have a cert with SHA384 or SHA512 and not be ECDSA. I now have CUCM 12 certs all signed with SHA384 with no issues. I didn't sign the Tomcat ECDSA in the end.

I appreciate the reply! It looks like the only options on the Tomcat CSR are SHA1 or 256... are you saying that you can use SHA384 certs, even with the CSR generated with 256, or is there another change required to make that work? Seems like CUCM would reject that due to mismatch, but maybe not...? Thanks again!

Just wanted to follow up on this and hopefully confirm. Did you generate the CSR with 256 (since that's the highest option for standard Tomcat) and then apply the cert signed with 384? Want to be sure I'm understanding that, as I was told by TAC that they have to be 256...

Yes, generated as 256 but the CA signed them as 384 and all good. As per above:

"For example, for a key length of 256, the supported hash algorithms are SHA256, SHA384, or SHA512. Similarly, for the key length of 384, the supported hash algorithms are SHA384 or SHA512"


I appreciate your reply, but it looks like that information is for ECDSA. I see where the options change based on the key length for those, but standard Tomcat allows minimum 1024 key length and only SHA1 or 256 regardless of the key length chosen. When you say you generated them as 256, I'm assuming that was the hash algorithm, not the key length, correct, or am I missing something? Thanks again
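As a worked check of what rchaseling reports above (CSR generated with SHA256, certificate signed by the CA with SHA384), here is an added openssl example; it is not code from the thread or from Cisco. It assumes openssl 1.1.1 or later on PATH, and the CA, file names and hostname are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco. Shows that the hash
# used to self-sign a CSR (SHA256, the highest choice the RSA Tomcat CSR form
# offers) does not constrain the hash the CA uses on the issued certificate.
# Assumes openssl 1.1.1+ on PATH; CA name and hostname are placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway stand-in for the company CA whose policy is "sign with SHA384 only".
openssl req -x509 -newkey rsa:2048 -nodes -sha384 -days 1 \
  -subj "/CN=Example Corporate CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# The CUCM-style CSR: RSA 2048 key, CSR self-signature made with SHA256.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=cucm-pub.example.test" \
  -keyout "$WORK/tomcat.key" -out "$WORK/tomcat.csr" >/dev/null 2>&1

# The CA signs the certificate with SHA384; the CSR's own hash plays no part.
openssl x509 -req -sha384 -days 1 -in "$WORK/tomcat.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/tomcat.crt" >/dev/null 2>&1

# Print the signature algorithm of a CSR ("req") or certificate ("x509").
sig_alg() {
  openssl "$1" -in "$2" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

csr_alg=$(sig_alg req "$WORK/tomcat.csr")   # sha256WithRSAEncryption
crt_alg=$(sig_alg x509 "$WORK/tomcat.crt")  # sha384WithRSAEncryption

# What the upload really depends on: the issued cert must carry the same public
# key as the CSR (so it pairs with the server's private key) and must chain to
# the CA certificate that was uploaded as the trust cert.
csr_pub=$(openssl req -in "$WORK/tomcat.csr" -noout -pubkey)
crt_pub=$(openssl x509 -in "$WORK/tomcat.crt" -noout -pubkey)
[ "$csr_pub" = "$crt_pub" ] && key_match=yes || key_match=no
openssl verify -CAfile "$WORK/ca.crt" "$WORK/tomcat.crt" >/dev/null && chain_ok=yes || chain_ok=no

echo "CSR signature:  $csr_alg"
echo "Cert signature: $crt_alg"
echo "Public key matches CSR: $key_match; chains to CA: $chain_ok"
```

The CSR's own signature is only a proof of possession over the request; the CA chooses the hash for the certificate signature, which is why a SHA256 CSR can legitimately yield a SHA384-signed certificate.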