03-03-2023 08:18 AM
Hi,
We have CallManager/Unity 12.5 and are signing the Tomcat and CallManager certificates, plus the Unity Tomcat certificate. In the CSR request we only get the options for SHA256 (or SHA1).
The company's CA only supports SHA384 and nothing lower. I'd be a bit nervous about using these.
Anyone had any experience uploading certs using SHA384 signature to CUCM 12.5?
Cheers
03-03-2023 11:54 AM
Per this document, it supports hash keys longer than 256: Security Guide for Cisco Unified Communications Manager, Release 12.5(1)SU3

Key Length:
From the Key Length drop-down box, select one of the values. Depending on the key length, the CSR request limits the hash algorithm choices. By having the limited hash algorithm choices, you can use a hash algorithm strength that is greater than or equal to the key length strength. For example, for a key length of 256, the supported hash algorithms are SHA256, SHA384, or SHA512. Similarly, for the key length of 384, the supported hash algorithms are SHA384 or SHA512.

Hash Algorithm:
Select a value from the Hash Algorithm drop-down box to have a stronger hash algorithm than the elliptical curve key length. From the Hash Algorithm drop-down box, select one of the values.
03-06-2023 01:31 AM
Excellent. Thanks for that! Much appreciated
03-04-2023 05:09 PM
Tomcat and CallManager use RSA-type certificates, which give only the options SHA1 and SHA256. For Tomcat ECDSA, if you change the key length you get the option to choose a SHA greater than 256.
I believe SHA256 is the maximum hash algorithm available for Tomcat and CallManager. Below is the screenshot from my CUCM 14.
03-30-2023 11:56 AM
Same issue here. Can anyone confirm if Tomcat-ECDSA can serve as a standard Tomcat cert as well, or are both required? CA is stating they no longer support SHA256, and that appears to be all that standard Tomcat certs can use, even in CUCM V14.
03-30-2023 09:23 PM
Don't confuse ECDSA with the SHA algorithm. You can have a cert with SHA384 or SHA512 and not be ECDSA. I now have CUCM 12 certs all signed with SHA384 with no issues. I didn't sign the Tomcat ECDSA in the end.
03-31-2023 06:06 AM
I appreciate the reply! It looks like the only options on the Tomcat CSR are SHA 1 or 256...are you saying that you can use SHA384 certs, even with the CSR generated with 256, or is there another change required to make that work? Seems like CUCM would reject that due to mismatch, but maybe not...? Thanks again!
04-25-2023 12:21 PM
Just wanted to follow up on this and hopefully confirm. Did you generate the CSR with 256 (since that's the highest option for standard tomcat) and then apply the cert signed with 384? Want to be sure I'm understanding that, as I was told by TAC that they have to be 256...
04-25-2023 01:13 PM
Yes, generated as 256, but the CA signed them as 384 and all good. As per above:
"For example, for a key length of 256, the supported hash algorithms are SHA256, SHA384, or SHA512. Similarly, for the key length of 384, the supported hash algorithms are SHA384 or SHA512."
04-25-2023 01:56 PM
I appreciate your reply, but it looks like that information is for ECDSA. I see where the options change based on the key length for those, but standard Tomcat allows a minimum 1024 key length and only SHA1 or 256 regardless of the key length chosen. When you say you generated them as 256, I'm assuming that was the hash algorithm, not the key length, correct, or am I missing something? Thanks again.
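The point the last few posts circle around (the hash picked when the CSR is generated versus the hash the CA uses on the issued certificate) can be shown with plain OpenSSL. This is an added example, not from any poster or from Cisco; it stands in an RSA CSR self-signed with SHA-256 for the CUCM Tomcat CSR, and a throwaway self-signed root for the enterprise CA. The subject names are made up.

```shell
#!/bin/sh
# Added example: the CSR's own signature hash (SHA-256) and the hash the CA uses
# to sign the certificate (SHA-384) are independent choices. Everything is
# generated in a temp dir; no real CUCM or CA is involved.
set -eu

demo_csr_vs_cert_hash() {
    work=$(mktemp -d)

    # Stand-in enterprise CA whose issuance policy is "SHA-384 only".
    openssl req -x509 -newkey rsa:2048 -nodes -sha384 -days 1 \
        -subj "/CN=Example Enterprise CA" \
        -keyout "$work/ca.key" -out "$work/ca.crt" >/dev/null 2>&1

    # Stand-in for the CUCM Tomcat (RSA) CSR: the request itself is
    # self-signed with SHA-256, the highest hash the RSA CSR form offers.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=cucm-pub.example.internal" \
        -keyout "$work/tomcat.key" -out "$work/tomcat.csr" >/dev/null 2>&1

    # The CA signs with SHA-384. It never consults the CSR's hash for this;
    # it only needs the public key and subject carried in the request.
    openssl x509 -req -sha384 -days 1 -in "$work/tomcat.csr" \
        -CA "$work/ca.crt" -CAkey "$work/ca.key" -CAcreateserial \
        -out "$work/tomcat.crt" >/dev/null 2>&1

    # Checks a practitioner would run before uploading to the server:
    # 1) the issued cert chains to the CA,
    openssl verify -CAfile "$work/ca.crt" "$work/tomcat.crt" >/dev/null 2>&1
    # 2) the cert still matches the private key created with the CSR.
    key_mod=$(openssl rsa -in "$work/tomcat.key" -noout -modulus)
    cert_mod=$(openssl x509 -in "$work/tomcat.crt" -noout -modulus)
    [ "$key_mod" = "$cert_mod" ]

    # Report both signature algorithms: CSR vs issued certificate.
    csr_alg=$(openssl req -in "$work/tomcat.csr" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    cert_alg=$(openssl x509 -in "$work/tomcat.crt" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)

    rm -rf "$work"
    printf 'csr=%s cert=%s\n' "$csr_alg" "$cert_alg"
}

demo_csr_vs_cert_hash
```

The mismatch between CSR hash and certificate hash is normal: the CSR hash only protects the request in transit to the CA, while the certificate's signature algorithm is whatever the CA's policy dictates.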