03-07-2023 04:52 AM - edited 03-07-2023 04:53 AM
Hi,
Upgrading to Expressway 14.2 and I believe getting the CUCM Tomcat-ECDSA cert signed by our Internal CA is a pre-req.
I've created the CSR and got it signed by our CA but when I go to upload our CA Root/Issuing certs to the Tomcat-ECDSA Trust Store I get the attached error
The strange thing is CUCM lets me upload the actual Tomcat-ECDSA signed certificate - the certificate signed is not EC, which brings me to 2 questions:
1. Will we need to deploy a new PKI infrastructure that supports EC?
2. I assume uploading a Tomcat-ECDSA cert that doesn't support EC will cause problems? (I went back to self-signed during the window.)
Anyone have any feedback on signing the tomcat-ECDSA cert?
Thanks
03-07-2023 05:11 AM - edited 03-07-2023 06:44 PM
Tomcat-ECDSA is an EC certificate. If you signed the certificate with the same CA that signed the Expressway CSR, you don't need to upload anything to the Expressway trust store.
If your CA doesn't support EC, AFAIK it should throw you an error.
As a workaround, you can disable this requirement from the CLI using
xConfiguration EdgeConfigServer VerifyOriginServer: Off
I hope this guide will help you https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/218018-troubleshoot-expressway-traffic-server-c.html
03-07-2023 05:21 AM
You cannot sign an EC certificate with an RSA cert template.
For EC certificates, you need a different cert template in your CA. Check the documentation of your CA for that, as this has nothing to do with Cisco in the first place.
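A certificate carries two algorithms that are easy to confuse when reading an error like the one in the original post: the subject public key algorithm (which is what "is this an EC cert" really asks) and the signature algorithm (which only tells you what key the issuing CA used). The script below is an added example, not code from this thread or from Cisco. It builds a throwaway P-256 CSR plus two scratch CAs (one RSA, one EC), signs the CSR with each using plain OpenSSL, and reports both algorithms for the resulting certificates along with whether each one chains to the CA it names. OpenSSL has no notion of a certificate template, so both combinations succeed here; whether an enterprise CA template permits an EC key is the CA-side policy question the reply above points at. It assumes the `openssl` CLI (1.1.1 or 3.x) is on PATH; the hostname, CA names and files are all made up and live in a scratch directory.

```shell
#!/bin/sh
# Added example: inspect key algorithm vs signature algorithm of signed certs.
# Assumes the openssl CLI (1.1.1+). All material below is scratch test data.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the leaf EC (P-256) key and CSR, the way a Tomcat-ECDSA CSR is built.
# The CN is a made-up hostname.
make_ec_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/leaf.key" 2>/dev/null
  openssl req -new -key "$WORK/leaf.key" -subj "/CN=cucm.example.test" \
    -out "$WORK/leaf.csr" 2>/dev/null
}

# Build a self-signed scratch CA; $1 = name, $2 = "rsa" or "ec".
# basicConstraints/keyUsage are set explicitly so `openssl verify` accepts it as a CA.
make_ca() {
  if [ "$2" = rsa ]; then
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  else
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key" 2>/dev/null
  fi
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Sign the leaf CSR with CA $1, producing $WORK/leaf-by-$1.crt.
sign_with() {
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf-by-$1.crt" 2>/dev/null
}

# Subject public key algorithm of a CSR (id-ecPublicKey or rsaEncryption).
csr_pubkey_algo() {
  openssl req -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p' | head -n1
}

# Subject public key algorithm of a certificate (id-ecPublicKey or rsaEncryption).
pubkey_algo() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p' | head -n1
}

# Signature algorithm of a certificate (e.g. sha256WithRSAEncryption, ecdsa-with-SHA256).
sig_algo() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n1
}

# Does certificate $1 chain to scratch CA $2? Prints "ok" or "fail".
chains_to() {
  if openssl verify -CAfile "$WORK/$2.crt" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Generate everything and print a one-line summary per issuing CA.
run_demo() {
  make_ec_csr
  make_ca rsa-ca rsa
  make_ca ec-ca ec
  sign_with rsa-ca
  sign_with ec-ca
  echo "csr key: $(csr_pubkey_algo "$WORK/leaf.csr")"
  for ca in rsa-ca ec-ca; do
    crt="$WORK/leaf-by-$ca.crt"
    echo "$ca: key=$(pubkey_algo "$crt") sig=$(sig_algo "$crt") chain=$(chains_to "$crt" "$ca")"
  done
}

run_demo
```

The point to take from the output is that the key algorithm of the signed certificate always comes from the CSR, while the signature algorithm comes from the CA. So if the certificate your CA handed back has an RSA public key, the CA did not sign the EC CSR you generated: it re-keyed or substituted the request (a template restriction is the usual cause), and that is what to check on the CA side before touching the Expressway trust store.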
03-07-2023 09:53 AM - edited 03-07-2023 09:53 AM
In the release notes for X14.2.5 there is a part where a change to the cipher configuration is outlined to favour use of RSA-signed certificates. Making that change in the configuration of the Expressways will let you forgo anything related to EC certificates. We did this on our MRA and also our B2B Expressway infrastructure in the past weeks and it's working like a charm.
03-07-2023 10:16 PM
To add details to my previous response, this is the part of the release note that I referenced.
ECDSA certificates are preferred over RSA.
Important: The following points list the various upgrade path(s) that are mandatory for upgrading ciphers.
And this is the cipher string that we ended up having on all variants.
ECDHE-RSA-AES256-GCM-SHA384:EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL:!aDH
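An OpenSSL-style cipher string like the one above is a set expression, not a list, so it is worth expanding it into the concrete suites it allows before pushing it to an appliance. The script below is an added example, not code from this thread or from Cisco. It expands the string exactly as posted with `openssl ciphers -v`, shows which suite OpenSSL would offer first, counts anything the string is supposed to have excluded (3DES, MD5, RC4, NULL and anonymous suites, plus AES-256-CBC with SHA-1, which the `-AES256+SHA` term removes), and counts how many of the remaining suites provide forward secrecy. It assumes the `openssl` CLI (1.1.1 or 3.x) on PATH; the TLS 1.3 suites that OpenSSL 1.1.1+ prepends to every expansion are filtered out because a cipher string only governs TLS 1.2 and below.

```shell
#!/bin/sh
# Added example: expand and sanity-check an OpenSSL cipher string offline.
# Assumes the openssl CLI (1.1.1 or 3.x). No network access is needed.
set -eu

# The cipher string exactly as posted in the thread.
CIPHER_STRING='ECDHE-RSA-AES256-GCM-SHA384:EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL:!aDH'

# Expand the string into one "NAME PROTO Kx=.. Au=.. Enc=.. Mac=.." line per suite.
# The TLS 1.3 suites (TLS_*) that newer OpenSSL always prepends are dropped,
# since the cipher string does not control them.
expand_tls12() {
  openssl ciphers -v "$1" | grep -v '^TLS_'
}

# The first TLS 1.2 suite OpenSSL would offer with this string.
first_suite() {
  expand_tls12 "$1" | head -n1 | awk '{print $1}'
}

# Number of suites that should have been excluded by the string's "!" and "-" terms.
weak_count() {
  expand_tls12 "$1" \
    | grep -c -E 'Enc=3DES|Mac=MD5|Enc=RC4|Enc=None|Au=None|Enc=AES\(256\) +Mac=SHA1' \
    || true
}

# Number of suites with an ephemeral (forward-secret) key exchange.
pfs_count() {
  expand_tls12 "$1" | grep -c -E 'Kx=(ECDH|DH)' || true
}

expand_tls12 "$CIPHER_STRING"
echo "first suite:           $(first_suite "$CIPHER_STRING")"
echo "weak suites left:      $(weak_count "$CIPHER_STRING")"
echo "forward-secret suites: $(pfs_count "$CIPHER_STRING") of $(expand_tls12 "$CIPHER_STRING" | wc -l)"
```

Note that `HIGH` still admits static-RSA key exchange (`Kx=RSA`) suites such as AES256-GCM-SHA384, which is why the forward-secret count is lower than the total; the explicit ECDHE-RSA entry at the front of the string only fixes the preferred suite, it does not remove the non-PFS ones. If that matters for your deployment, the expansion is where you would see it.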