cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5133
Views
11
Helpful
4
Replies

CUCM Tomcat-ECDSA Certificate

rchaseling
Level 4
Level 4

Hi,

Upgrading to Expressway 14.2 and I believe getting the CUCM Tomcat-ECDSA cert signed by our Internal CA is a pre-req.

I've created the CSR and got it signed by our CA but when I go to upload our CA Root/Issuing certs to the Tomcat-ECDSA Trust Store I get the attached error

The strange thing is CUCM lets me upload the actual Tomcat-ECDSA signed certificate - the certificate signed is not EC which brings me to 2 questions

1. Will we need to deploy a new PKI infrastructure that supports EC?

2. Assume uploading a Tomcat-ECDSA cert that doesn't support EC will cause problems?  (I went back to self signed during window)

Anyone have any feedback on signing the tomcat-ECDSA cert?

Thanks

rchaseling_0-1678193492099.png

 

2 Accepted Solutions

Accepted Solutions

Tomcat ecdsa is EC certificate. If you signed the certificate with the same ca who signed expressway csr you don’t need to upload anything to expressway trust store.

If your ca doesn’t support ec AFAIK it should through you some  error. 

As a work around You can disable this requirement  from cli using 

xConfiguration EdgeConfigServer VerifyOriginServer: Off
 

I hope this guide will help you https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/218018-troubleshoot-expressway-traffic-server-c.html



Response Signature


View solution in original post

To add details to my previous response, this is the part of the release note that I referenced.

Cipher Preferences - ECDSA Cipher Preference Over RSA

ECDSA certificates are preferred over RSA.

RogerKallberg_0-1678255933249.gif

 


Important

The following points lists the various upgrade path(s) that are mandatory for upgrading ciphers.

  1. When upgrading from version lower than 14.0 to 14.2, the ECDSA would be preferred. If you prefer RSA certificates over ECDSA, then prefix the cipher string with "ECDHE-RSA-AES256-GCM-SHA384:" using either Web User Interface (Maintenance > Security > Ciphers) or CLI command (xConfiguration Ciphers).

  2. When upgrading from version equal or higher than 14.0 to 14.2 or higher version, you have appended "ECDHE-RSA-AES256-GCM-SHA384:" to the default Ciphers List to prefer RSA certificates over ECDSA. If you prefer ECDSA certificates over RSA, then remove "ECDHE-RSA-AES256-GCM-SHA384:" from the cipher string using Web User Interface (Maintenance > Security > Ciphers) or CLI command (xConfiguration Ciphers).

  3. Any customer has a fresh install X14.2 image, ECDSA is being preferred. If you prefer RSA certificates over ECDSA, then prefix the cipher string with “ECDHE-RSA-AES256-GCM-SHA384:” using either Web User Interface (Maintenance > Security > Ciphers) or CLI command (xConfiguration Ciphers).


And this is the cipher string that we ended up with having on all variants.

ECDHE-RSA-AES256-GCM-SHA384:EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL:!aDH



Response Signature


View solution in original post

4 Replies 4

Tomcat ecdsa is EC certificate. If you signed the certificate with the same ca who signed expressway csr you don’t need to upload anything to expressway trust store.

If your ca doesn’t support ec AFAIK it should through you some  error. 

As a work around You can disable this requirement  from cli using 

xConfiguration EdgeConfigServer VerifyOriginServer: Off
 

I hope this guide will help you https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/218018-troubleshoot-expressway-traffic-server-c.html



Response Signature


b.winter
VIP
VIP

You cannot sign a EC certificate with an RSA cert template.
For EC certificates, you need a different cert template in your CA. Check the documenation of your CA for that, as this has nothing to do with Cisco in the first place.

In the release notes for X14.2.5 there is a part where a change to the cipher configuration is outlined to favour use of RSA signed certificates. Making that change in configuration in the Expressways will let you forgo anything related to EC certificates. We did this on our MRA and also B2B Expressway infrastructure the past weeks and it’s working as a charm.



Response Signature


To add details to my previous response, this is the part of the release note that I referenced.

Cipher Preferences - ECDSA Cipher Preference Over RSA

ECDSA certificates are preferred over RSA.

RogerKallberg_0-1678255933249.gif

 


Important

The following points lists the various upgrade path(s) that are mandatory for upgrading ciphers.

  1. When upgrading from version lower than 14.0 to 14.2, the ECDSA would be preferred. If you prefer RSA certificates over ECDSA, then prefix the cipher string with "ECDHE-RSA-AES256-GCM-SHA384:" using either Web User Interface (Maintenance > Security > Ciphers) or CLI command (xConfiguration Ciphers).

  2. When upgrading from version equal or higher than 14.0 to 14.2 or higher version, you have appended "ECDHE-RSA-AES256-GCM-SHA384:" to the default Ciphers List to prefer RSA certificates over ECDSA. If you prefer ECDSA certificates over RSA, then remove "ECDHE-RSA-AES256-GCM-SHA384:" from the cipher string using Web User Interface (Maintenance > Security > Ciphers) or CLI command (xConfiguration Ciphers).

  3. Any customer has a fresh install X14.2 image, ECDSA is being preferred. If you prefer RSA certificates over ECDSA, then prefix the cipher string with “ECDHE-RSA-AES256-GCM-SHA384:” using either Web User Interface (Maintenance > Security > Ciphers) or CLI command (xConfiguration Ciphers).


And this is the cipher string that we ended up with having on all variants.

ECDHE-RSA-AES256-GCM-SHA384:EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL:!aDH



Response Signature