03-07-2023 04:52 AM - edited 03-07-2023 04:53 AM
Hi,
Upgrading to Expressway 14.2 and I believe getting the CUCM Tomcat-ECDSA cert signed by our Internal CA is a pre-req.
I've created the CSR and got it signed by our CA but when I go to upload our CA Root/Issuing certs to the Tomcat-ECDSA Trust Store I get the attached error
The strange thing is CUCM lets me upload the actual Tomcat-ECDSA signed certificate; the certificate signed is not EC, which brings me to 2 questions:
1. Will we need to deploy a new PKI infrastructure that supports EC?
2. Assume uploading a Tomcat-ECDSA cert that doesn't support EC will cause problems? (I went back to self signed during window)
Anyone have any feedback on signing the tomcat-ECDSA cert?
Thanks
03-07-2023 05:11 AM - edited 03-07-2023 06:44 PM
Tomcat ECDSA is an EC certificate. If you signed the certificate with the same CA that signed the Expressway CSR, you don't need to upload anything to the Expressway trust store.
If your CA doesn't support EC, AFAIK it should throw you some error.
As a workaround you can disable this requirement from the CLI using
xConfiguration EdgeConfigServer VerifyOriginServer: Off
I hope this guide will help you https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/218018-troubleshoot-expressway-traffic-server-c.html
03-07-2023 05:21 AM
You cannot sign an EC certificate with an RSA cert template.
For EC certificates, you need a different cert template in your CA. Check the documentation of your CA for that, as this has nothing to do with Cisco in the first place.
03-07-2023 09:53 AM - edited 03-07-2023 09:53 AM
In the release notes for X14.2.5 there is a part where a change to the cipher configuration is outlined to favour use of RSA signed certificates. Making that change in configuration in the Expressways will let you forgo anything related to EC certificates. We did this on our MRA and also B2B Expressway infrastructure the past weeks and it's working like a charm.
03-07-2023 10:16 PM
To add details to my previous response, this is the part of the release note that I referenced.
ECDSA certificates are preferred over RSA.
Important: The following points list the various upgrade path(s) that are mandatory for upgrading ciphers.
And this is the cipher string that we ended up having on all variants.
ECDHE-RSA-AES256-GCM-SHA384:EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL:!aDH
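The cipher string quoted above can be checked locally to see which suites it actually enables, in what order, and which certificate key type (RSA or ECDSA) each suite authenticates with, using Python's ssl module. This is an added example, not code from the thread or from Cisco; it assumes a Python build linked against OpenSSL 1.1.1 or later.

```python
import ssl
from collections import Counter

# The Expressway cipher string quoted in the post above.
EXPRESSWAY_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:EECDH:EDH:HIGH:-AES256+SHA:"
    "!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL:!aDH"
)


def resolve_suites(cipher_string):
    """Expand an OpenSSL cipher string into the ordered list of TLS 1.2
    (and older) suites the local OpenSSL build would offer. TLS 1.3
    suites are configured separately in OpenSSL and are not governed by
    this string, so they are filtered out of the result."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def suite_names(cipher_string):
    return [c["name"] for c in resolve_suites(cipher_string)]


def auth_breakdown(cipher_string):
    """Count suites by the key type they authenticate with ('auth-rsa',
    'auth-ecdsa', ...). This decides whether the server's RSA or ECDSA
    certificate can be selected for a given suite."""
    return Counter(c["auth"] for c in resolve_suites(cipher_string))


def weak_suites_present(cipher_string):
    """Return any surviving suite of a kind the '!' clauses are meant to
    exclude (3DES, RC4, MD5, NULL, anonymous, PSK). Expected: empty."""
    bad = ("3DES", "DES-CBC3", "RC4", "MD5", "NULL", "ADH", "AECDH", "PSK")
    return [n for n in suite_names(cipher_string) if any(b in n for b in bad)]


if __name__ == "__main__":
    names = suite_names(EXPRESSWAY_CIPHERS)
    print(f"{len(names)} TLS<=1.2 suites; first offered: {names[0]}")
    for auth, count in sorted(auth_breakdown(EXPRESSWAY_CIPHERS).items()):
        print(f"  {auth:12s} {count}")
    print("weak suites still present:", weak_suites_present(EXPRESSWAY_CIPHERS))
```

The first suite offered is the RSA-authenticated one named at the head of the string, while the EECDH and HIGH aliases still keep ECDSA-authenticated suites in the list further down.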
02-24-2025 07:35 AM
I am a little behind and am getting ready to upgrade from x12.6.4 to x14.3.6, and the more I research the more questions I have. Call Manager, IM&Presence and Unity all connect through MRA. I have the Call Manager, Call Manager ECDSA, Tomcat & Tomcat ECDSA all CA signed. On IM&P & Unity the RSA certs are CA signed but the ECDSA are not. Will I need CA certs for the ECDSA on Unity and IM&P also? On IM&P do I need the cups edca? Do I need to upload the actual certificate for all of these or just my intermediate and root? All are signed by the same CA.
02-24-2025 11:55 AM
From what I know there is no 14.3 release. It’s 14.0 with SU releases. You do not need to sign the EC certificates. These are used for internal communications. For information about the other certificates please see this document. Cisco UC Certificates Renewal Guide