Buy or Renew
Buy or Renew
WebexOne 2023 | October 24-26 in Anaheim, CA Technical training and labs. Save 50% with code: WX1TRAIN50
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1041
Views
8
Helpful
4
Replies

CUCM Tomcat-ECDSA Certificate

Go to solution
rchaseling
Enthusiast
Enthusiast

‎03-07-2023 04:52 AM - edited ‎03-07-2023 04:53 AM

Hi,

Upgrading to Expressway 14.2 and I believe getting the CUCM Tomcat-ECDSA cert signed by our Internal CA is a pre-req.

I've created the CSR and got it signed by our CA but when I go to upload our CA Root/Issuing certs to the Tomcat-ECDSA Trust Store I get the attached error

The strange thing is CUCM lets me upload the actual Tomcat-ECDSA signed certificate - the certificate signed is not EC which brings me to 2 questions

1. Will we need to deploy a new PKI infrastructure that supports EC?

2. Assume uploading a Tomcat-ECDSA cert that doesn't support EC will cause problems?  (I went back to self signed during window)

Anyone have any feedback on signing the tomcat-ECDSA cert?

Thanks

rchaseling_0-1678193492099.png

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Nithin Eluvathingal
VIP Mentor VIP Mentor
VIP Mentor

‎03-07-2023 05:11 AM - edited ‎03-07-2023 06:44 PM

Tomcat ecdsa is EC certificate. If you signed the certificate with the same ca who signed expressway csr you don’t need to upload anything to expressway trust store.

If your ca doesn’t support ec AFAIK it should through you some  error. 

As a work around You can disable this requirement  from cli using 

xConfiguration EdgeConfigServer VerifyOriginServer: Off
 

I hope this guide will help you https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/218018-troubleshoot-expressway-traffic-server-c.html



Response Signature


View solution in original post

Go to solution
Roger Kallberg
VIP Expert VIP Expert
VIP Expert

‎03-07-2023 10:16 PM

To add details to my previous response, this is the part of the release note that I referenced.

Cipher Preferences - ECDSA Cipher Preference Over RSA

ECDSA certificates are preferred over RSA.

RogerKallberg_0-1678255933249.gif

 


Important

The following points lists the various upgrade path(s) that are mandatory for upgrading ciphers.

  1. When upgrading from version lower than 14.0 to 14.2, the ECDSA would be preferred. If you prefer RSA certificates over ECDSA, then prefix the cipher string with "ECDHE-RSA-AES256-GCM-SHA384:" using either Web User Interface (Maintenance > Security > Ciphers) or CLI command (xConfiguration Ciphers).

  2. When upgrading from version equal or higher than 14.0 to 14.2 or higher version, you have appended "ECDHE-RSA-AES256-GCM-SHA384:" to the default Ciphers List to prefer RSA certificates over ECDSA. If you prefer ECDSA certificates over RSA, then remove "ECDHE-RSA-AES256-GCM-SHA384:" from the cipher string using Web User Interface (Maintenance > Security > Ciphers) or CLI command (xConfiguration Ciphers).

  3. Any customer has a fresh install X14.2 image, ECDSA is being preferred. If you prefer RSA certificates over ECDSA, then prefix the cipher string with “ECDHE-RSA-AES256-GCM-SHA384:” using either Web User Interface (Maintenance > Security > Ciphers) or CLI command (xConfiguration Ciphers).

And this is the cipher string that we ended up with having on all variants.

ECDHE-RSA-AES256-GCM-SHA384:EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL:!aDH



Response Signature


View solution in original post

4 Replies 4

Go to solution
Nithin Eluvathingal
VIP Mentor VIP Mentor
VIP Mentor

‎03-07-2023 05:11 AM - edited ‎03-07-2023 06:44 PM

Tomcat ecdsa is EC certificate. If you signed the certificate with the same ca who signed expressway csr you don’t need to upload anything to expressway trust store.

If your ca doesn’t support ec AFAIK it should through you some  error. 

As a work around You can disable this requirement  from cli using 

xConfiguration EdgeConfigServer VerifyOriginServer: Off
 

I hope this guide will help you https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/218018-troubleshoot-expressway-traffic-server-c.html



Response Signature


Go to solution
b.winter
VIP Advisor VIP Advisor
VIP Advisor

‎03-07-2023 05:21 AM

You cannot sign a EC certificate with an RSA cert template.
For EC certificates, you need a different cert template in your CA. Check the documenation of your CA for that, as this has nothing to do with Cisco in the first place.

Go to solution
Roger Kallberg
VIP Expert VIP Expert
VIP Expert

‎03-07-2023 09:53 AM - edited ‎03-07-2023 09:53 AM

In the release notes for X14.2.5 there is a part where a change to the cipher configuration is outlined to favour use of RSA signed certificates. Making that change in configuration in the Expressways will let you forgo anything related to EC certificates. We did this on our MRA and also B2B Expressway infrastructure the past weeks and it’s working as a charm.



Response Signature


Go to solution
Roger Kallberg
VIP Expert VIP Expert
VIP Expert

‎03-07-2023 10:16 PM

To add details to my previous response, this is the part of the release note that I referenced.

Cipher Preferences - ECDSA Cipher Preference Over RSA

ECDSA certificates are preferred over RSA.

RogerKallberg_0-1678255933249.gif

 


Important

The following points lists the various upgrade path(s) that are mandatory for upgrading ciphers.

  1. When upgrading from version lower than 14.0 to 14.2, the ECDSA would be preferred. If you prefer RSA certificates over ECDSA, then prefix the cipher string with "ECDHE-RSA-AES256-GCM-SHA384:" using either Web User Interface (Maintenance > Security > Ciphers) or CLI command (xConfiguration Ciphers).

  2. When upgrading from version equal or higher than 14.0 to 14.2 or higher version, you have appended "ECDHE-RSA-AES256-GCM-SHA384:" to the default Ciphers List to prefer RSA certificates over ECDSA. If you prefer ECDSA certificates over RSA, then remove "ECDHE-RSA-AES256-GCM-SHA384:" from the cipher string using Web User Interface (Maintenance > Security > Ciphers) or CLI command (xConfiguration Ciphers).

  3. Any customer has a fresh install X14.2 image, ECDSA is being preferred. If you prefer RSA certificates over ECDSA, then prefix the cipher string with “ECDHE-RSA-AES256-GCM-SHA384:” using either Web User Interface (Maintenance > Security > Ciphers) or CLI command (xConfiguration Ciphers).

And this is the cipher string that we ended up with having on all variants.

ECDHE-RSA-AES256-GCM-SHA384:EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL:!aDH



Response Signature


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents