Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8095
Views
13
Helpful
6
Replies

CUCM Tomcat-ECDSA Certificate

Go to solution
rchaseling
Level 4
Level 4

‎03-07-2023 04:52 AM - edited ‎03-07-2023 04:53 AM

Hi,

Upgrading to Expressway 14.2 and I believe getting the CUCM Tomcat-ECDSA cert signed by our Internal CA is a pre-req.

I've created the CSR and got it signed by our CA but when I go to upload our CA Root/Issuing certs to the Tomcat-ECDSA Trust Store I get the attached error

The strange thing is CUCM lets me upload the actual Tomcat-ECDSA signed certificate - the certificate signed is not EC which brings me to 2 questions

1. Will we need to deploy a new PKI infrastructure that supports EC?

2. Assume uploading a Tomcat-ECDSA cert that doesn't support EC will cause problems?  (I went back to self signed during window)

Anyone have any feedback on signing the tomcat-ECDSA cert?

Thanks

rchaseling_0-1678193492099.png

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Nithin Eluvathingal
VIP
VIP

‎03-07-2023 05:11 AM - edited ‎03-07-2023 06:44 PM

Tomcat ecdsa is EC certificate. If you signed the certificate with the same ca who signed expressway csr you don’t need to upload anything to expressway trust store.

If your ca doesn’t support ec AFAIK it should through you some  error. 

As a work around You can disable this requirement  from cli using 

xConfiguration EdgeConfigServer VerifyOriginServer: Off
 

I hope this guide will help you https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/218018-troubleshoot-expressway-traffic-server-c.html



Response Signature


View solution in original post

Go to solution
Roger Kallberg
VIP
VIP

‎03-07-2023 10:16 PM

To add details to my previous response, this is the part of the release note that I referenced.

Cipher Preferences - ECDSA Cipher Preference Over RSA

ECDSA certificates are preferred over RSA.

RogerKallberg_0-1678255933249.gif

 


Important

The following points lists the various upgrade path(s) that are mandatory for upgrading ciphers.

  1. When upgrading from version lower than 14.0 to 14.2, the ECDSA would be preferred. If you prefer RSA certificates over ECDSA, then prefix the cipher string with "ECDHE-RSA-AES256-GCM-SHA384:" using either Web User Interface (Maintenance > Security > Ciphers) or CLI command (xConfiguration Ciphers).

  2. When upgrading from version equal or higher than 14.0 to 14.2 or higher version, you have appended "ECDHE-RSA-AES256-GCM-SHA384:" to the default Ciphers List to prefer RSA certificates over ECDSA. If you prefer ECDSA certificates over RSA, then remove "ECDHE-RSA-AES256-GCM-SHA384:" from the cipher string using Web User Interface (Maintenance > Security > Ciphers) or CLI command (xConfiguration Ciphers).

  3. Any customer has a fresh install X14.2 image, ECDSA is being preferred. If you prefer RSA certificates over ECDSA, then prefix the cipher string with “ECDHE-RSA-AES256-GCM-SHA384:” using either Web User Interface (Maintenance > Security > Ciphers) or CLI command (xConfiguration Ciphers).

And this is the cipher string that we ended up with having on all variants.

ECDHE-RSA-AES256-GCM-SHA384:EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL:!aDH



Response Signature


View solution in original post

6 Replies 6

Go to solution
Nithin Eluvathingal
VIP
VIP

‎03-07-2023 05:11 AM - edited ‎03-07-2023 06:44 PM

Tomcat ecdsa is EC certificate. If you signed the certificate with the same ca who signed expressway csr you don’t need to upload anything to expressway trust store.

If your ca doesn’t support ec AFAIK it should through you some  error. 

As a work around You can disable this requirement  from cli using 

xConfiguration EdgeConfigServer VerifyOriginServer: Off
 

I hope this guide will help you https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/218018-troubleshoot-expressway-traffic-server-c.html



Response Signature


Go to solution
b.winter
VIP
VIP

‎03-07-2023 05:21 AM

You cannot sign a EC certificate with an RSA cert template.
For EC certificates, you need a different cert template in your CA. Check the documenation of your CA for that, as this has nothing to do with Cisco in the first place.

Go to solution
Roger Kallberg
VIP
VIP

‎03-07-2023 09:53 AM - edited ‎03-07-2023 09:53 AM

In the release notes for X14.2.5 there is a part where a change to the cipher configuration is outlined to favour use of RSA signed certificates. Making that change in configuration in the Expressways will let you forgo anything related to EC certificates. We did this on our MRA and also B2B Expressway infrastructure the past weeks and it’s working as a charm.



Response Signature


Go to solution
Roger Kallberg
VIP
VIP

‎03-07-2023 10:16 PM

To add details to my previous response, this is the part of the release note that I referenced.

Cipher Preferences - ECDSA Cipher Preference Over RSA

ECDSA certificates are preferred over RSA.

RogerKallberg_0-1678255933249.gif

 


Important

The following points lists the various upgrade path(s) that are mandatory for upgrading ciphers.

  1. When upgrading from version lower than 14.0 to 14.2, the ECDSA would be preferred. If you prefer RSA certificates over ECDSA, then prefix the cipher string with "ECDHE-RSA-AES256-GCM-SHA384:" using either Web User Interface (Maintenance > Security > Ciphers) or CLI command (xConfiguration Ciphers).

  2. When upgrading from version equal or higher than 14.0 to 14.2 or higher version, you have appended "ECDHE-RSA-AES256-GCM-SHA384:" to the default Ciphers List to prefer RSA certificates over ECDSA. If you prefer ECDSA certificates over RSA, then remove "ECDHE-RSA-AES256-GCM-SHA384:" from the cipher string using Web User Interface (Maintenance > Security > Ciphers) or CLI command (xConfiguration Ciphers).

  3. Any customer has a fresh install X14.2 image, ECDSA is being preferred. If you prefer RSA certificates over ECDSA, then prefix the cipher string with “ECDHE-RSA-AES256-GCM-SHA384:” using either Web User Interface (Maintenance > Security > Ciphers) or CLI command (xConfiguration Ciphers).

And this is the cipher string that we ended up with having on all variants.

ECDHE-RSA-AES256-GCM-SHA384:EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL:!aDH



Response Signature


Go to solution
owenkd1959
Level 4
Level 4

‎02-24-2025 07:35 AM

I am a little behind and am getting ready to upgrade from x12.6.4 to x14.3.6 and the more I research the more questions I have. Call Manager, IM&Presence and Unity all connect through MRA. I have the Call Manager, Call Manage ECDSA, Tomcat & Tomcat ECDSA all CA signed. On IM&P & Unity the RSA certs are CA signed but the ECDSA are not. Will I need CA certs for the ECDSA on Unity and IM&P also? On IM&P do I need the cups edca? Do I need to upload the actual certificate for all of these or just my intermediate and root? All are signed by the same CA. 

0 Helpful

Go to solution
Roger Kallberg
VIP
VIP
In response to owenkd1959

‎02-24-2025 11:55 AM

From what I know there is no 14.3 release. It’s 14.0 with SU releases. You do not need to sign the EC certificates. These are used for internal communications. For information about the other certificates please see this document. Cisco UC Certificates Renewal Guide 



Response Signature


0 Helpful
Customers Also Viewed These Support Documents