IM&P cup-xmpp certificate/CSR - Change extended key usage

corneliss
Level 1

Hi All,

 

I need some assistance with creating a new xmpp CSR on the Cisco IM&P Server.

I generated a new CSR that included all the correct Domains. When I forwarded my CSR to our internal PKI Team, my request was denied as we are only allowed two Extended Key Usages.

I will need to remove ipsecEndSystem before they will be able to sign my internal signed Cert.

Is there any possible way to do this? The settings when generating a new CSR are very limited.

 

1 Accepted Solution

Accepted Solutions

We will be working with our internal CA to create a template that will support 3 key usages, but at this stage we had to move back to self-signed Certs in order to complete the Project.

Thanks for the inputs from your side. We also had a TAC open to confirm the theory that this cannot be changed, to send this as proof to our Global Team.


8 Replies

Jaime Valencia
Cisco Employee

No, you cannot, what you see is what you get in the generate CSR options.

You'll have to explain to them that the CSR comes with what the system needs and the system might not work properly if they choose to change them.

HTH

java

if this helps, please rate

Hi Jaime,

 

Thanks for responding, huge fan btw.

 

 

This is the response I received from our internal Team. 

 

"As discussed, please note that in any certificate request Extended Key Usage, we can only provide Server Authentication and Client Authentication. Except these two, we cannot issue any certificates with any other Extended Key Usage parameter.

So we regret to inform you that we cannot issue certificate from neither Internal SSL CA or Entrust for the mentioned Extended Key Usage parameter."

"Please note that we regret to inform you that we cannot provide any SSL certificate from our end CA as we cannot modify the Extended Key Usage of the same."
 
I tried to explain but they keep coming back with the same response, please also see attached snippet.
 

I'd download the self-signed certificate, and send it to them, tell them that's what the system is running on right now and what's needed, which should be the same the CSR asks for.

HTH

java

if this helps, please rate
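To show the PKI team exactly which Extended Key Usage values a CSR or exported certificate carries, and which of them a two-EKU policy would refuse, a small standard-library DER walker is enough. This is an added example, not part of any post in this thread and not Cisco code; the function names and the hand-encoded sample bytes are constructed for illustration, and the three OIDs are the standard id-kp values for the EKUs named in the thread.

```python
EKU_EXT_OID = "2.5.29.37"                      # id-ce-extKeyUsage
NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth",
         "1.3.6.1.5.5.7.3.2": "clientAuth",
         "1.3.6.1.5.5.7.3.5": "ipsecEndSystem"}
CA_ALLOWED = {"serverAuth", "clientAuth"}      # policy as quoted in the thread

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(val):
    arcs, n = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                       # last byte of this arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def requested_ekus(der):
    """Find the extKeyUsage extension anywhere in a DER CSR or certificate."""
    for tag, val in children(der):
        kids = list(children(val)) if tag & 0x20 else []   # only constructed types nest
        if kids and kids[0][0] == 0x06 and decode_oid(kids[0][1]) == EKU_EXT_OID:
            _, seq, _ = read_tlv(kids[-1][1], 0)   # OCTET STRING wraps SEQUENCE OF OID
            return [NAMES.get(o, o) for o in (decode_oid(v) for _, v in children(seq))]
        found = requested_ekus(val) if kids else []
        if found:
            return found
    return []

def policy_gap(der, allowed=CA_ALLOWED):       # EKUs the CA policy would refuse
    return [e for e in requested_ekus(der) if e not in allowed]

# Constructed sample: only the extKeyUsage Extension element, hand-encoded.
SAMPLE = bytes.fromhex("30270603551d250420301e"
    "06082b06010505070301" "06082b06010505070302" "06082b06010505070305")
```

The functions take raw DER, so a PEM CSR or certificate has to be base64-decoded (header and footer lines stripped) before it is passed in.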


JFerello
Level 1
Judging by the response to this similar issue, I would say you are out of luck :(
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd91798/?rfs=iqvred
Thanks,
Justin Ferello

Hi Justin,

 

From the link I can pick up that Tomcat does not need IPsec. I need confirmation from Cisco that IPsec is not needed for XMPP as well.

 

Then I will be able to generate a cert from a CMS Server and add all the necessary info and send it off to my PKI Team.

How would that work? You cannot upload a private key in UCOS.
Thanks,
Justin Ferello

Just trying all avenues, as this issue is holding back multiple Projects as we are not able to add more domains to allow users from other Countries to use Jabber.

 

 
