Beginner

IM&P cup-xmpp certificate/CSR - Change extended key usage

Hi All,

I need some assistance with creating a new xmpp CSR on the Cisco IM&P Server.

I generated a new CSR that included all the correct Domains. When I forwarded my CSR to our internal PKI Team, my request was denied, as we are only allowed two Extended Key Usages.

I will need to remove ipsecEndSystem before they will be able to sign my internal signed Cert.

Is there any possible way to do this? The settings when generating a new CSR are very limited.

Hall of Fame Cisco Employee

Re: IM&P cup-xmpp certificate/CSR - Change extended key usage

No, you cannot; what you see is what you get in the generate CSR options.

You'll have to explain to them that the CSR comes with what the system needs and the system might not work properly if they choose to change them.

HTH

java

if this helps, please rate
Beginner

Re: IM&P cup-xmpp certificate/CSR - Change extended key usage

Hi Jaime,

 

Thanks for responding, huge fan btw.

 

 

This is the response I received from our internal Team. 

 

"

As discussed, please note that in any certificate request Extended Key Usage, we can only provide Server Authentication and Client Authentication. Except these two, we cannot issue any certificates with any other Extended Key Usage parameter. 
 
So we regret to inform you that we cannot issue certificate from neither Internal SSL CA or Entrust for the mentioned Extended Key Usage parameter."
 
"Please note that we regret to inform you that we cannot provide any SSL certificate from our end CA as we cannot modify the Extended Key Usage of the same. "
 
I tried to explain but they keep coming back with the same response, please also see attached snippet.
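
As an added example (not part of any post in this thread, and not Cisco tooling): a shell check that lists the Extended Key Usage values a CSR requests and reports any outside the two the PKI team says it can issue. It assumes OpenSSL 1.1.1 or later on a workstation; the sample CSR, its CN and the file names are constructed, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: compare the EKUs requested in a CSR with a CA allow-list.

# Policy quoted in the thread: Server Authentication and Client Authentication
# only. These are the long names OpenSSL prints for serverAuth and clientAuth.
ALLOWED_EKU="TLS Web Server Authentication
TLS Web Client Authentication"

# Print one requested EKU per line (prints nothing if the CSR has no EKU
# extension or cannot be parsed).
csr_ekus() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Extended Key Usage/ { getline; print; exit }' |
        tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Print every requested EKU that is not on the allow-list.
# "|| true" keeps an empty result from aborting callers that use "set -e".
csr_eku_violations() {
    csr_ekus "$1" | grep -Fxv "$ALLOWED_EKU" || true
}

# Constructed sample input: a throwaway key and CSR requesting the EKU list
# given in $2. The subject name is a placeholder, not a real host.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=imp.example.test" \
        -addext "extendedKeyUsage=$2" 2>/dev/null
}

# When run as a script with a CSR path, report the EKUs the CA would reject.
if [ "$#" -gt 0 ]; then
    csr_eku_violations "$1"
fi
```

Running it against the CSR downloaded from the server before sending it to the PKI team shows exactly which requested usages fall outside their policy.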
 
Hall of Fame Cisco Employee

Re: IM&P cup-xmpp certificate/CSR - Change extended key usage

I'd download the self-signed certificate and send it to them; tell them that's what the system is running on right now and what's needed, which should be the same as what the CSR asks for.

HTH

java

if this helps, please rate
Beginner

Re: IM&P cup-xmpp certificate/CSR - Change extended key usage

Judging by the response to this similar issue, I would say you are out of luck :(
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd91798/?rfs=iqvred
Thanks,
Justin Ferello
Beginner

Re: IM&P cup-xmpp certificate/CSR - Change extended key usage

Hi Justin,

 

From the link I can pick up that Tomcat does not need IPsec. I need confirmation from Cisco that IPsec is not needed for XMPP as well.

 

Then I will be able to generate a cert from a CMS Server and add all the necessary info and send it off to my PKI Team.

Beginner

Re: IM&P cup-xmpp certificate/CSR - Change extended key usage

How would that work? You cannot upload a private key in UCOS.
Thanks,
Justin Ferello
Beginner

Re: IM&P cup-xmpp certificate/CSR - Change extended key usage

Just trying all avenues, as this issue is holding back multiple projects: we are not able to add more domains to allow users from other countries to use Jabber.

 

 
