CUMA: Private Key Sharing - how to export private Keys ?

ffischer
Level 1

Hello Voice Gurus,

here comes a question from a Security, Firewall & VPN guy:

Please have a look at Figure 54-4 "How the Security Appliance Represents Cisco UMA – Private Key Sharing":

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/unified_comm_cuma.pdf

How can I export the certificate from the CUMA including the corresponding private key?

(The private key is generated together with the cert's public key during creation of the CSR.)

For me it looks like the file produced by the download of a .cer file described in the CUMA manuals contains only the public part of the certificate.

Can I export the private key itself?

Or extract it directly from the CUMA server file system somehow?

I'm familiar with fiddling X.509 Certs using openssl...

Thanks a lot in advance,

Frank

2 Replies

michael-luo
Level 1

Figure 54-4 was for the scenario that you are adding an ASA to an existing CUMA environment. I don't think this would even exist - it means someone put the CUMA on the public Internet before (without ASA). I don't think it's a supported deployment.

Anyway, if you got the certificate from your certificate provider, you should have the private key from them.

What we usually do is described in Figure 54-5 (greenfield deployment). We installed a CA-issued certificate on the ASA. For communication between ASA and CUMA, we use a private CA or self-signed cert.

Michael

I'm talking about the certificate used in the TLS connection to the mobile devices out there on the Internet.

We have greenfield. CUMA is already basically set up, ASA not yet.

We have to decide where to do the enrollment with a commercial certificate provider, i.e. Verisign.

Michael, you said:

"Anyway, if you got the certificate from your certificate provider, you should have the private key from them."

Well... keep in mind that all certificate security is based on the principle of keeping the private keys private!

The certificate provider keeps its CA private keys used for signing private, and a certificate customer's private key may never leave "the house", as this could compromise the certificate.

No certificate provider signing your CSRs during the enrollment has any idea of your private key!

After verification that the CSR is authentic and you are authorized for the domain name in the subject, he simply creates a checksum over the certificate fields like Common Name and X.509 extensions, together with your public key, and "signs" that checksum with his private key to certify that it's authentic.

I would have my certificate's private key only if key generation and enrollment take place outside the CUMA, and it is then imported into the CUMA as a PFX/PKCS#12 file or as separate files for key + certificate.

What if I used the CUMA server to enroll a cert with Verisign?

In that case a key pair (public/private) is generated on the CUMA and only the public key is sent to Verisign together with the field values and several hundred $$$$ to be signed.

The answer (cert) from Verisign is then imported to the CUMA, but my private key never left the CUMA.

So, if I understand you correctly:

We can import a certificate together with its private key to be used as server certificate for TLS to the CUMA.

But there is no way to export a private key or a certificate including the corresponding private key from the CUMA.

Keep in mind the case that the CUMA appliance may have to be re-imaged or replaced, which would result in loss of the private key = the amount paid for the certificate!

In that case I would urgently recommend not to perform the enrollment on the CUMA but to generate the key pair and do the enrollment with the certificate provider externally.
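The external workflow the post recommends, as an added openssl example that is not part of the thread: generate the key pair and CSR on an admin workstation, check that the CSR carries only the public key (and the one matching your key) before sending it to the CA, then bundle the returned certificate with the key as PKCS#12 for import and for offline backup. The hostname, file names and the self-signed stand-in for the CA-issued certificate are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): key generation and enrollment outside
# the appliance, so the private key survives a re-image of the CUMA.
# HOST and the file names are placeholders, not values from the thread.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="${HOST:-cuma.example.com}"   # placeholder FQDN; use the real server name

# 1. Key pair + CSR on the admin host. Only server.csr (subject fields plus the
#    public key) is sent to the commercial CA; server.key stays here.
gen_key_and_csr() {
    openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
    chmod 600 "$WORKDIR/server.key"
    openssl req -new -key "$WORKDIR/server.key" -subj "/CN=$HOST" \
        -out "$WORKDIR/server.csr" 2>/dev/null
}

# 2. Pre-flight check: the CSR must not contain private key material, and its
#    public key must be the one belonging to the locally held private key.
csr_matches_key() {
    if grep -q 'PRIVATE KEY' "$WORKDIR/server.csr"; then
        return 1
    fi
    k=$(openssl pkey -in "$WORKDIR/server.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl req -in "$WORKDIR/server.csr" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# 3. Once the CA returns server.crt, bundle certificate + key as PKCS#12 for the
#    CUMA import and keep that file in a secured offline backup. Here a
#    self-signed certificate stands in for the CA-issued one (assumption).
build_pkcs12() {
    openssl x509 -req -in "$WORKDIR/server.csr" -signkey "$WORKDIR/server.key" \
        -days 365 -out "$WORKDIR/server.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORKDIR/server.key" -in "$WORKDIR/server.crt" \
        -passout "pass:$1" -out "$WORKDIR/server.pfx"
}

# 4. Verify the bundle actually carries the private key before relying on it
#    as the backup; a certificate-only .cer file would fail this check.
pkcs12_has_key() {
    openssl pkcs12 -in "$WORKDIR/server.pfx" -passin "pass:$1" -nocerts -nodes \
        2>/dev/null | grep -q 'PRIVATE KEY'
}
```

Call gen_key_and_csr, send server.csr to the CA, and run build_pkcs12 followed by pkcs12_has_key with the export password once the certificate is back.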