[cisco-voip] CUCM 7.0.2 Generate CSR Tomcat 1024 to 2048

Wes Sisk wsisk at cisco.com
Fri Feb 25 13:03:37 EST 2011


I believe there are some dependencies there that may not be clear.  
Consider:
CSCtn01236    2048 bit certs
CSCsv32209    Unified OS Browser hangs display certificate with bit key more than 1024

It appears dependent on version and the type of certificate being used.

Regards,
Wes



On 2/25/2011 12:15 PM, Ryan Ratliff wrote:
> You don't get to pick what's used for the CSR, you just have to 
> generate it and see what it's using.
>
> CUCM 8.0(3) generates 2048-bit CSRs for tomcat by default.
>
> rratliff-mac:Desktop rratliff$ openssl req -text -noout -in tomcat.csr
> Certificate Request:
>     Data:
>         Version: 0 (0x0)
>         Subject: CN=rratliff-cucm-8-pub.voip.rratliff.local, OU=TAC, 
> O=Cisco, L=RTP, ST=NC, C=US
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (2048 bit)
>                 Modulus (2048 bit):
>
> -Ryan
>
> On Feb 25, 2011, at 11:46 AM, Mike King wrote:
>
> No CA will issue a certificate of less than 2048 due to the NIST 
> issuing recommendation 
> http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf that 
> Sizes of less than 2048 not be accepted.
>
> The Real traction to this is that Microsoft (and all browser makers 
> (Opera, Mozilla, Chrome)) have stated they will remove All 1024 bit CA 
> certs from their products as of December of 2010. (In support of the 
> NIST deadline, detailed above)
> http://technet.microsoft.com/en-us/library/cc751157.aspx
>
> I'm not sure how to get CUCM to generate a 2048 CSR.
>
> Do these docs help?
>
> http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/cucos/7_1_2/cucos/iptpch6.html#wp1046223
>
> http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/7_0_1/secugd/secuview.html#wp1147888
>
> Mike
>
> On Fri, Feb 25, 2011 at 11:28 AM, Jimhend FORTIN Dany 
> <jeterapres at hotmail.com <mailto:jeterapres at hotmail.com>> wrote:
>
>     Hello,
>
>     I want to sign a CSR Tomcat SSL by a recognized authority. But my
>     file is not accepted because it seems to be in 1024 and most
>     authorities agree that CSR Certification of 2048.
>
>     Is there a cheap company that accepts CSR of 1024? Otherwise, how
>     can CUCM generate a CSR of 2048?
>
>     Thank you for your time
>
>     Dany
>
>     Jimhend jeterapres at hotmail.com <mailto:jeterapres at hotmail.com>
>
>
>
>     _______________________________________________
>     cisco-voip mailing list
>     cisco-voip at puck.nether.net <mailto:cisco-voip at puck.nether.net>
>     https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
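
The check described in the thread (generate the CSR, then see what key size it uses) can be scripted before the request goes to a CA. This is an added example, not code from any poster or from Cisco; the function names, `MIN_BITS` and the sample text are constructed for illustration. It accepts both the older `RSA Public Key:` label shown in the quoted output and the `Public-Key:` label printed by newer OpenSSL releases.

```shell
#!/bin/sh
# Added example: report a CSR's public-key size and reject anything under
# the 2048-bit minimum discussed in the thread.

MIN_BITS=2048   # threshold from the thread; adjust to your CA's policy

# Read `openssl req -text -noout` output on stdin and print the key size.
# Handles "RSA Public Key: (N bit)", "RSA Public-Key: (N bit)" and
# "Public-Key: (N bit)"; ignores "Public Key Algorithm:" and "Modulus" lines.
csr_key_bits() {
    sed -n 's/^[[:space:]]*\(RSA \)\{0,1\}Public[- ]Key: (\([0-9][0-9]*\) bit).*/\2/p' |
        head -n 1
}

# Returns 0 if the bit count meets MIN_BITS, 1 if too small, 2 if not a number.
key_size_ok() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$1" -ge "$MIN_BITS" ]
}

# check_csr FILE: parse a PEM CSR with openssl and report the verdict.
check_csr() {
    bits=$(openssl req -in "$1" -noout -text 2>/dev/null | csr_key_bits)
    if key_size_ok "$bits"; then
        echo "OK: $1 uses a $bits-bit key"
    else
        echo "REJECT: $1 key size '${bits:-unknown}' is below $MIN_BITS bits" >&2
        return 1
    fi
}

# Constructed sample (old-style label, trimmed) for trying the parser offline.
SAMPLE_OLD='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)'

if [ "$#" -gt 0 ]; then
    check_csr "$1"          # e.g. ./check_csr.sh tomcat.csr
else
    printf '%s\n' "$SAMPLE_OLD" | csr_key_bits
fi
```
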