[cisco-voip] CUCM 7.0.2 Generate CSR Tomcat 1024 to 2048

Jason Burns burns.jason at gmail.com
Fri Feb 25 13:51:00 EST 2011


Dany,

The defect that adds this functionality to CUCM for Tomcat is

CSCso62711 - Cert Manager should generates Tomcat CSR using RSA 2048 instead
of 1024

Unfortunately, this defect was only fixed in the 8.0(3) versions of CUCM and
newer.

With the information that Mike provided below (and current CA behavior), I
can see merit in porting this change back to older versions for the Tomcat
service. If you look through the past threads on this forum I think
you'll see most people requesting the enhanced key size for Tomcat certs.

Would you be willing to open a service request and unicast me the case
number so I can look into asking devs to back port the fix? If I make any
progress (or get a definitive no) I can respond back to the alias with my
results.

-Jason


On Fri, Feb 25, 2011 at 1:03 PM, Wes Sisk <wsisk at cisco.com> wrote:

>  I believe there are some dependencies there that may not be clear.
> Consider:
> CSCtn01236    2048 bit certs
> CSCsv32209    Unified OS Browser hangs display certificate with bit key
> more than 1024
>
> It appears dependent on version and the type of certificate being used.
>
> Regards,
> Wes
>
>
>
>
> On 2/25/2011 12:15 PM, Ryan Ratliff wrote:
>
> You don't get to pick what's used for the CSR, you just have to generate it
> and see what it's using.
>
>  CUCM 8.0(3) generates 2048-bit CSRs for tomcat by default.
>
>  rratliff-mac:Desktop rratliff$ openssl req -text -noout -in tomcat.csr
> Certificate Request:
>     Data:
>         Version: 0 (0x0)
>         Subject: CN=rratliff-cucm-8-pub.voip.rratliff.local, OU=TAC,
> O=Cisco, L=RTP, ST=NC, C=US
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (2048 bit)
>                 Modulus (2048 bit):
>
>  -Ryan
>
>  On Feb 25, 2011, at 11:46 AM, Mike King wrote:
>
> No CA will issue a certificate of less than 2048 due to the NIST issuing
> recommendation
> http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf that
> sizes of less than 2048 not be accepted.
>
>  The real traction to this is that Microsoft (and all browser makers:
> Opera, Mozilla, Chrome) have stated they will remove all 1024-bit CA certs
> from their products as of December of 2010. (In support of the NIST
> deadline, detailed above)
> http://technet.microsoft.com/en-us/library/cc751157.aspx
>
>  I'm not sure how to get CUCM to generate a 2048 CSR.
>
>  Do these docs help?
>
>
> http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/cucos/7_1_2/cucos/iptpch6.html#wp1046223
>
>
> http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/7_0_1/secugd/secuview.html#wp1147888
>
>  Mike
>
> On Fri, Feb 25, 2011 at 11:28 AM, Jimhend FORTIN Dany <
> jeterapres at hotmail.com> wrote:
>
>>  Hello,
>>
>> I want to have a Tomcat SSL CSR signed by a recognized authority. But my
>> file is not accepted because it seems to be 1024-bit, and most authorities
>> only accept CSRs of 2048.
>>
>> Is there a cheap company that accepts a CSR of 1024? Otherwise, how can
>> I make CUCM generate a CSR of 2048?
>>
>> Thank you for your time
>>
>> Dany
>>
>> Jimhend jeterapres at hotmail.com
>>
>>
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>>
>
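An added check, not part of the thread or of any Cisco tooling, that automates the `openssl req -text -noout` step Ryan used above: it reads the reported RSA modulus size and rejects a CSR below the 2048-bit floor Mike's CAs enforce. The sample outputs are constructed; the `Public-Key:` wording is assumed to be the spelling newer OpenSSL releases print for the same line.

```python
import re
import subprocess
from typing import Optional

# Constructed sample, modelled on the openssl output quoted in the thread
# (older OpenSSL wording: "RSA Public Key: (N bit)").
CSR_TEXT_2048 = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=cucm-pub.example.local, OU=TAC, O=Cisco, L=RTP, ST=NC, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
"""

# Constructed sample of a 1024-bit CSR in the newer wording (assumption:
# "Public-Key: (N bit)" is how later OpenSSL releases print the key size).
CSR_TEXT_1024 = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=cucm-pub.example.local, OU=TAC, O=Cisco, L=RTP, ST=NC, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
"""

# Matches either wording of the key-size line and captures the bit count.
_KEY_BITS = re.compile(r"(?:RSA Public Key|Public-Key): \((\d+) bit\)")

def rsa_key_bits(openssl_text: str) -> Optional[int]:
    """Return the RSA key size reported in `openssl req -text` output, or None."""
    m = _KEY_BITS.search(openssl_text)
    return int(m.group(1)) if m else None

def csr_key_acceptable(openssl_text: str, minimum_bits: int = 2048) -> bool:
    """True if the CSR's key meets the CA minimum (2048 per the NIST guidance cited)."""
    bits = rsa_key_bits(openssl_text)
    return bits is not None and bits >= minimum_bits

def check_csr_file(path: str, minimum_bits: int = 2048) -> bool:
    """Run openssl on a CSR exported from CUCM OS Administration and apply the check."""
    out = subprocess.run(["openssl", "req", "-text", "-noout", "-in", path],
                         capture_output=True, text=True, check=True).stdout
    return csr_key_acceptable(out, minimum_bits)
```

Run `check_csr_file("tomcat.csr")` on the file downloaded from CUCM before submitting it; a `False` result means the CA will reject it for the same reason Dany hit.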

