Cisco Bug: CSCuq73658 - KeyAgreement, IPsec End System,Cert Sign bit is required or optional
Mar 02, 2018
- Cisco Unified Communications Manager (CallManager)
Known Affected Releases
Symptom: - The following CSR's contain the KeyAgreement Bit: CUPS version 220.127.116.11900-1: tomcat cup-xmpp cup-xmpp-s2s ipsec CUCM version 18.104.22.16800-28: tomcat CallManager TVS ipsec - The following document states that the KeyAgreement bit is included in the CSR, however does not reference the bits requirement. We need to know if this is an Optional or Require bit: Cisco Unified Communications Operating System Administration Guide, Release 10.0(1) Security Third-Party CA Certificates: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/cucos/10_0_1/CUCM_BK_C2F2626C_00_cucm-os-admin-guide-100/CUCM_BK_C2F2626C_00_cucm-os-admin-guide-100_chapter_0110.html#CUCM_RF_TF4B6BF0_00 <quote> The CSRs for Cisco Unified Communications Manager, Tomcat, and IPsec use the following extensions: X509v3 extensions:X509v3 Key Usage: Digital Signature, Key Encipherment, Data Encipherment, Key Agreement </quote> - If the CA does not include the KeyAgreement bit in the Signed Certificate the Certificate Management process accepts the certificate when uploading the new certificate, without checking for this bit. Since there are many 3rd party Public and Private Certificate Authorities excluding this bit by default, we do not know or understand the impact this will cause on the system. The document does not reflect the true meaning or requirement of the KeyAgreement bit. - Since the document does not specify or the Server does not restrict this bit, customer are re-configuring or re-designing there National or even Global Private Certificate Authorities to include the KeyAgreeement Bit from there default settings. Conditions: - This affects all CUCM & IM&P server versions starting from CallManager 3.x and onwards.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases