We have several 7921G phones which we want to integrate in our WiFi network.
Such WiFi is protected by using EAP-TLS, so we have installed the corresponding
certificates to one testing phone. We have discovered that the phone does not
support certificates with RSA keys with a size greater than 2048 bits and,
at the same time, their signatures must be always generated by using the SHA1
hashing algorithm. This fact also appears in the related documentation of the
phone. As a consequence we have a problem since the root certificate of the CA
uses a key of 4096 bits and the SHA256 algorithm. We have also updated the
firmware to the latest version without success regarding this. Does anyone know if
there is any plan for a firmware update to support keys with a greater size and
other hashing algorithms? Currently, the SHA1 algorithm is considered
deprecated and the security community recommends using another hash algorithm,
and the same applies to the size of the keys.
It is true that the 7921 is not sold any longer but is supported through Nov 2014.
So will offer software release for the 7921 until then.
However, the 7921 and 7925/7926 will not support certs with 4096 bit keys or SHA-2 signatures.
Any future handsets will have 4096 bit key and SHA-2 support though.
Sent from Cisco Technical Support iPhone App
The 7921G is already on the EoL product list, so do not expect any firmware update for it.
I do not think any newer phones such as the 7925G will support 4096 bit keys either. The 7925G only supports key lengths of 1024 or 2048. Refer to this deployment guide for details (page 97)
*** Pls rate all useful responses *****
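As an added example (not from the thread or from Cisco), this dependency-free Python check reads a DER certificate's signature algorithm and RSA key size and lists what conflicts with the limits reported in the thread (RSA keys up to 2048 bits, SHA1 signatures). All function names are assumptions, and `sample_cert` builds constructed, unsigned test input.

```python
SIG_OIDS = {  # DER bytes of the signatureAlgorithm OID -> name
    "2a864886f70d010105": "sha1WithRSAEncryption",
    "2a864886f70d01010b": "sha256WithRSAEncryption",
}

def elements(buf, pos, end):
    """Yield (tag, value_start, value_end) for each DER element in buf[pos:end]."""
    while pos < end:
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, pos, pos + length
        pos += length

def inspect_cert(der):
    """Return (signature algorithm name, RSA modulus size in bits)."""
    cert = next(elements(der, 0, len(der)))
    tbs, sig_alg, _ = elements(der, cert[1], cert[2])
    oid = next(elements(der, sig_alg[1], sig_alg[2]))
    fields = [f for f in elements(der, tbs[1], tbs[2]) if f[0] != 0xA0]  # drop [0] version
    _, key_bits = elements(der, fields[5][1], fields[5][2])  # SPKI: algorithm, BIT STRING
    rsa_key = next(elements(der, key_bits[1] + 1, key_bits[2]))  # skip unused-bits byte
    modulus = next(elements(der, rsa_key[1], rsa_key[2]))  # first INTEGER is the modulus
    return (SIG_OIDS.get(der[oid[1]:oid[2]].hex(), "other"),
            int.from_bytes(der[modulus[1]:modulus[2]], "big").bit_length())

def phone_7921_problems(der):
    """List conflicts with the limits reported in the thread (assumed: <= 2048 bits, SHA1)."""
    name, bits = inspect_cert(der)
    checks = [(bits > 2048, f"RSA key is {bits} bits, above the 2048-bit limit"),
              (name != "sha1WithRSAEncryption", f"signed with {name}, not SHA1")]
    return [msg for bad, msg in checks if bad]

def enc(tag, body):  # DER-encode one element; used only to build the sample input
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(bits, sig_oid_hex):
    """Constructed, unsigned, certificate-shaped DER (demo input only)."""
    seq = lambda *parts: enc(0x30, b"".join(parts))
    sig_alg = seq(enc(0x06, bytes.fromhex(sig_oid_hex)), enc(0x05, b""))
    key_alg = seq(enc(0x06, bytes.fromhex("2a864886f70d010101")), enc(0x05, b""))
    n = (1 << (bits - 1)) | 1  # placeholder modulus of the requested size
    rsa_key = seq(enc(0x02, b"\x00" + n.to_bytes(bits // 8, "big")), enc(0x02, b"\x01\x00\x01"))
    tbs = seq(enc(0xA0, enc(0x02, b"\x02")), enc(0x02, b"\x01"), sig_alg, seq(), seq(), seq(),
              seq(key_alg, enc(0x03, b"\x00" + rsa_key)))
    return seq(tbs, sig_alg, enc(0x03, b"\x00"))
```

For a real certificate, convert the PEM text with the standard library's `ssl.PEM_cert_to_DER_cert()` and pass the result to `phone_7921_problems()`, once per certificate in the chain.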