We are busy performing dot1x tests on IP Phones. We chose the LSC approach and have generated CAPF CSRs which we have signed by our PKI infrastructure.
Once all certificates and trust have been uploaded and when we update the CUCM CTL with the Cisco CTL client tool, we received the following error message
“Could not get CAPF certificate(s).CAPF seems to be running on the CUCM Publisher but the certificate file(s) do not exist in the Certifiicate trust path on Server”
We searched Neptro with an explanation on this and found that article:
In our setup we one issuing CA in the certification path has n key of 4096 bits. This is imposed by our Security Policy and can’t be workaround from a security policy point of view.
We then had the CAPF CSR regenerated and had a test CA with an encryption key of only 2048 bit sign our certificate and Dot1x authentication. This worked just fine and test Ip Phones can now authenticate..
My question is, is that a known limitation of Cisco Callmanager which is unable to handle certificates signed by a PKI in which one of the CA has a key of more that 2048 bits. Or is this a bug related to our 220.127.116.1100-10 CUCM version.
Is there a way to bypass that limitation or a precise version of callmanager correcting it?