• The CSRs for Cisco Unified Communications Manager, Tomcat, and IPsec use the following extensions:
X509v3 extensions:
X509v3 Key Usage:
• Digital Signature, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign
X509v3 Extended Key Usage:
• TLS Web Server Authentication, TLS Web Client Authentication, IPsec End System
Reading what each of these does... I highly doubt that this is accurate. First of all, none of Cisco's guides show using anything but Digital Signature and Key Encipherment for the tomcat cert. Not to mention that you can't even create such a template as above with Windows CA servers without building a custom inf and importing it... I really doubt that there are many users that have ever done that for their CUCM certs.
CUC OS guide states:
• The CAPF CSR uses the following extensions:
X509v3 extensions:
X509v3 Key Usage: Digital Signature, Certificate Sign
X509v3 Extended Key Usage: TLS Web Server Authentication, IPSec End System
• The CSRs for Cisco Unified Communications Manager, Tomcat, and IPSec use the following extensions:
X509v3 Key Usage: Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System
Clearly different requirements for the tomcat cert than in CUCM. And again bizarre things like Key Encipherment and Key Agreement... which are mutually exclusive in Microsoft CA templates. I simply cannot believe these are accurate.
My hypothesis is that the CUCM, Tomcat and IPSec certs all need different x509v3 usage templates... but Cisco hasn't bothered to break them out. Can we please get accurate confirmation of what is needed for these certs??? Along with the IOS certs for secure SIP and secure conferencing... clear requirements for VCS would be nice. These seem a bit vague as well. I think we are at the point where a clear and concise PKI doc for UC may be needed... or at least a very detailed chapter in the SRND.
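One way to see how far a CSR or an issued certificate is from the two extension lists quoted in the post is to diff the Key Usage and Extended Key Usage lines of `openssl req -noout -text` or `openssl x509 -noout -text` output against each list. This is an added example, not part of the original post and not Cisco code; the names `DOC_PROFILES`, `parse_usages` and `diff_against` are hypothetical and the sample certificate text is constructed.

```python
import re

# Extension lists as quoted in the post from the two guides (CSRs for
# Cisco Unified Communications Manager, Tomcat, and IPsec).
DOC_PROFILES = {
    "CUCM guide": {
        "ku": ["Digital Signature", "Key Encipherment", "Data Encipherment",
               "Key Agreement", "Certificate Sign"],
        "eku": ["TLS Web Server Authentication",
                "TLS Web Client Authentication", "IPsec End System"],
    },
    "CUC guide": {
        "ku": ["Digital Signature", "Key Encipherment", "Data Encipherment",
               "Key Agreement"],
        "eku": ["TLS Web Server Authentication",
                "TLS Web Client Authentication", "IPSec End System"],
    },
}

# Constructed sample: extension section of `openssl x509 -noout -text` for a
# certificate issued with only Digital Signature and Key Encipherment.
SAMPLE_ISSUED = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""

def parse_usages(text):
    """Return {'ku': set, 'eku': set} of case-folded usage names."""
    found = {"ku": set(), "eku": set()}
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = re.match(r"\s*X509v3 (Extended )?Key Usage:", line)
        if m:  # values sit on the line after the extension header
            key = "eku" if m.group(1) else "ku"
            found[key] = {v.strip().casefold()
                          for v in lines[i + 1].split(",") if v.strip()}
    return found

def diff_against(profile_name, text):
    """List usages the documented profile has that the text lacks, and vice versa."""
    found, out = parse_usages(text), {}
    for key, names in DOC_PROFILES[profile_name].items():
        want = {n.casefold() for n in names}  # guides differ on IPsec/IPSec case
        out[key] = {"missing": sorted(want - found[key]),
                    "extra": sorted(found[key] - want)}
    return out
```

Running the same diff on the CSR and on the certificate the CA returns shows which requested usages the CA template dropped or overrode.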
Are you getting this error “Installer User Interface Mode Not Supported. The installer cannot run in this UI mode. To specify the interface mode, use the -i command-line option, followed by the UI mode identifier. The value UI mode identifiers...
The below trick might come in handy when you have to add a new node to a cluster but you don't have or are unsure of the security password for the publisher. This procedure has been around for ages.
1) Log in to the CLI of the Publisher.