> On Jan 24, 2018, at 1:33 AM, Gladewitz, Robert via openssl-users <openssl-users@xxxxxxxxxxx> wrote: > > Nevertheless, a problem remains open for the Cisco CUCM users. If these use > the certificate internally signed by Cisco, the attributes are set as in the > discussion and can not be subsequently adapted in our case. This means that > for these users only the change to a non openssl based application remains - > really sad. Can you be a bit more explicit as to why these users cannot deploy a certificate chain via an alternate CA that does not have a problem EKU (just as you did)? Is it not possible to replace the intermediate CA certificate with one that either has no EKU or has a more complete EKU that lists both "serverAuth" and "clientAuth" (shorter OpenSSL names for the EKUs under discussion). There are surely some Cisco Engineers reading this list. Ideally someone from Cisco will reach out to the OpenSSL team (say myself) and we can help them update the product to avoid compatibility issues. I've posted a feedback comment at: https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/212214-Tech-Note-on-CAPF-Certificate-Signed-by.html#anc7 Perhaps they'll reach out. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users