topic Re: Significance of adding parent domain as a SAN in UC Certificates in Collaboration Applications

Significance of adding parent domain as a SAN in UC Certificates

osmannayeem — Fri, 13 Aug 2021 08:56:14 GMT

For all UC application, Cisco always auto-populates parent domain while generating CSRs. Can anyone please help me to understand the exact benefit of having this parent domain? What are the use cases? What if we remove parent domain and keep only server SAN while generating CSRs?

Re: Significance of adding parent domain as a SAN in UC Certificates

Roger Kallberg — Fri, 13 Aug 2021 11:22:37 GMT

For example it is used for Jabber clients to not through the warning for certificates at login/connection. Let me turn the question back to you, for what reason do you want to remove it?

Re: Significance of adding parent domain as a SAN in UC Certificates

osmannayeem — Fri, 13 Aug 2021 12:34:51 GMT

good point, thank you! I forgot about certificate warning during Jabber login. So I was updating tomcat cert of our ccx servers. Parent domain always auto-populated by CSR generation prompt, I never give it a thought about the specific purpose. But this time our security team want to know the reason behind adding a parent domain before approving my cert signing request with external CA.

Can you think of any particular usage of it in CCX?

Re: Significance of adding parent domain as a SAN in UC Certificates

Roger Kallberg — Fri, 13 Aug 2021 13:02:27 GMT

Whatever that is automatically added should stay. It’s as simple as that. The things I would recommend to remove is for IMP if there would be other domains than yours that shows up. This can be the case based on directory synchronisation with users that have a non corporate email address.

Not from the top of my head I can’t come up with a use for this in combination with CCX.

Re: Significance of adding parent domain as a SAN in UC Certificates

Adam Pawlowski — Fri, 13 Aug 2021 14:08:51 GMT

Maybe it's still XMPP/BOSH for desktop chat and agent presence?

Re: Significance of adding parent domain as a SAN in UC Certificates

Nithin Eluvathingal — Fri, 13 Aug 2021 14:32:56 GMT

AFAIK Some deployments rely on SANs to implement TLS connections to other Cisco or third-party infrastructure

Why do you want the certificates to be signed by a public CA ? Those certs can be signed by your internal CA.

Parent Domain Field is not a mandatory filed while generating CSR. Below mentioned will be the CSR output When choosing blank and with parent domain.

When it comes to Public CA, the cost will be based on the SAN filed entries.

Based on below Guide, IF you have an issue with CSR and uploaded Certificate, its recommended to go with Blank parent CA.

https://www.cisco.com/c/en/us/support/docs/customer-collaboration/unified-contact-center-express/118855-configure-uccx-00.html

Re: Significance of adding parent domain as a SAN in UC Certificates

shleets — Thu, 19 Jan 2023 16:51:54 GMT

Hello Roger, I'm now being questioned after 8 years of our Multi SAN certs of why we need parent domain. The concern is since it's in the CSR and it's a SAN in the certificate, and that is a security concern to the entire domain I'm told. What is the significance to the parent domain in the CSR and certificate. Are there services reliant on this? If it's not added will things break in the environment or what should out expectation be? Any guidance will help drive a discussion with our security team.

Re: Significance of adding parent domain as a SAN in UC Certificates

Roger Kallberg — Thu, 19 Jan 2023 18:59:33 GMT

Not sure if I understand the security concerns with this. Can you please elaborate on this?

Re: Significance of adding parent domain as a SAN in UC Certificates

j.a.m.e.s — Wed, 04 Jun 2025 09:11:54 GMT

Hi Nitin,

Do you know if this workaround of "Empty Parent Domain Field", then injecting only the relevant SAN entries via the CA would be valid for CUC as well?

Security folks don't like receiving a CSR which is requesting the company TLD as a SAN. The accepted answer on this thread saying "it should stay, simple as that" isn't going to cut it.

Thank you for any insight.