topic Hi Jaime, in Collaboration Applications

Certificate for Jabber with MRA

Hythim Ali El Hadad — Mon, 18 Mar 2019 01:52:10 GMT

Hi,

We have deployed jabber for windows and jabber for iphone with CUCM,CUC,IM&P, EXPc and EXPe

I see I'll generate CSR from all servers CUCM,CUC,IM&P tomcat and xmpp for IM&P and to sign it with a private CA and put it in he trust store to be trusted by our users. Where I'll upload the signed certificate . is this will be to tomcat also or tomcat-trust on each server ? also xmpp to be uploaded as xmpp also ?

But how this will be trusted by the jabber for iphone ? or I must use public CA for this ?

Also for EXPc and EXPe, which certificate will I generate knowing that I have generate CSR and sign it with private CA with client server template. So i think I can't regenrate another CSR. will I use the same generated signed CSR or only to sign the EXPe with client server template also with public CA to be trusted on both jabber windows and jabber mobile ?

Finall question, Can I sign all certificates with private CA except EXPe . and to sign it with public CA ? so I'll get the generated CSR and to create the client server template on the public CA and to sign the certificate ?

please don't forget how jabber for iphone will trust the certificates signed by private CA or there is no way to sign it with public CA but the IT team tell it is too expensive .

IT team tell me he can give me wildcard certificate but I tell him it still not supported. wish Cisco could support this soon

Thanks

You upload the root CA to the

Jaime Valencia — Wed, 24 May 2017 03:03:24 GMT

You upload the root CA to the z-trust store for each cert you're going to have signed, then upload the relevant server certificate.

They won't be trusted, even if they're signed by a public CA, you need to deploy those certificates to the device's trust store in order to prevent any notification about the certificates.

The certificate you want to have signed by a public CA, is the EXP-E, and it needs to have server/client authentication, that last bit is for BOTH expressways, the certificate will be rejected if those are not configured.

http://docwiki.cisco.com/wiki/Certificates_FAQ

Hi Jaime,

Hythim Ali El Hadad — Wed, 24 May 2017 05:48:39 GMT

Hi Jaime,

I see I need public CA for the EXPe And to go with private CA for all other servers including EXPc . But how this private signed certificate be trusted by mobile phones ? The trust store will affect only domain users on PCs.

That's why you need to use

Jaime Valencia — Wed, 24 May 2017 16:05:15 GMT

That's why you need to use something like an MDM to push those certificates to the devices.

What if we use public CA for

Hythim Ali El Hadad — Thu, 25 May 2017 08:04:30 GMT

What if we use public CA for EXPe only and private CA for all other [cucm,cuc,im&p nd EXPc]

Will I get certificate pop up when connecting from mobile for the internal servers ?

Do you know if Cisco will support wildcard certificate in the near time ?

Thanks

What if we use public CA for

ucanduc — Thu, 25 May 2017 13:22:45 GMT

What if we use public CA for EXPe only and private CA for all other [cucm,cuc,im&p nd EXPc]

This is exactly the design recommandation for certificates. Expressway-E uses Public CA and all internal servers use Private CA.

Will I get certificate pop up when connecting from mobile for the internal servers ?

As long as mobile devices don't trust your Private CA, yes.

Moreover, your deployment must be FULLY using FQDNs to avoid the certificate popups, because trust is verified by cross checking the FQDN shown in the certificate and the FQDN of the server to which you are trying to connect.

To facilitate that, you should work first on Jabber for Desktop (since they are in the domain) so that it doesn't show popups internally. After that, extrapolate this to Mobile Users by importing the Private CA root certicate to the mobile devices.

But why insisting on that since the Certificate Verification will be checked only once as the user logs in for the first time and afterwards it won't be popped up again.

Do you know if Cisco will support wildcard certificate in the near time ?

- My personal opinion - I don't think it will be supported. The same problem exists in other Unified Communications solutions (eg Microsoft S4B), the wildcard certificate is not supported there too.

Bear in mind that you do not

Jaime Valencia — Thu, 25 May 2017 13:30:08 GMT

Bear in mind that you do not only need the root CA on the devices, you need the server certificates to be loaded in the devices to avoid the certificate warnings.

In addition to the great

john michael marie rodriguez — Wed, 31 May 2017 21:44:59 GMT

In addition to the great answers here. its also considered to upload external certificates to call managers instead of internal signed certificates to avoid the certificate prompts in the mobile phones connecting through MRA.