08-08-2017 02:55 AM - edited 03-17-2019 07:00 PM
Hi!
Until now we have configured CUCM, IMP, CUC ... and Expressway-C in a .local domain.
Expressway-E has a .public domain, however we used a certificate from our private CA. The disadvantage of using our CA is that we need to import the root CA cert on every mobile device.
Now we need to change the domain of Expressway-E and would like to buy a new certificate from a third-party CA, also to avoid installing the root CA cert on every device.
But on the corporate network Jabber would still need the root CA of our private CA, is that right? Otherwise the user would get the error message because of the certificate and should accept that.
What is the best way to go?
I would appreciate any help.
Best regards
Mirko
08-08-2017 07:26 AM
The only way to prevent users from getting the certificate error on-prem is to distribute the server certificates to their devices prior to them connecting. The Jabber documentation discusses this point.
08-09-2017 12:31 AM
Thanks for your reply Jamie!
But let's assume I would change the domain of CUCM, IMP and Expressway-C to the same domain as Expressway-E and use in the corporate network the public certificate too.
The mobile devices should not get the certificate error, because the certificate would be public. Could this be a possibility to avoid distributing the certificate?
08-09-2017 03:38 AM
Hi,
Technically yes, you will avoid distributing the certificate when you can use a public certificate on all servers. But you need to consider that you would require 1-2 CUCM and 3 IMP SSL certificates in addition to the UC certificate on Expressway C & E.
The other solution is to teach users, or have a document sent to all users, on how to install the CA on their devices, or to have a central management mobile application, but the issue with that is you will be managing others' mobile devices.
Regards,
Muaaz
08-09-2017 04:06 AM
Thank you for the quick reply Muaaz, it was very helpful!
We will think about it, I thought maybe to use 1 wildcard (should be supported for CUCM, IMP, CUC) and 2 for Expressway C+E.
But changing the domain would also be a critical thing...
Maybe we will buy only a public certificate for Expressway-E and write a quick guide for the users.
Mirko
08-09-2017 04:18 AM
Hi Mirko,
Just to let you know that the Expressways, CUCM & IMP do not support wildcard certificates.
Regards,
Muaaz
08-09-2017 05:24 AM
Hi Muaaz,
Not so good, I was convinced that only Expressway doesn't support wildcard.
So we will most likely create the certificate for the internal server again with our CA.
Thanks a lot for the help.
Regards
Mirko