
Best practice using certificate for Jabber internal and over MRA

mcaldogne
Level 3

Hi!

Until now we have configured CUCM, IMP, CUC ... and Expressway-C in a .local domain. 

Expressway-E has a .public domain; however, we used a certificate from our private CA. The disadvantage of using our CA is that we need to import the root CA cert on every mobile device.

Now we need to change the domain of Expressway-E and would like to buy a new certificate from a third-party CA, also to avoid installing the root CA cert on every device.

But on the corporate network Jabber would still need the root CA of our private CA, is that right? Otherwise the user would get the error message because of the certificate and would have to accept it.

What is the best way to go?

I would appreciate any help.

Best regards

Mirko

6 Replies

Jaime Valencia
Cisco Employee

The only way to prevent users from getting the certificate error on-prem is to distribute the server certificates to their devices prior to them connecting. The Jabber documentation discusses this point.

HTH

java

if this helps, please rate

Thanks for your reply Jaime!

But let's assume I would change the domain of CUCM, IMP and Expressway-C to the same domain as Expressway-E and use the public certificate in the corporate network too.
The mobile devices should not get the certificate error, because the certificate would be public. Could this be a way to avoid distributing the certificate?

Hi, 

Technically yes, you will avoid the certificate distribution when you can use public certificates on all servers. But you need to consider that you require 1-2 CUCM and 3 IMP SSL certificates in addition to the UC certificate on Expressway C & E.

The other solution is to teach users, or have a document sent to all users, on how to install the CA on their devices, or to have a central mobile management application, but the issue with that is you will be managing others' mobile devices.

Regards,

Muaaz

Thank you for the quick reply Muaaz, it was very helpful!

We will think about it, I thought maybe to use 1 wildcard (should be supported for CUCM, IMP, CUC) and 2 for Expressway C+E. 

But changing the domain would be also a critical thing...

Maybe we will buy only a public certificate for Expressway-E and write a quick guide for the users.

Mirko

Hi Mirko, 

Just to let you know that the Expressways, CUCM & IMP do not support wildcard certificates.

Regards, 

Muaaz

Hi Muaaz,

Not so good, I was convinced that only Expressway doesn't support wildcard.

So we will most likely create the certificate for the internal server again with our CA.

Thanks a lot for the help.

Regards

Mirko