I have a Cisco Expressway 8.7. I did the integration successfully; everything works as expected except for the certificates.
I went over the guide "Cisco Expressway Certificate Creation and Use" and I signed the CSR of the Expressway-E using the GoDaddy CA.
No matter what signing convention I used, I am still getting an untrusted certificate message when I try to connect to the Expressway through Jabber on Android.
Attached is the response I am getting from the server.
Is there a chance that Jabber doesn't trust Go Daddy Secure Certificate Authority - G2?
This is the same as any other Jabber client: if the certificate IS NOT in the trust store of the device, you'll be prompted to accept it, or not.
The question would be, did you distribute that certificate to your device BEFORE trying to use MRA?
If the answer is no, then what you're seeing is the expected behavior.
If yes, then you might need to look into Android and why it's not using it.
The Android device has in its Trusted Credentials folder many kinds of public root CAs.
One of them is The Go Daddy Group, Inc.
The Jabber client doesn't need to have the Expressway-E certificate in order to trust it; Jabber needs to have the Expressway-E root CA in its trusted certificate store, exactly like Jabber that works internally when it registers to IMP, CUCM and CUC: the host PC doesn't have all the certificates from all the servers installed.
If they are coming from the same domain and all the UC servers have been signed by the local CA, the PC will trust the servers.
No, you are wrong in all of that.
Both for on-prem, and MRA, you NEED to deploy the certificates.
Cisco Jabber validates server certificates when authenticating to services. When attempting to establish secure connections, the services present Cisco Jabber with certificates. Cisco Jabber validates the presented certificate against what is in the client device's local certificate store. If the certificate is not in the certificate store, the certificate is deemed untrusted and Cisco Jabber prompts the user to accept or decline the certificate.
If the user accepts the certificate, Cisco Jabber connects to the service and saves the certificate in the certificate store or keychain of the device. If the user declines the certificate, Cisco Jabber does not connect to the service and the certificate is not saved to the certificate store or keychain of the device.
If the certificate is in the local certificate store of the device, Cisco Jabber trusts the certificate. Cisco Jabber connects to the service without prompting the user to accept or decline the certificate.
No, you don't need to deploy the server certificate to the devices. In this case a public well known CA is being used and therefore the problem is with the endpoint or the certificate itself. It's not that deployment has not been completed.
From your reference links -
"If you use a well-known public CA, then the CA certificate may already exist on the client certificate store or keychain. If so, you need not deploy CA certificates to the clients."
shacharalon7 is correct in his statement that he should not have to deploy certificates for the Expressway edge functionality to work correctly.
shacharalon7, you'll want to check that the certificate is actually valid. I see that it is missing details....
EDIT: I went back and looked and you're missing the services domain in the SAN - add only 'netafin.com' as a SAN entry and you should be good to go.
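Added example, not from any post in this thread: a throwaway OpenSSL walk-through of the two points argued above. It shows that a client holding only the root CA (and not the server certificate) verifies the Expressway-E certificate, and that a certificate whose SAN list lacks the services domain still verifies but fails a domain check, which is the "missing the services domain in the SAN" situation. The hostnames (expe.example.com, example.com), the "Demo Root CA" and the helper names issue_cert, verify_with_root_only, san_dns_names and san_has_domain are all placeholders I chose; the OpenSSL CSR stands in for the CSR the Expressway-E generates from its own web interface.

```sh
#!/bin/sh
# Added example, not from the thread. Builds a throwaway root CA (standing in
# for the GoDaddy root), issues two Expressway-E style certificates, and then
# runs the two checks the thread turns on:
#   1. a client that holds ONLY the root CA verifies the server certificate
#      (no server certificate needs to be pushed to the device);
#   2. the certificate's SAN list must contain the services domain.
# All names below (expe.example.com, example.com, "Demo Root CA") are
# placeholders. The OpenSSL CSR stands in for the CSR Expressway-E generates
# from its own web UI.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway root CA with the extensions a verifier requires of a CA.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config ca.cnf \
  -keyout ca.key -out ca.crt 2>/dev/null
# A second, unrelated root: a device trusting only this one must reject our cert.
sed 's/Demo Root CA/Other Root CA/' ca.cnf > other.cnf
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config other.cnf \
  -keyout other_ca.key -out other_ca.crt 2>/dev/null

# issue_cert NAME DNS1 [DNS2 ...]: CSR carrying a SAN list, signed by ca.crt.
issue_cert() {
  name=$1; shift
  {
    printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n'
    printf '[dn]\nCN = %s\n' "$1"
    printf '[v3_req]\nsubjectAltName = @alt\n[alt]\n'
    i=1; for d in "$@"; do printf 'DNS.%s = %s\n' "$i" "$d"; i=$((i + 1)); done
  } > "$name.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$name.cnf" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null
  # -extfile/-extensions copy the SAN section into the signed certificate.
  openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile "$name.cnf" -extensions v3_req -out "$name.crt" 2>/dev/null
}

# verify_with_root_only CA_BUNDLE SERVER_CERT: exit 0 if a client that trusts
# only the CA bundle (not the server certificate itself) accepts the server.
verify_with_root_only() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# san_dns_names CERT: print the certificate's DNS SAN entries, one per line.
san_dns_names() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# san_has_domain CERT DOMAIN: exit 0 if DOMAIN is one of the DNS SAN entries.
san_has_domain() {
  san_dns_names "$1" | grep -qx "$2"
}

# good: FQDN plus the services domain. bad: FQDN only (the thread's problem).
issue_cert good expe.example.com example.com
issue_cert bad  expe.example.com

for c in good bad; do
  if verify_with_root_only ca.crt "$c.crt"; then chain=trusted; else chain=UNTRUSTED; fi
  if san_has_domain "$c.crt" example.com; then san="has services domain"; else san="MISSING services domain"; fi
  echo "$c.crt: chain via root CA $chain, SAN $san"
done
```

Both certificates chain to the demo root, so a device that already holds that root accepts either without any prompt; only the one that also lists the services domain passes the SAN check. Swap ca.crt for other_ca.crt in verify_with_root_only and the same certificate is rejected, which is the "not in the trust store" prompt described earlier in the thread.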
Thanks for your reply. Can you please elaborate on where I need to add the "services domain"?
Should it be in the CSR from the Expressway-E?