Cisco ExpressWay Public Certificate Trust Problem

shacharalon7
Level 1

Hi,

I have a Cisco Expressway 8.7. I did the integration successfully; everything works as expected except for the certificates.

I went over the guide "Cisco Expressway Certificate Creation and Use" and I signed the CSR of Expressway E using the GoDaddy CA.

No matter what convention of signing I used, I am still getting an untrusted certificate message while I am trying to connect to the Expressway through Jabber on Android.

Attached is the response I am getting from the server.

Is there a chance that Jabber doesn't trust Go Daddy Secure Certificate Authority - G2?

BR

Shachar

8 Replies

Jaime Valencia
Cisco Employee

This is the same as any other Jabber client: if the certificate IS NOT in the trust store of the device, you'll be prompted to accept it, or not.

The question would be, did you distribute that certificate to your device BEFORE trying to use MRA?

If the answer is no, then what you're seeing is the expected behavior.

If yes, then you might need to look into Android and why it's not using it.

HTH

java

if this helps, please rate

Jaime,

The Android device has in its Trusted Credentials folder many kinds of public root CAs.

One of them is The Go Daddy Group, Inc.

The Jabber client doesn't need to have the Expressway E certificate in order to trust it; Jabber needs to have the Expressway E root CA in its trusted certificate store, exactly like Jabber that works internally when it registers to IMP, CUCM and CUC: the hosted PC doesn't have all the certificates from all servers installed.

If they are coming from the same domain and all the UC servers have been signed by the local CA, the PC will trust the servers.

No, you are wrong in all of that.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/11_6/cjab_b_on-premises-deployment-ciscojabber-116/cjab_b_on-premises-deployment-ciscojabber-116_chapter_01100.html

Both for on-prem, and MRA, you NEED to deploy the certificates.

Cisco Jabber validates server certificates when authenticating to services. When attempting to establish secure connections, the services present Cisco Jabber with certificates. Cisco Jabber validates the presented certificate against what is in the client device's local certificate store. If the certificate is not in the certificate store, the certificate is deemed untrusted and Cisco Jabber prompts the user to accept or decline the certificate.

If the user accepts the certificate, Cisco Jabber connects to the service and saves the certificate in the certificate store or keychain of the device . If the user declines the certificate, Cisco Jabber does not connect to the service and the certificate is not saved to the certificate store or keychain of the device.

If the certificate is in the local certificate store of the device, Cisco Jabber trusts the certificate. Cisco Jabber connects to the service without prompting the user to accept or decline the certificate.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/11_6/cjab_b_planning-guide-cisco-jabber-116/cjab_b_planning-guide-cisco-jabber-116_chapter_0111.html

HTH

java

if this helps, please rate

No, you don't need to deploy the server certificate to the devices. In this case a public well known CA is being used and therefore the problem is with the endpoint or the certificate itself. It's not that deployment has not been completed.

From your reference links:

"If you use a well-known public CA, then the CA certificate may already exist on the client certificate store or keychain. If so, you need not deploy CA certificates to the clients."

shacharalon7 is correct in his statement that he should not have to deploy certificates for the Expressway edge functionality to work correctly.

shacharalon7, you'll want to check that the certificate is actually valid. I see that it is missing details....

EDIT: I went back and looked and you're missing the services domain in the SAN - add only 'netafin.com' as a SAN entry and you should be good to go.
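The check suggested above (does the Expressway-E certificate's SAN list actually cover the services domain, not just the server's own FQDN) can be done offline against the SAN line that `openssl x509 -noout -ext subjectAltName` prints. This is an added example, not code from the thread or from Cisco; the domain names below are constructed placeholders, and the assumption that MRA clients expect both the Expressway-E FQDN and the bare services domain in the SAN follows the advice in the post above. It also shows why a wildcard entry such as `*.example.com` does not cover the bare domain.

```python
"""Check whether an Expressway-E certificate's SAN entries cover the names an
MRA client will look for. Standard library only; SAN data is the text form
openssl prints for the subjectAltName extension."""
import re

# Constructed placeholders, not values from the thread.
COLLAB_DOMAIN = "example.com"            # services domain users log in with
EXPRESSWAY_E_FQDN = "expe1.example.com"  # public hostname of the Expressway-E

def required_mra_names(services_domain, expressway_fqdn):
    """Names assumed to be required in the SAN: the server's own FQDN and
    the services (collaboration) domain itself."""
    return {expressway_fqdn.lower(), services_domain.lower()}

def san_matches(pattern, hostname):
    """RFC 6125 style comparison: exact match, or a single '*' that stands
    for exactly one leftmost label ('*.example.com' != 'example.com')."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or pattern.count("*") > 1:
        return False                     # partial-label wildcards are rejected
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def missing_san_entries(san_dns_names, required):
    """Return the required names no SAN entry covers (empty set means OK)."""
    return {n for n in required if not any(san_matches(s, n) for s in san_dns_names)}

def parse_openssl_san_line(line):
    """Extract dNSName values from e.g. 'DNS:expe1.example.com, DNS:example.com'."""
    return [m.group(1) for m in re.finditer(r"DNS:([^,\s]+)", line)]

def check(san_line, services_domain=COLLAB_DOMAIN, fqdn=EXPRESSWAY_E_FQDN):
    """Missing required names for one certificate's SAN line."""
    return missing_san_entries(parse_openssl_san_line(san_line),
                               required_mra_names(services_domain, fqdn))

# Constructed sample SAN lines: before and after adding the services domain.
CERT_BEFORE = "DNS:expe1.example.com"
CERT_AFTER = "DNS:expe1.example.com, DNS:example.com"

if __name__ == "__main__":
    print("before:", check(CERT_BEFORE) or "all required names present")
    print("after: ", check(CERT_AFTER) or "all required names present")
```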

Hi Joshua,

Thanks for your reply. Can you please elaborate on where I need to add the "services domain"?

Should it be in the CSR from the Expressway E?

BR

Shachar

I have the same issue, guys. I am not sure what it means to use the services domain in the SAN.

Please help

Tom

weihan-lu
Level 5

Does it work for your Win or iOS client?

The same behavior from all platforms.