cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5292
Views
6
Helpful
8
Replies

Cisco ExpressWay Public Certificate Trust Problem

shacharalon7
Level 1
Level 1

Hi,

I have a Cisco Expressway 8.7, i did the integration successfully, everything works as expected except for the certificates.

I went over the Guide: "Cisco Expressway Certificate Creation and Use" and i signed the CSR of Expressway E using GoDaddy CA.

no meter what convension of signing i used, i am still getting an untrusted certificate message while i am trying to connect the expressway threw Jabber on android.

attached is the respons i am getting from the server.

Is there a chance that Jabber doesnt trust Go Daddy Secure Certificate Authority - G2 ?

BR

Shachar


					
				
			
			
				
			
			
				
			
			
			
			
			
			
		
8 Replies 8

Jaime Valencia
Cisco Employee
Cisco Employee

This is the same as any other Jabber client, if the certificate IS NOT in the trust store of the device, you'll be prompted to accept it, or not.

The question would be, did you distributed that certificate to your device, BEFORE trying to use MRA??

If the answer is no, then what you're seeing, is the expected behavior.

If yes, then you might need to look into Android and why it's not using it.

HTH

java

if this helps, please rate

Jaime, 

The Android device has in it's Trusted Cardentials folder many kinds of Public Roout CAs.

one of the is the The Go Daddy Group, Inc.

the Jabber client doesnt need to have the Express E certificate in order to trust it, the Jabber needs to have the Express E Root CA in its trusted certificates store, exactlly like Jabber that works internaly when it register to IMP, CUCM and CUC, the hosted PC doesnt have all the certificatess from all servers installed.

if they are coming from the same Domain and all the UC servers have been signed by the local CA the PC will trust the servers.

No, you are wrong in all of that.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/11_6/cjab_b_on-premises-deployment-ciscojabber-116/cjab_b_on-premises-deployment-ciscojabber-116_chapter_01100.html

Both for on-prem, and MRA, you NEED to deploy the certificates.

Cisco Jabber validates server certificates when authenticating to services. When attempting to establish secure connections, the services present Cisco Jabber with certificates. Cisco Jabber validates the presented certificate against what is in the client device's local certificate store. If the certificate is not in the certificate store, the certificate is deemed untrusted and Cisco Jabber prompts the user to accept or decline the certificate.

If the user accepts the certificate, Cisco Jabber connects to the service and saves the certificate in the certificate store or keychain of the device . If the user declines the certificate, Cisco Jabber does not connect to the service and the certificate is not saved to the certificate store or keychain of the device.

If the certificate is in the local certificate store of the device, Cisco Jabber trusts the certificate. Cisco Jabber connects to the service without prompting the user to accept or decline the certificate.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/11_6/cjab_b_planning-guide-cisco-jabber-116/cjab_b_planning-guide-cisco-jabber-116_chapter_0111.html

HTH

java

if this helps, please rate

No, you don't need to deploy the server certificate to the devices. In this case a public well known CA is being used and therefore the problem is with the endpoint or the certificate itself. It's not that deployment has not been completed.

From your reference links -

"If you use a well-known public CA, then the CA certificate may already exist on the client certificate store or keychain. If so, you need not deploy CA certificates to the clients."

shacharalon7 is correct in his statement that he should not have to deploy certificates for the Expressway edge functionality to work correctly.

shacharalon7  You'll want to check that the certificate is actually valid. I see that it is missing details....

EDIT: I went back and looked and you're missing the services domain in the SAN - add only 'netafin.com' as a SAN entry and you should be good to go.

Hi Joshua,

Thanks for your replay, can you please elaborate on where do i need to add the "services domain".

Should it be in the  CSR from the Expressway E ?

BR

Shachar

I have the same issue guys, i am not sure what it means to use services domain in the SAN..

Please help

Tom

weihan-lu
Level 5
Level 5

Does it work for your Win or iOS client?

the same behavior from all platforms.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: