Expressway MRA Certificates - Public CA Not Allowing UCM Registration Domains

jim.stengle
Level 1

We are trying to get public certs for a clustered MRA deployment (two Cores and two Edge servers). The public CA indicates they will not allow company.com as a SAN. This is the registration domain being used.

Any idea how we can get around this?

6 Replies

Chris Deren
Hall of Fame

Does your customer own the domain you are trying to sign the cert for? If so, what reason is the CA giving you?

The customer does own the domain.

I am trying to find out the reason given. They did indicate they could combine both Expressway-Es on the same cert and then add mclaneco.com. I am not a certificate guy, so I am not sure what they mean there.

I am thinking that since this is a cluster, I cannot have the two devices using the same cert.

Expressway C and E are not clustered together: the Cs are one cluster and the Es are another, and you only need a publicly signed cert for your Expressway E cluster. Here is a link to the Expressway cert guide in case you have not seen it:

https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X12-5.pdf

Sorry for the confusion. I am clustering only my Expressway-Es and then I have another cluster for the Expressway-Cs.

My problem is just with the certificates for the Exp-Es. 

Did you get a chance to review the doc?

For a clustered environment, here are the important snippets:

Server Certificates and Clustered Systems

When a CSR is generated, a single request and private key combination is generated for that peer only. If you have a cluster of Expressways, you must generate a separate signing request on each peer. Those requests must then be sent to the certificate authority and the returned server certificates uploaded to each relevant peer.

You must ensure that the correct server certificate is uploaded to the appropriate peer, otherwise the stored private key on each peer will not correspond to the uploaded certificate.


If the Expressway is clustered, with individual certificates per Expressway:

  • Subject Common Name = FQDN of cluster
  • Subject Alternate Name = FQDN of Expressway peer, FQDN of cluster*

Hello,

Adding one more point to @Chris Deren's reply:

If they are not adding only the domain in the SAN, then you can use the _collab-edge entry with the domain. That will also serve the same purpose for MRA.


Thanks

Please rate if it is helpful...

Thanks
Please rate if it is helpful and mark as accepted solution if applicable....
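The two technical points in this thread are the clustered-certificate rule quoted from the Cisco guide (one CSR and private key per Expressway-E peer, CN = cluster FQDN, SAN = peer FQDN plus cluster FQDN) and the last reply's suggestion of a collab-edge entry instead of the bare registration domain. The script below is an added example written for this page; it is not from the thread, from Cisco, or from the Expressway CSR generator. It uses plain OpenSSL to produce one CSR per peer with the required SAN list and then verifies that a CSR actually covers every name an MRA deployment needs before it is sent to the CA. The host names expe1/expe2/expe.company.com are constructed, and the reply's "_collab-edge with domain" is taken here to mean a SAN of the form collab-edge.<domain>; confirm that mapping against the certificate guide for your Expressway version.

```shell
#!/bin/sh
# Added example (not from the thread or the Cisco guide): per-peer CSRs for a
# clustered Expressway-E, following the rule quoted from the guide:
#   CN  = cluster FQDN
#   SAN = peer FQDN, cluster FQDN, plus the MRA names (registration domain,
#         or collab-edge.<domain> when the CA will not sign the bare domain)
# All host names below are constructed placeholders.
set -eu

# Write an OpenSSL request config and generate a key + CSR for ONE peer.
# $1 peer FQDN, $2 cluster FQDN, $3 output dir, remaining args: extra SAN names.
# A separate key is made per peer: the private key never leaves the peer it
# belongs to, which is why a single shared cert cannot be reused across peers.
make_peer_csr() {
  peer="$1"; cluster="$2"; outdir="$3"; shift 3
  mkdir -p "$outdir"
  cfg="$outdir/$peer.cnf"
  {
    printf '[req]\ndistinguished_name = dn\nreq_extensions = ext\nprompt = no\n'
    printf '[dn]\nCN = %s\nO = Example Org\n' "$cluster"
    printf '[ext]\nsubjectAltName = @alt\n[alt]\n'
    i=1
    for name in "$peer" "$cluster" "$@"; do
      printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i+1))
    done
  } > "$cfg"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$outdir/$peer.key" -out "$outdir/$peer.csr" -config "$cfg" 2>/dev/null
  echo "$outdir/$peer.csr"
}

# Print the DNS entries of a CSR's subjectAltName, one per line.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ {getline; print}' \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Return 0 if the CSR's SAN list contains every required name, 1 otherwise.
# $1 CSR file, remaining args: names the CA-signed cert must cover.
csr_covers() {
  csr="$1"; shift
  sans=$(csr_sans "$csr")
  for want in "$@"; do
    echo "$sans" | grep -qxF "$want" || { echo "missing SAN: $want" >&2; return 1; }
  done
  return 0
}

# Demonstration with constructed names: one CSR per Expressway-E peer, each
# carrying collab-edge.company.com in place of the bare registration domain.
demo_dir=$(mktemp -d)
for peer in expe1.company.com expe2.company.com; do
  csr=$(make_peer_csr "$peer" expe.company.com "$demo_dir" collab-edge.company.com)
  echo "$csr:"; csr_sans "$csr" | sed 's/^/  DNS:/'
  csr_covers "$csr" "$peer" expe.company.com collab-edge.company.com && echo "  SAN list complete"
done
```

Run it once per peer (each peer gets its own .key and .csr), submit the CSRs to the CA, and keep the returned certificate paired with the key of the peer it was generated on. The csr_covers check is worth running before submission: a CSR that omits the cluster FQDN or the MRA name is the usual cause of clients failing TLS validation after the cert is installed.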