Jabber Expressway certificates

Cisco.Rookie
Level 1

Hello friends

I am a newbie here. I am trying to understand how the certificate process works in Expressway. Do we need to go with a Public CA? Is it mandatory? My questions are, I understood we need to install the root certificates of the CA in both C and E. Then sign the CSR and install that as well.

I would appreciate it if someone can explain it to me in simple terms. The certificate deployment guides are a bit confusing for me.

Thanx

3 Replies

R0g22
Cisco Employee
For Jabber, the actual client does not present its certificates to Expressway-E. Jabber only presents the credentials. It's the other way around: Expressway-E presents its certificate to Jabber, which the underlying OS (iOS, macOS, Android, Windows) needs to trust.

Since the Ewy-E is the one interfacing with the public internet (either via NAT or without NAT) and is the one that would present its certificate to potential clients, it is recommended to have its certificate signed by a public CA which is globally trusted.

Remember to not stack the certificates (identity and root should be separate) and wildcard certificates are not supported.

Thanks Nipun. Also, signing the Exp-C with the internal CA and Exp-E with a Public CA is a recommended design, right? Or is it a best practice to sign both C and E with Public CAs?

Another question in mind: do all the CUCM/IMP/UnityCXn certs need to be installed on C & E and vice versa?

Thanx

Certificate SAN will need to have the collab-edge SRV domain(s) (service discovery domain) for Ewy-E.
On Ewy-C, if you have a mixed mode CM (phones having encrypted security profiles), the SAN will contain the phone security profile names.

In addition to the above, if there is IM&P federation in use, IM&P chat node aliases will need to be part of SAN as well. This is for TLS XMPP federation.
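
The points raised in the replies above (no stacked identity certificate, no wildcard entries, required names present in the SAN) can be checked before a certificate is uploaded. The following is an added example, not part of any poster's reply and not Cisco code; it assumes the SAN text was produced with `openssl x509 -noout -ext subjectAltName`, and the function names, host names and sample data are constructed for illustration.

```python
import re

# Matches one PEM-encoded certificate block.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def parse_san_text(text):
    """Return lower-cased DNS names from openssl's subjectAltName text output."""
    return [name.lower() for name in re.findall(r"DNS:([^,\s]+)", text)]


def check_identity_cert(pem_text, san_text, required_names):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # The identity certificate file should hold exactly one certificate;
    # root/intermediate CA certificates are kept separate (not stacked).
    blocks = len(PEM_CERT.findall(pem_text))
    if blocks == 0:
        findings.append("no PEM certificate found in identity file")
    elif blocks > 1:
        findings.append(f"identity file holds {blocks} certificates (stacked)")

    sans = parse_san_text(san_text)

    # Wildcard entries are reported as unsupported in the thread.
    for name in sans:
        if "*" in name:
            findings.append(f"wildcard SAN entry not supported: {name}")

    # Required names: e.g. the service discovery domain on Expressway-E,
    # phone security profile names or chat node aliases on Expressway-C.
    for name in required_names:
        if name.lower() not in sans:
            findings.append(f"required name missing from SAN: {name}")
    return findings


# Constructed sample data (not real certificates, not from the thread).
FAKE_CERT = ("-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n"
             "-----END CERTIFICATE-----\n")
GOOD_SAN = ("X509v3 Subject Alternative Name: \n"
            "    DNS:expe01.example.com, DNS:example.com\n")
BAD_SAN = "X509v3 Subject Alternative Name: \n    DNS:*.example.com\n"

if __name__ == "__main__":
    print(check_identity_cert(FAKE_CERT, GOOD_SAN, ["example.com"]))
    for finding in check_identity_cert(FAKE_CERT * 2, BAD_SAN, ["example.com"]):
        print("FAIL:", finding)
```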