Question: Certificates on Expressway C and E

tschafferx
Level 1

Hello world,

In the "Mobile and Remote Access via Cisco Expressway Deployment Guide" there is a line that says:

Install on both Expressways the trusted Certificate Authority (CA) certificates of the authority that signed the Expressway's server certificates.

That makes sense, since each respective Expressway has to validate the presented certificate.

My question is whether it would also work to just upload the respective server certificate of each Expressway to each other?

This is just a hypothetical question.

Thank you in advance.

Accepted Solution

Jaime Valencia
Cisco Employee

According to the help from that page, no, it would not, as you wouldn't have the full chain of trust:

The Trusted CA certificate page (Maintenance > Security > Trusted CA certificate) allows you to manage the list of certificates for the Certificate Authorities (CAs) trusted by this Expressway. When a TLS connection to Expressway mandates certificate verification, the certificate presented to the Expressway must be signed by a trusted CA in this list and there must be a full chain of trust (intermediate CAs) to the root CA.

HTH

java

if this helps, please rate

Okay, great. Thanks Jaime. Just wanted to verify it. That explains why the server certificate is sufficient if the server certificate was self-signed, since there is no chain of trust.

Have a great day.
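
The chain-of-trust rule discussed in this thread, reproduced with the OpenSSL command line as an added example (not part of the original posts and not Expressway's own code). All names, files and certificates are constructed, and OpenSSL's default verification is assumed here as a stand-in for the Expressway's check.

```shell
#!/usr/bin/env bash
# Constructed PKI: root CA -> intermediate CA -> server cert, plus a self-signed cert.
d=$(mktemp -d) && cd "$d" || exit 1
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF

# self_signed <name> <CN> [extension args]: key plus self-signed certificate
self_signed() {
  local name=$1 cn=$2; shift 2
  openssl req -x509 -config ext.cnf "$@" -newkey rsa:2048 -nodes -days 2 \
    -keyout "$name.key" -out "$name.pem" -subj "/CN=$cn" 2>/dev/null
}
# issued <name> <CN> <issuer> <ext-section>: key, CSR, then certificate signed by issuer
issued() {
  openssl req -new -config ext.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null &&
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -extfile ext.cnf -extensions "$4" -days 2 -out "$1.pem" 2>/dev/null
}
# trusted <trust-store.pem> <cert.pem>: true only if OpenSSL builds a full chain
# from the certificate to a self-signed root held in the trust store
trusted() { openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; }

self_signed root "Constructed Root CA" -extensions ca
issued inter "Constructed Intermediate CA" root ca
issued exp-e "expe.example.test" inter leaf      # hypothetical Expressway-E server cert
self_signed lab "lab.example.test"               # hypothetical self-signed server cert
cat inter.pem root.pem > ca-chain.pem

report() { if trusted "$1" "$2"; then echo "$3: accepted"; else echo "$3: rejected"; fi; }
report ca-chain.pem exp-e.pem "trust store = root + intermediate CA"
report exp-e.pem    exp-e.pem "trust store = peer server certificate only"
report inter.pem    exp-e.pem "trust store = intermediate CA only"
report lab.pem      lab.pem   "trust store = self-signed server certificate"
```

Only the first and last cases are accepted: a CA-signed server certificate placed in the trust store on its own gives the verifier nothing to chain to, while a self-signed certificate is its own root.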