Significance of adding parent domain as a SAN in UC Certificates

osmannayeem
Level 1

For all UC applications, Cisco always auto-populates the parent domain while generating CSRs. Can anyone please help me understand the exact benefit of having this parent domain? What are the use cases? What if we remove the parent domain and keep only the server SAN while generating CSRs?

7 Replies

For example, it is used for Jabber clients to not throw the warning for certificates at login/connection. Let me turn the question back to you: for what reason do you want to remove it?




osmannayeem
Level 1

Good point, thank you! I forgot about the certificate warning during Jabber login. So I was updating the tomcat cert of our CCX servers. The parent domain is always auto-populated by the CSR generation prompt; I never gave a thought to its specific purpose. But this time our security team wants to know the reason behind adding a parent domain before approving my cert signing request with an external CA.

 

Can you think of any particular usage of it in CCX?

Whatever is automatically added should stay. It’s as simple as that. The thing I would recommend removing, for IMP, is any domains other than yours that show up. This can be the case based on directory synchronisation with users that have a non-corporate email address.

Off the top of my head, I can’t come up with a use for this in combination with CCX.




Maybe it's still XMPP/BOSH for desktop chat and agent presence?

Hello Roger, I'm now being questioned, after 8 years of our Multi SAN certs, about why we need the parent domain. The concern, I'm told, is that since it's in the CSR and it's a SAN in the certificate, it is a security concern to the entire domain. What is the significance of the parent domain in the CSR and certificate? Are there services reliant on this? If it's not added, will things break in the environment, or what should our expectation be? Any guidance will help drive a discussion with our security team.

Not sure if I understand the security concerns with this. Can you please elaborate on this?




AFAIK, some deployments rely on SANs to implement TLS connections to other Cisco or third-party infrastructure.

 

Why do you want the certificates to be signed by a public CA? Those certs can be signed by your internal CA.

 

The Parent Domain field is not a mandatory field while generating a CSR. Shown below is the CSR output when choosing blank and with a parent domain.

When it comes to a public CA, the cost will be based on the SAN field entries.

 

[Screenshot 2021-08-13 at 6.11.04 PM.png] [Screenshot 2021-08-13 at 6.12.14 PM.png]

Based on the guide below, if you have an issue with the CSR and uploaded certificate, it's recommended to go with a blank parent CA.

https://www.cisco.com/c/en/us/support/docs/customer-collaboration/unified-contact-center-express/118855-configure-uccx-00.html

Screenshot 2021-08-13 at 6.16.45 PM.png
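For the security-review question raised in this thread, the following added example (not part of any post and not Cisco code) labels each SAN requested in a multi-SAN CSR and shows which hostnames the resulting certificate would be valid for, using simplified standard dNSName matching (RFC 6125: exact name, or a full-label wildcard). All hostnames, the SAN list and the function names are constructed for illustration; it does not show which UC services depend on the parent-domain entry.

```python
# Added example: SAN names and hostnames below are constructed, not from the thread.

def san_matches(san: str, host: str) -> bool:
    """Simplified RFC 6125 dNSName matching: exact match, or a full-label
    wildcard that stands for exactly one left-most label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return san == host


def classify_sans(sans, parent_domain):
    """Label each requested SAN for a reviewer checking a multi-SAN CSR."""
    parent = parent_domain.lower().rstrip(".")
    report = {}
    for san in sans:
        name = san.lower().rstrip(".")
        if name == parent:
            report[san] = "parent-domain"    # matches the apex hostname only
        elif name.startswith("*."):
            report[san] = "wildcard"         # matches one label of subdomains
        elif name.endswith("." + parent):
            report[san] = "host"
        else:
            report[san] = "foreign-domain"   # not under the expected domain
    return report


def covered_hosts(sans, hosts):
    """Return the hostnames a certificate carrying these SANs is valid for."""
    return [h for h in hosts if any(san_matches(s, h) for s in sans)]


# Constructed CSR contents: two CCX nodes, the auto-populated parent domain,
# and one stray domain of the kind the accepted answer suggests removing on IMP.
CSR_SANS = ["uccx-pub.example.com", "uccx-sub.example.com",
            "example.com", "partner-mail.test"]
PROBES = ["uccx-pub.example.com", "example.com",
          "www.example.com", "hr.example.com"]

if __name__ == "__main__":
    for san, kind in classify_sans(CSR_SANS, "example.com").items():
        print(f"{kind:15} {san}")
    print("valid for:", covered_hosts(CSR_SANS, PROBES))
```

In this model the parent-domain entry makes the certificate valid for the name `example.com` itself; other hosts under the domain are covered only by their own SAN or by a wildcard entry.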

 

 


