cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2197
Views
25
Helpful
7
Replies

Significance of adding parent domain as a SAN in UC Certificates

osmannayeem
Level 1
Level 1

For all UC application, Cisco always auto-populates parent domain while generating CSRs. Can anyone please help me to understand the exact benefit of having this parent domain? What are the use cases? What if we remove parent domain and keep only server SAN while generating CSRs?

1 Accepted Solution

Accepted Solutions

Whatever that is automatically added should stay. It’s as simple as that. The things I would recommend to remove is for IMP if there would be other domains than yours that shows up. This can be the case based on directory synchronisation with users that have a non corporate email address.

Not from the top of my head I can’t come up with a use for this in combination with CCX.



Response Signature


View solution in original post

7 Replies 7

For example it is used for Jabber clients to not through the warning for certificates at login/connection. Let me turn the question back to you, for what reason do you want to remove it?



Response Signature


osmannayeem
Level 1
Level 1

good point, thank you! I forgot about certificate warning during Jabber login. So I was updating tomcat cert of our ccx servers. Parent domain always auto-populated by CSR generation prompt, I never give it a thought about the specific purpose. But this time our security team want to know the reason behind adding a parent domain before approving my cert signing request with external CA.

 

Can you think of any particular usage of it in CCX?

Whatever that is automatically added should stay. It’s as simple as that. The things I would recommend to remove is for IMP if there would be other domains than yours that shows up. This can be the case based on directory synchronisation with users that have a non corporate email address.

Not from the top of my head I can’t come up with a use for this in combination with CCX.



Response Signature


Maybe it's still XMPP/BOSH for desktop chat and agent presence?

Hello Roger, I'm now being questioned after 8 years of our Multi SAN certs of why we need parent domain.  The concern is since it's in the CSR and it's a SAN in the certificate, and that is a security concern to the entire domain I'm told.  What is the significance to the parent domain in the CSR and certificate.  Are there services reliant on this?  If it's not added will things break in the environment or what should out expectation be?  Any guidance will help drive a discussion with our security team.

Not sure if I understand the security concerns with this. Can you please elaborate on this?



Response Signature


AFAIK Some deployments rely on SANs to implement TLS connections to other Cisco or third-party infrastructure

 

Why do you want the certificates to be signed by a public CA ? Those certs can be signed by your internal CA. 

 

Parent Domain Field is not a  mandatory filed while generating  CSR. Below mentioned will be the CSR output When choosing blank and with parent domain. 

When it comes to Public CA, the cost will be based on the SAN filed entries. 

 

Screenshot 2021-08-13 at 6.11.04 PM.pngScreenshot 2021-08-13 at 6.12.14 PM.png

Based on below Guide, IF you have an issue with CSR and uploaded Certificate, its recommended to go with Blank  parent CA.

https://www.cisco.com/c/en/us/support/docs/customer-collaboration/unified-contact-center-express/118855-configure-uccx-00.html

Screenshot 2021-08-13 at 6.16.45 PM.png

 

 



Response Signature


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: