
UC Certs with validity longer than 1 year

rchaseling

Hi all,

Just wondering if anyone has deployed certs for CUCM Tomcat, Callmanager, IMP XMPP & Unity Tomcat that are signed by an internal CA and have a validity of longer than the new 396 days standard.

Have a customer who uses Jabber and has all the above signed with a 4 year validity. They are about to expire and they want to renew them for another 4 years, but I believe all the latest browsers won't like that.

I'm thinking that browsing to the Admin or CUCM User portal might give users a browser warning, but would it actually affect Jabber logins or functioning? They don't use SSO but do use MRA...

Thanks

Accepted Solution

My lab certificates are valid for 15 years, I just installed new certs on a CUCM 14 a couple weeks ago with my internal CA and neither Chrome nor FF have any complaints, both running whatever is the latest version right now.

HTH

java

if this helps, please rate


5 Replies

Your iPhones, Android, laptops won't trust the internal certs until you upload the root CA to those devices, which we normally don't do. So you can expect the cert warning when connecting even if it's one year or three years. The one year certificate validity requirement was introduced by Apple, so all public CA certs are for just one year.

Hi,

Yes, the PKI trust chain for the internal CA is already pushed out to all devices and the existing certs have been fine for the last 4 years. I just know that all the major browsers now have this requirement as of September last year... but is it only for public CAs - I thought it would be for all CAs?

Thanks


Thanks. That's what I needed to hear!

Awesome Jaime - I wondered if the SSO browser pop would require the E cert to be compliant. In a full external IdP deployment, good to know we can use an internal CA.
