
Urgent "Express Way CA certificate update to all cisco customers" ! ? Am I concerned ?

dsi bas
Level 1

Hello CISCO ! 

 

We, as a Cisco customer (visio devices, and other things), received a notification from CISCO Webex (16/03/2021) informing us that "Customers using Expressway to dial into Webex meetings, or one of the connectors that leverages Expressway, must upload the new certificate to their Expressway devices before March 31, 2021."

Great, 
OK, and? What is "Expressway" do I have to connect to my Visio Devices (Cisco Spark Room Kit)...

But with regard to the info we can find on "Expressway", I suppose that I'm not the only customer asking myself

 

March 2021 Cisco Webex Root CA Certificate Update

Dear Cisco Webex Customer,
Cisco Webex is sending this message to key contacts at https://**********.webex.com.
Starting in March 2021, Cisco Webex will be moving to a new Certificate Authority, IdenTrust Commercial Root CA 1. Customers using Expressway to dial into Webex meetings, or one of the connectors that leverages Expressway, must upload the new certificate to their Expressway devices before March 31, 2021. 
In general, this change will be transparent and require no action from customers.

You must take action if:
•	You are using Endpoints to connect to the Cisco Webex Video Platform through a Video Communication Server (VCS)-Expressway or Expressway Edge. You must add the new certificate into the Trusted Root Store of the VCS or Expressway.
•	You are using a Connector or Hybrid Service on a VCS-Control or Expressway Core and have not opted into Cloud Certificate Management. You must add the new certificate into the Trusted Root Store of the VCS.
•	You are using Cisco Webex Edge Audio through a VCS-Expressway, or Expressway Edge. You must add the certificate into the trusted root store of the VCS or Expressway.
•	You have restricted access to URLs for checking Certificate revocation lists, you must allow Webex clients to reach the Certificate Revocation List hosted at: http://validation.identrust.com/crl/hydrantidcao1.crl
o	We have also added *.identrust.com into the list of URLs that must be allowed for certificate verification.
•	You are not using the default Certificate Trust Stores for your operating systems. You must add the certificate into your trusted root store. This certificate is contained within the default trust store of all major operating systems by default.

Instruction on how to upload the new certificate onto a VCS-Control, VCS-Expressway, Expressway Core and Expressway Edge:
1.	Download the IdenTrust Commercial Root CA 1 here and save it as identrust_RootCA1.pem
2.	On all your Expressway devices, navigate to Maintenance > Security > Trusted CA Certificate
3.	Browse > Upload the identrust_RootCA1.pem > Append CA Certificate
4.	Verify the certificate successfully uploaded and is present in the VCS Expressway Trust Store

Thank you for your continued business,
Cisco Webex Global Communications Team
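
A pre-upload sanity check for the file saved in step 1 of the notice, as an added example that is not part of the original post or of Cisco's notice. The function name, return codes and 30-day expiry margin are assumptions of this example; the file name and CA name are the ones the notice gives.

```shell
# Added example: check a downloaded root CA file before appending it to a
# trust store. Function name, messages and return codes are this example's own.
check_root_ca() {
    pem=$1 want_cn=$2 min_days=${3:-30}

    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }

    # A browser "Save as" on a download page can store HTML, or a chain
    # instead of the single root: require exactly one PEM certificate.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem" || true)
    [ "$count" -eq 1 ] || { echo "expected 1 certificate, found $count" >&2; return 3; }

    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253) || return 3
    issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253) || return 3
    # Strip the "subject=" / "issuer=" label (older OpenSSL adds a space).
    subject=${subject#subject=}; subject=${subject# }
    issuer=${issuer#issuer=}; issuer=${issuer# }

    # The CN must be one whole RDN of the subject, not a substring of another.
    case ",$subject," in
        *",CN=$want_cn,"*) ;;
        *) echo "subject is '$subject', wanted CN=$want_cn" >&2; return 4 ;;
    esac

    # A root is self-issued and its signature verifies under its own key.
    [ "$subject" = "$issuer" ] || { echo "not self-issued: issuer is '$issuer'" >&2; return 5; }
    openssl verify -check_ss_sig -CAfile "$pem" "$pem" >/dev/null 2>&1 ||
        { echo "self-signature or validity check failed" >&2; return 5; }

    # Refuse a root that expires within min_days days.
    openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "expires within $min_days days" >&2; return 6; }

    # Print the SHA-256 fingerprint to compare with the CA's published value.
    openssl x509 -in "$pem" -noout -fingerprint -sha256
}

# Usage: check_root_ca identrust_RootCA1.pem "IdenTrust Commercial Root CA 1"
```

The printed fingerprint should be compared with the value IdenTrust publishes, obtained over a separate channel from the download itself.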

 


8 Replies

Kathy N.
VIP

You can check if this applies to you by logging into your Expressway server and going to Applications>Hybrid Services>Connector Management.  The Expressway provides access into your network for phone services so you do need to update it if you meet any of the requirements in the notice.

 





I think that this also applies to B2B calls where the Expressway is used to connect the video systems to Webex.

You must take action if:
•	You are using Endpoints to connect to the Cisco Webex Video Platform through a Video Communication Server (VCS)-Expressway or Expressway Edge. You must add the new certificate into the Trusted Root Store of the VCS or Expressway.

If this is using the cloud management of certificates it would be seen under Application > Cloud Certificate management, there should be no need to manually upload any certificate.


What is "Expressway": Expressway is an edge/internet-facing device installed for Collaboration features (like MRA, B2B, etc.). It's a combination of E and C servers.

First question: do you have Expressway in your infrastructure?

If the answer is yes, and if you are using Expressway for any of the features mentioned in your message, you have to upload the new Root CA certificate mentioned in the message.

If you don't use Expressway for any of the features mentioned, you can ignore it.


With the exception for if you’re using the cloud management of certificates as mentioned in my previous reply, as that should maintain the list of certificates automagically.





I take your answer as the one for me, 
as I have "only" visio client devices(1) linked to Cisco cloud visio service attached to Webex and no "express way servers"... 

(1) Cisco Spark Room Kit (Cisco Webex Room Series - Cisco), Cisco Teams client on computers.

Cisco's communication should be clearer, explaining that it concerns only customers running Expressway servers and listing the kinds of server models, because looking on the Internet, Cisco Expressway could be any kind of software / function of any Cisco communication device.

Let's see on the 31/03 if our Visio System stops working... 


@dsi bas wrote:

I take your answer as the one for me, 
as I have "only" visio client devices(1) linked to Cisco cloud visio service attached to Webex and no "express way servers"... 

Let's see on the 31/03 if our Visio System stops working... 


BTW What is a Visio client, service or system?





It is pretty clear it is referring to the Expressway, be it a hardware or virtualized device, pure Expressway or VCS Expressway. The functionality is the same; the notice is that if TLS verification is being enforced (and for hybrid services it probably must be) then a new root must be added to the trust store by the end of the month.

 

If you are cloud registered and only use CVI or native Webex with no hybrid services then this does not apply.

dsi bas
Level 1

And thanks to all responders!