Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
655
Views
25
Helpful
5
Replies

Certificates for Expressway C and Expressway E

Derek McCormick
Level 1
Level 1

‎02-12-2015 03:50 AM - edited ‎03-17-2019 01:56 AM

Hi

 

I am in the middle of deploying Expressway C and Expressway E for a customer and have just hit the certificates minefield. My background is UC and have little to no security experience.

I have a Windows 2008 server acting as a DNS server at the minute. Is it possible to set this up as a CA server and generate the certs required  for expressway from there? This server does not have access to the internet. Do I need to register with a public CA or can the windows 2008 server meet all my certificate needs.

 

Another question would be, how do the smartphones with the jabber app get their certificates?

 

Thanks,
Derek

 

Labels:
0 Helpful
5 Replies 5

Gordon Ross
Level 9
Level 9

‎02-12-2015 05:14 AM

You really want to get your VCS certificates signed by a trusted/external CA, rather than self-sign them.

 

Jabber certainly doesn't like self-signed certificates.

 

GTG

Please rate all helpful posts.
0 Helpful

Jaime Valencia
Cisco Employee
Cisco Employee
In response to Gordon Ross

‎02-12-2015 07:14 AM

Well, you actually can, I have it in my lab and it´s all signed in my internal CA, but the overhead for a real life scenario would be much greater than just having a public CA sign them all.

But it does work

HTH

java

if this helps, please rate

Gordon Ross
Level 9
Level 9
In response to Jaime Valencia

‎02-12-2015 08:29 AM

I thought the IOS & Android apps refused to work if the certificates weren't signed by CAs in the devices global CA list?

 

GTG

Please rate all helpful posts.
0 Helpful

Ayodeji Okanlawon
VIP Alumni
VIP Alumni
In response to Gordon Ross

‎02-12-2015 02:40 PM

GTG,

They will work as long as the root cert of the CA is in their trust list.

Please rate all useful posts
0 Helpful

Ayodeji Okanlawon
VIP Alumni
VIP Alumni

‎02-12-2015 08:15 AM

Like Jamie(+5) has said you can use internal CA, the challenge is installing the root CA cert in your clients. Its almost un manageable to have to install root CA certs in every client that is installed. In my lab I have used an internal CA as Jamie also mentioned, so that can work but its not feasible in a production environment

Please rate all useful posts
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents