02-12-2015 03:50 AM - edited 03-17-2019 01:56 AM
Hi
I am in the middle of deploying Expressway C and Expressway E for a customer and have just hit the certificates minefield. My background is UC and I have little to no security experience.
I have a Windows 2008 server acting as a DNS server at the minute. Is it possible to set this up as a CA server and generate the certs required for Expressway from there? This server does not have access to the internet. Do I need to register with a public CA or can the Windows 2008 server meet all my certificate needs?
Another question would be, how do the smartphones with the Jabber app get their certificates?
Thanks,
Derek
02-12-2015 05:14 AM
You really want to get your VCS certificates signed by a trusted/external CA, rather than self-sign them.
Jabber certainly doesn't like self-signed certificates.
GTG
02-12-2015 07:14 AM
Well, you actually can. I have it in my lab and it's all signed by my internal CA, but the overhead for a real-life scenario would be much greater than just having a public CA sign them all.
But it does work.
02-12-2015 08:29 AM
I thought the iOS & Android apps refused to work if the certificates weren't signed by CAs in the device's global CA list?
GTG
02-12-2015 02:40 PM
GTG,
They will work as long as the root cert of the CA is in their trust list.
02-12-2015 08:15 AM
Like Jamie(+5) has said, you can use an internal CA; the challenge is installing the root CA cert in your clients. It's almost unmanageable to have to install root CA certs in every client that is installed. In my lab I have used an internal CA as Jamie also mentioned, so that can work, but it's not feasible in a production environment.
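
The point the replies converge on (a certificate signed by an internal CA is accepted only by clients that have that CA's root in their trust list), as an added example that is not part of any post above. It uses the OpenSSL command line as a stand-in for a Windows CA, and the names `lab-root-ca`, `other-root` and `expe.example.com` are made-up placeholders.

```shell
#!/usr/bin/env bash
# Constructed lab PKI: every name and file here is a placeholder for the demo.
demo_dir=$(mktemp -d)

# Create a self-signed root certificate (a stand-in for an internal CA's root).
make_root() {  # $1 = file prefix, $2 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.pem" 2>/dev/null
}

make_lab_pki() {
  make_root root  "lab-root-ca"   # the internal CA that signs the server cert
  make_root other "other-root"    # an unrelated root, standing in for a client
                                  # trust list that lacks the internal root
  # Server key and CSR (assumed hostname, not taken from the thread).
  openssl req -newkey rsa:2048 -nodes -subj "/CN=expe.example.com" \
    -keyout "$demo_dir/server.key" -out "$demo_dir/server.csr" 2>/dev/null
  # The internal CA signs the CSR.
  openssl x509 -req -in "$demo_dir/server.csr" -days 30 \
    -CA "$demo_dir/root.pem" -CAkey "$demo_dir/root.key" -CAcreateserial \
    -out "$demo_dir/server.pem" 2>/dev/null
}

# Succeeds only if server.pem chains to a root in the given trust file
# (or in the system default store, which does not contain the lab root).
verify_with_trust() {
  openssl verify -CAfile "$1" "$demo_dir/server.pem" >/dev/null 2>&1
}

# Fingerprint to compare against the root actually installed on a client.
root_fingerprint() {
  openssl x509 -in "$demo_dir/root.pem" -noout -fingerprint -sha256
}

make_lab_pki
verify_with_trust "$demo_dir/root.pem"  && echo "root in trust list: accepted"
verify_with_trust "$demo_dir/other.pem" || echo "root not in trust list: rejected"
root_fingerprint
```

The same server certificate passes or fails depending only on which root the verifier trusts, which is why the internal-CA route requires distributing `root.pem` to every client device.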