Cisco MRA and Expressway CA sign certificate

networks7
Level 1

Hello,

 

We have Cisco CUCM, we have deployed Jabber at our premises and it is working fine. The problem is that the certificate deployed on Expressway E has now expired, and I have another requirement too, MRA: I want to deploy one Cisco 8845 IP phone at a remote location and register it on my CUCM.

The requirement for that is an Expressway E certificate and a CA root certificate, correct me if I am wrong. That needs to be signed by an internet authority (publicly signed). I want both services to run, Jabber as well as MRA. Can you guys please tell me which type I need to get signed by the CA? For example:

single signed certificate

extended certificate 

wildcard certificate 

etc.

4 Replies

Slavik Bialik
Level 7

Hi,

So just to cover this: yes, you HAVE to sign the Expressway-E with a trusted public certificate authority, otherwise the phone will never register via MRA.

Another thing you must know is that the phones have built-in public root CA certificates, so if you sign your certificate with a certificate authority that isn't included in the root certificate list the phone contains, the phone also will not register via MRA.

So... I'm attaching the CA Trust List document that includes all the CAs. Just verify with this list that your CA is included there; if so, it's safe to sign the certificate.

 

By the way, regarding the type of the certificate. Expressway-E does not support wildcard certificates, it should be a single certificate for a specific common name (of the EXPR-E), BUT this certificate MUST include SAN support (Subject Alternate Name), because when you create the CSR you'll see it adds the main domain of the server to the SAN (I still don't understand why they're doing it, but it is not possible to remove it), which means the certificate is more expensive compared to a certificate without SAN.

 

Hope it helped ;)
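The certificate properties named in the reply above (not expired, one specific common name with no wildcard, a SAN list that includes the main domain, an issuer on the phone's trust list) can be checked before the certificate is installed. This is an added example, not part of the original thread or any Cisco tooling; the host names, the issuer names and the `PHONE_TRUSTED_ISSUERS` set are constructed placeholders, and the input is a dict in the shape Python's `ssl` `getpeercert()` returns.

```python
import ssl
from datetime import datetime, timezone

# Placeholder: fill in from the phone's CA trust list document (constructed value).
PHONE_TRUSTED_ISSUERS = {"Example Public Root CA"}

def _field(name, key):
    """First value of `key` in a getpeercert()-style subject/issuer tuple."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def check_expressway_cert(cert, expe_fqdn, main_domain, now=None):
    """Return a list of problems; an empty list means the checks passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    cn = _field(cert.get("subject", ()), "commonName")
    issuer = _field(cert.get("issuer", ()), "commonName")
    sans = [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]

    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if expires <= now:
        problems.append(f"expired on {expires:%Y-%m-%d}")
    if cn is None or cn.lower() != expe_fqdn.lower():
        problems.append(f"common name {cn!r} is not {expe_fqdn}")
    if any("*" in name for name in [cn or ""] + sans):
        problems.append("wildcard name present")
    if not sans:
        problems.append("no SAN extension")
    else:
        for needed in (expe_fqdn, main_domain):
            if needed.lower() not in sans:
                problems.append(f"SAN list is missing {needed}")
    if issuer not in PHONE_TRUSTED_ISSUERS:
        problems.append(f"issuer {issuer!r} not in phone trust list")
    return problems

# Constructed sample certificates (not taken from any real deployment).
SAMPLE_GOOD = {
    "subject": ((("commonName", "expe.example.com"),),),
    "issuer": ((("commonName", "Example Public Root CA"),),),
    "subjectAltName": (("DNS", "expe.example.com"), ("DNS", "example.com")),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}
SAMPLE_BAD = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": ((("commonName", "Internal Lab CA"),),),
    "notAfter": "Jan  1 00:00:00 2020 GMT",
}
```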

Hi Slavik
Thanks for your reply. We are doing this because the other location, where we will deploy the Cisco 8845 IP phone, only has internet access, and we were strictly told that VPN configuration for this is not allowed. Due to that, we came up with the MRA solution.
Moreover, I wanted to know whether the phone already contains the CA/root certificate, and if yes, then I do not need to generate a CA certificate for the phone. I need some assistance from your end as this is my first implementation with Cisco CUCM.

Thanks in advance.

I'm not sure that I understand what help you need. If your MRA is working fine as you stated, then after you sign your certificate with a public certificate authority, it'll work right away.
But you just need to know how to configure it... It is exactly like configuring a softphone: you must assign this new device in the controlled devices field on the end users page of the specific user. After the phone is up, and as it doesn't have any OPTIONS 150 (and it shouldn't have), it'll prompt you to enter a service domain, username and password. There you'll just need to put the domain of your edge and the organizational credentials of the user, exactly like you're logging in to Cisco Jabber.

Thanks, it works for me.