Issue with MRA Cisco IP Phones 7800/8800

Hello all,

I have deployed Expressway C-E (8.9) with CUCM 11.5, and I'm trying to register one 8841 from the Internet using the MRA feature. When I try to do the login process on the IP phone, this appears:

"Error: Server certificate validation failed. Contact your administrator" and in the Status messages "Invalid server certificate: expe.domain.com"

Trying to find info about this problem I found

"For Mobile and Remote Access through Expressway, the Expressway server must be signed against one of these Certificate Authorities"

in this doc:

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/dx/series/ca/CA-Trust-List.docx

I suppose the error appears because our Internal CA is not trusted.

Is there any way to register an 8800/7800 phone through the MRA feature without certs signed by these Authorities? Usually we manage internal CAs.

Thanks so much!

Accepted Solutions
Hall of Fame Cisco Employee

No, if you want to use IP phones over MRA, it's MANDATORY to use a public CA from the ones listed.

HTH

java

if this helps, please rate

Chris, Jaime...Thanks so much for clarifying my doubt!!

Beginner

So I have public CA certs from DigiCert for my Exp-E, which looks to be on the approved CA list, but I'm still getting the "Server certificate validation failed". I have MRA working fine with all my Jabber clients. Trying to get an 8845 to register via MRA. Any ideas?

Hall of Fame Cisco Employee

Have you compared the fingerprint of your cert against the one listed here?

http://www.cisco.com/c/en/us/support/collaboration-endpoints/unified-ip-phone-8800-series/products-technical-reference-list.html

HTH

java

if this helps, please rate

We have the same issue, and the certificate sha1 signature matches, however the phones do not have the sha 256 signature in their trusted list.  Anyone have thoughts on how to resolve this issue?

Beginner

Update on my issue: fixed

TAC was able to pinpoint that it was a device that sits between the VCS-E and the Internet, interjecting our wildcard certificate instead of the correct VCS-E.  In a browser he connected to the external VCS-E A record ex. "https://expresswaye.yourdomain.com:8443" and saw the incorrect Cert being presented, as well as Packet Captures confirming this.

Once we removed it, it worked fine. Not sure why Jabber worked and not the 8845 phone, not for me to figure out!
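
The check described in the post above (comparing the certificate presented at the public address on port 8443 with the one installed on the Expressway-E), as an added example that is not part of the original thread. Function names are illustrative, the hostname is the placeholder from the post, and the demo input is constructed stand-in bytes rather than real certificates.

```python
import hashlib
import socket
import ssl


def fingerprints(der: bytes) -> dict:
    """SHA-1 and SHA-256 fingerprints of a DER certificate, colon-separated hex."""
    return {
        alg: ":".join(f"{b:02X}" for b in hashlib.new(alg, der).digest())
        for alg in ("sha1", "sha256")
    }


def fetch_presented_der(host: str, port: int = 8443, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate the network path actually presents."""
    ctx = ssl.create_default_context()
    # Verification is off only so that an unexpected certificate can still be
    # retrieved and inspected; no application data is sent on this connection.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare(installed_pem: str, presented_der: bytes) -> dict:
    """Compare the certificate installed on Expressway-E with the presented one."""
    installed = fingerprints(ssl.PEM_cert_to_DER_cert(installed_pem))
    presented = fingerprints(presented_der)
    return {
        "match": installed["sha256"] == presented["sha256"],
        "installed": installed,
        "presented": presented,
    }


if __name__ == "__main__":
    # Constructed stand-in bytes, not real certificates, so the demo runs offline.
    # Live use: presented = fetch_presented_der("expresswaye.yourdomain.com")
    installed_pem = ssl.DER_cert_to_PEM_cert(b"constructed Expressway-E certificate")
    presented = b"constructed wildcard certificate from middlebox"
    result = compare(installed_pem, presented)
    print("match:", result["match"])
    print("installed sha256:", result["installed"]["sha256"])
    print("presented sha256:", result["presented"]["sha256"])
```

Run it from outside the network edge: a mismatch means something between the Internet and the Expressway-E is terminating TLS with a different certificate.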

Contributor

Re: No, if you want to use IP

Hey Jamie et al.

Is it still the case that IP Phones won't register over MRA if the systems are using self-signed certs?

Cisco Employee

Re: No, if you want to use IP

IP Phones have the fingerprint/root certs embedded in the firmware already. These cannot be uploaded to the phone manually. You need to ensure that the Expressway-E identity certificate is signed by one of these public CAs only.

Nipun Singh Raghav
"We cannot solve our problems with the same thinking we used when we created them"
Enthusiast

Has the list of Trusted CAs for 7800/8899 phones been updated in the meantime?

From the Mobile and Remote Access Through Cisco Expressway Deployment Guide X12.5

"You cannot modify the root CA trust list on IP Phone 7800/8800 devices. Make sure that the Expressway-E's server certificate is signed by one of the CAs that the devices trust, and that the CA is trusted by the Expressway-C and the Expressway-E."

Does anyone know if this list of Trusted CAs (dated 2015, Firmware 11.0) has been updated and where it can be found? With the Availability of X12.5 and ACME/Let's Encrypt for MRA this is desperately needed.

Thanks

/David

Beginner

Re: Has the list of Trusted CAs for 7800/8899 phones been updated in the meantime?

Hi @d.haeni,

Were you able to answer this question, or did you even try it?
Because I have the same question now and cannot find any helpful or updated info.

thanks,

markus

Enthusiast

Re: Has the list of Trusted CAs for 7800/8800 phones been updated in the meantime?

Sorry @MSchwarzmann, neither was I able to get an answer to my question nor did I test MRA with LetsEncrypt with these phones.
I'm still interested if you have new findings, though.

Thx

/David

Beginner

Re: No, if you want to use IP

Do I need a certificate from a public CA on both servers, Expressway-E and Expressway-C, or only on Expressway-E?

Thanks

Michael

Rising star

Re: No, if you want to use IP

Only Expressway-E.

Hall of Fame Master

Jamie is correct, the cert on the Expressway-E needs to be publicly signed; your Expressway-C and CUCM, IMP, CUC can run internally signed certs.
