02-27-2017 09:44 AM - edited 03-17-2019 09:39 AM
Hello all,
I have deployed Expressway C-E (8.9) with CUCM 11.5, and I'm trying to register one 8841 from the Internet using the MRA feature. When I try to do the login process on the IP phone, this appears:
"Error: Server certificate validation failed. Contact your administrator" and in the Status messages "Invalid server certificate: expe.domain.com"
Trying to find info about this problem I found
"For Mobile and Remote Access through Expressway, the Expressway server must be signed against one of these Certificate Authorities"
in this doc:
http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/dx/series/ca/CA-Trust-List.docx
I suppose the error appears because our internal CA is not trusted.
Is there any way to register an 8800/7800 phone through the MRA feature without certs signed by these Authorities? Usually we manage internal CAs.
Thanks so much!
02-27-2017 10:00 AM
No, if you want to use IP phones over MRA, it's MANDATORY to use a public CA from the ones listed.
02-28-2017 12:04 AM
Chris, Jaime... Thanks so much for clarifying my doubt!!
03-24-2017 01:39 PM
So I have public CA certs from DigiCert for my Exp-E, which looks to be on the approved CA list, but I'm still getting the "Server certificate validation failed". I have MRA working fine with all my Jabber clients. Trying to get an 8845 to register via MRA. Any ideas?
03-24-2017 02:48 PM
Have you compared the fingerprint of your cert against the one listed here?
http://www.cisco.com/c/en/us/support/collaboration-endpoints/unified-ip-phone-8800-series/products-technical-reference-list.html
07-20-2017 08:51 AM
We have the same issue, and the certificate SHA-1 signature matches; however, the phones do not have the SHA-256 signature in their trusted list. Anyone have thoughts on how to resolve this issue?
07-20-2017 12:44 PM
Update on my issue: fixed
TAC was able to pinpoint that it was a device that sits between the VCS-E and the Internet, interjecting our wildcard certificate instead of the correct VCS-E. In a browser he connected to the external VCS-E A record ex. "https://expresswaye.yourdomain.com:8443" and saw the incorrect Cert being presented, as well as Packet Captures confirming this.
Once we removed it, it worked fine. Not sure why Jabber worked and not the 8845 phone, not for me to figure out!
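The check described in the post above (look at which certificate is really presented on port 8443 and compare its fingerprint with the one installed on the Expressway-E), as an added Python example that is not part of the original thread. The function names are illustrative and the two byte strings are constructed stand-ins for DER certificates.

```python
import hashlib
import hmac
import socket
import ssl

def normalize_fp(fp):
    """Make 'AB:CD:..' and 'abcd..' comparable: drop separators, lowercase."""
    return "".join(ch for ch in fp if ch.isalnum()).lower()

def fingerprints(der):
    """SHA-1 and SHA-256 fingerprints of a DER-encoded certificate."""
    return {"sha1": hashlib.sha1(der).hexdigest(),
            "sha256": hashlib.sha256(der).hexdigest()}

def fetch_presented_cert(host, port=8443, timeout=5.0):
    """Return the DER certificate that the network path actually presents."""
    ctx = ssl.create_default_context()
    # Inspection only: validation is off so that an unexpected certificate
    # can still be retrieved and fingerprinted. No data is sent over it.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def check_presented(der, expected_fp):
    """Compare the presented cert with the fingerprint installed on Expressway-E."""
    want = normalize_fp(expected_fp)
    algo = {40: "sha1", 64: "sha256"}.get(len(want))
    if algo is None:
        raise ValueError("expected a SHA-1 or SHA-256 hex fingerprint")
    got = fingerprints(der)[algo]
    return {"algo": algo, "presented": got,
            "match": hmac.compare_digest(got, want)}

# Constructed stand-ins for DER bytes (not real certificates).
INSTALLED_DER = b"constructed: Expressway-E server certificate"
WILDCARD_DER = b"constructed: wildcard certificate from an inline device"

if __name__ == "__main__":
    expected = fingerprints(INSTALLED_DER)["sha256"]
    # Live use: der = fetch_presented_cert("expresswaye.yourdomain.com")
    for label, der in (("direct", INSTALLED_DER),
                       ("via inline device", WILDCARD_DER)):
        print(label, check_presented(der, expected))
```

A mismatch when the check is run from outside the network, with a match when it is run from inside, points at a device in the path substituting its own certificate.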
09-07-2018 10:50 AM
Hey Jamie et al.
Is it still the case that IP Phones won't register over MRA if the systems are using self-signed certs?
09-07-2018 10:57 AM
02-21-2019 12:55 PM
From the Mobile and Remote Access Through Cisco Expressway Deployment Guide X12.5
"You cannot modify the root CA trust list on IP Phone 7800/8800 devices. Make sure that the Expressway-E's server certificate is signed by one of the CAs that the devices trust, and that the CA is trusted by the Expressway-C and the Expressway-E."
Does anyone know if this list of Trusted CAs (dated 2015, Firmware 11.0) has been updated and where it can be found? With the Availability of X12.5 and ACME/Let's Encrypt for MRA this is desperately needed.
Thanks
/David
07-31-2019 11:32 PM
Hi @d.haeni,
Were you able to answer this question, or did you even try it?
Because I have the same question now and cannot find any helpful or updated info.
thanks,
markus
08-05-2019 01:17 AM
Sorry @MSchwarzmann, neither was I able to get an answer to my question nor did I test MRA with LetsEncrypt with these phones.
I'm still interested if you have new findings, though.
Thx
/David
09-24-2019 08:17 AM
Same here, the document is 4 years old. Is there an updated list?
12-12-2018 12:57 AM
Do I need a certificate from a public CA on both servers, Expressway-E and Expressway-C, or only on Expressway-E?
Thanks
Michael
12-12-2018 05:03 AM
Only Expressway-E.