Issue with MRA Cisco IP Phones 7800/8800

Hello all,

I have deployed Expressway C-E (8.9) with CUCM 11.5, and I'm trying to register one 8841 from the Internet using the MRA feature. When I try to do the login process on the IP phone, this appears:

"Error: Server certificate validation failed. Contact your administrator" and in the Status messages "Invalid server certificate: expe.domain.com"

Trying to find info about this problem I found

"For Mobile and Remote Access through Expressway, the Expressway server must be signed against one of these Certificate Authorities"

in this doc:

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/dx/series/ca/CA-Trust-List.docx

I suppose the error appears because our internal CA is not trusted.

Is there any way to register an 8800/7800 phone through the MRA feature without certs signed by these authorities? Usually we manage internal CAs.

Thanks so much!

1 ACCEPTED SOLUTION

Hall of Fame Cisco Employee

No, if you want to use IP phones over MRA, it's MANDATORY to use a public CA from the ones listed.

HTH

java

if this helps, please rate

Highlighted

Chris, Jaime... Thanks so much for clarifying my doubt!!

Highlighted

So I have public CA certs from DigiCert for my Exp-E, which looks to be on the approved CA list, but I'm still getting the "Server certificate validation failed". I have MRA working fine with all my Jabber clients. Trying to get an 8845 to register via MRA. Any ideas?

Highlighted
Hall of Fame Cisco Employee

Have you compared the fingerprint of your cert against the one listed here?

http://www.cisco.com/c/en/us/support/collaboration-endpoints/unified-ip-phone-8800-series/products-technical-reference-list.html

HTH

java

if this helps, please rate
Highlighted

We have the same issue, and the certificate SHA-1 signature matches; however, the phones do not have the SHA-256 signature in their trusted list. Anyone have thoughts on how to resolve this issue?

Highlighted

Update on my issue: fixed

TAC was able to pinpoint that it was a device that sits between the VCS-E and the Internet, interjecting our wildcard certificate instead of the correct VCS-E. In a browser he connected to the external VCS-E A record, e.g. "https://expresswaye.yourdomain.com:8443", and saw the incorrect cert being presented, as well as packet captures confirming this.

Once we removed it, it worked fine. Not sure why Jabber worked and not the 8845 phone, not for me to figure out!
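The two checks discussed in the replies above (comparing a certificate's SHA-1 and SHA-256 fingerprints with a published list, and confirming which certificate is actually served on the external Expressway-E address), as an added Python example that is not part of the original thread or of Cisco's tooling. The function names, the layout of the `published` dictionary and the default port 8443 (taken from the URL quoted above) are assumptions of this example.

```python
import hashlib
import re
import socket
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def normalize(fp):
    """Reduce 'AB:CD:..', 'ab cd ..' or 'ABCD..' to bare lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())

def fingerprints(der):
    """SHA-1 and SHA-256 fingerprints of one DER-encoded certificate."""
    return {"sha1": hashlib.sha1(der).hexdigest(),
            "sha256": hashlib.sha256(der).hexdigest()}

def split_pem_bundle(pem_text):
    """DER bytes of every certificate in a PEM bundle, in file order."""
    return [ssl.PEM_cert_to_DER_cert(b) for b in PEM_BLOCK.findall(pem_text)]

def presented_leaf_der(host, port=8443, timeout=5.0):
    """Certificate actually served at host:port. Verification is off on
    purpose: the goal is to inspect a wrong certificate, not to trust it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def check_against_list(der, published):
    """Compare a CA certificate with published fingerprints per algorithm.
    published looks like {"sha1": [...], "sha256": [...]} (assumed layout)."""
    result = {}
    for alg, value in fingerprints(der).items():
        listed = {normalize(p) for p in published.get(alg, [])}
        if not listed:
            result[alg] = "not published"
        else:
            result[alg] = "match" if value in listed else "no match"
    return result

def same_certificate(installed_pem, presented_der):
    """True if the leaf seen on the wire is the first cert in installed_pem."""
    installed = split_pem_bundle(installed_pem)[0]
    return fingerprints(installed)["sha256"] == fingerprints(presented_der)["sha256"]
```

Run `presented_leaf_der()` from a network outside the firewall so the connection crosses the same devices the phone's connection does, then pass the result to `same_certificate()` together with the PEM installed on the Expressway-E.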

Highlighted

Hey Jamie et al.

Is it still the case that IP Phones won't register over MRA if the systems are using self-signed certs?

Highlighted

IP Phones have the fingerprint/root certs embedded in the firmware already. These cannot be uploaded to the phone manually. You need to ensure that the Expressway-E identity certificate is signed by one of these public CAs only.

Nipun Singh Raghav
"We cannot solve our problems with the same thinking we used when we created them"
Highlighted

From the Mobile and Remote Access Through Cisco Expressway Deployment Guide X12.5:

"You cannot modify the root CA trust list on IP Phone 7800/8800 devices. Make sure that the Expressway-E's server certificate is signed by one of the CAs that the devices trust, and that the CA is trusted by the Expressway-C and the Expressway-E."

Does anyone know if this list of Trusted CAs (dated 2015, Firmware 11.0) has been updated and where it can be found? With the availability of X12.5 and ACME/Let's Encrypt for MRA this is desperately needed.

Thanks

/David

Highlighted

Hi @d.haeni,

Were you able to answer this question, or did you even try it?
Because I have the same question now and cannot find any helpful or updated info.

Thanks,

markus

Highlighted

Sorry @MSchwarzmann, neither was I able to get an answer to my question nor did I test MRA with LetsEncrypt with these phones.
I'm still interested if you have new findings, though.

Thx

/David

Highlighted

Same here, the document is 4 years old. Is there an updated list?

Highlighted

Do I need a certificate from a public CA on both servers, Expressway-E and Expressway-C, or only on Expressway-E?

Thanks

Michael

Highlighted

Only Expressway-E.