Register Cisco 7821 Phone to CUCM through MRA (Expressway)

Remon Adel · ‎08-29-2018

Dears
We plane to register Cisco Phone 7821 through MRA (Expressway Solution) ,

As Cisco doc , we have to signed expressway edge with one of public certs which trusted by this phone.

Our Workaround was to create CA roots certs using Open ssl with same attributes of one of Public certs that phone trusted , then generate CSR request of expressway core and edge to be signed by this new certs.
But Phone 7821 failed to register with same error message "Invalid Certificate " but jabber works fine.

Now we plan to sign expressway edge and core with one of Public Certificate seller so what is info ,we have to provide Public Certificate Issuer with it to get correct certificate .

I think we have to provide them
1- CSR requests from EXP Edge and Core
2- need to sigh this certs by SERVER-Client Template
3- provide them Public Certificate doc which 7842 phone trusted and use one of them

These info enough or not ??

Also now expressway solution in production for Jabber remote use , we need to know that if we generate CSR request from expressway edge and core , will this has effect on UC traversal zone between EXP edge and core ??

Thanks

Jaime Valencia · ‎08-29-2018

Have you read the MRA and certificate creation guide for that info?

You only really need to have EXP-E with a public CA, it need client and server authentication.

Your "workaround" was most likely illegal, as you were trying to impersonate a public CA. I suggest you watch my video on understanding certificates as it seems you're familiar with them, and why your workaround was never meant to work

https://youtu.be/_5x8pvhrJOI

Whether you need to adjust your config or not, will depend on the certificates CN/SAN and if they change.

HTH

java

if this helps, please rate

Remon Adel · ‎08-29-2018

Hello Jaime , First Many thanks for your support and this great video , Below points about what i got from this video and some points need more clarify 1- First we have to sign EXP-C and EXP-E with private certificate and uploaded Private Root CA to their trust (Which has been done already and solution works fine except for Cisco 7821 ). 2- Then we have to get EXP-E signed with Public CA , so we will regenerate CSR and ask public CA to sign certificate . (( from your video , you said that during this step New Private key will be generated and server will use it so we have to upload new certificate )) my question here is Before uploading new signed certificate , MRA solution will still working or not ?? 3-Then Upload Public Root CA to EXP-C and EXP-E , also upload new signed certificate to EXP-E Last question , which Public CA do you recommend for this situation and how can we verify that its CA trusted by Cisco Phone 7821?? Thanks

Jaime Valencia · ‎08-29-2018

I cover if generating a CSR breaks anything in the video and up until what point services are affected.

As to the CA for MRA phones

http://docwiki.cisco.com/wiki/TelePresence_FAQ#Are_there_certificate_requirements_if_I_use_IP_Phones_over_MRA.3F.3F

HTH

java

if this helps, please rate

Remon Adel · ‎08-29-2018

Hello Jaime I can't get what you mean with this "I cover if generating a CSR breaks anything in the video and up until what point services are affected"

j.huizinga · ‎08-30-2018

In general, you can sign the expressway-C with your own CA, but the Expressway-E has to be signed by an official CA (godaddy etc)

Normally what I do is to sign Expressway-C and E with customers, or my own CA and do all the testing. When all works fine, I make an CSR for the expressway-E and let it official sign.

From that moment on, also Cisco IP phones can register over MRA.

You need an UCC/SAN SSL certificate