08-29-2018 05:28 AM - edited 03-18-2019 12:30 PM
Dears
We plane to register Cisco Phone 7821 through MRA (Expressway Solution) ,
As Cisco doc , we have to signed expressway edge with one of public certs which trusted by this phone.
Our Workaround was to create CA roots certs using Open ssl with same attributes of one of Public certs that phone trusted , then generate CSR request of expressway core and edge to be signed by this new certs.
But Phone 7821 failed to register with same error message "Invalid Certificate " but jabber works fine.
Now we plan to sign expressway edge and core with one of Public Certificate seller so what is info ,we have to provide Public Certificate Issuer with it to get correct certificate .
I think we have to provide them
1- CSR requests from EXP Edge and Core
2- need to sigh this certs by SERVER-Client Template
3- provide them Public Certificate doc which 7842 phone trusted and use one of them
These info enough or not ??
Also now expressway solution in production for Jabber remote use , we need to know that if we generate CSR request from expressway edge and core , will this has effect on UC traversal zone between EXP edge and core ??
Thanks
08-29-2018 07:34 AM
Have you read the MRA and certificate creation guide for that info?
You only really need to have EXP-E with a public CA, it need client and server authentication.
Your "workaround" was most likely illegal, as you were trying to impersonate a public CA. I suggest you watch my video on understanding certificates as it seems you're familiar with them, and why your workaround was never meant to work
Whether you need to adjust your config or not, will depend on the certificates CN/SAN and if they change.
08-29-2018 02:13 PM
08-29-2018 02:20 PM
I cover if generating a CSR breaks anything in the video and up until what point services are affected.
As to the CA for MRA phones
08-29-2018 02:41 PM - edited 08-29-2018 02:43 PM
08-30-2018 12:14 AM
In general, you can sign the expressway-C with your own CA, but the Expressway-E has to be signed by an official CA (godaddy etc)
Normally what I do is to sign Expressway-C and E with customers, or my own CA and do all the testing. When all works fine, I make an CSR for the expressway-E and let it official sign.
From that moment on, also Cisco IP phones can register over MRA.
You need an UCC/SAN SSL certificate
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide