05-14-2015 02:49 AM - edited 03-13-2019 08:58 PM
Hello,
We use the Cisco Expressway solution for RMA. Cisco Expressway X8.5.1
For example:
FQDN of Cisco Expressway E - expressway-e.domain.com
FQDN of Cisco Expressway C - expressway-c.domain.com
I have implemented a certificate with cn=*.domain.com and the server accepted it, but the traversal zone between Expressway E and Expressway C doesn't work.
I found in logs:
tvcs: Event="External Server Communications Failure" Reason="DNS resolution failed" Service="NeighbourGatekeeper" Detail="name:*.domain.com" Level="1" UTCTime="2015-05-03 09:08:42,541"
Expressway C tries to connect to Expressway E and then checks the CN from the certificate, which should be the same as the FQDN of Expressway E.
Cisco Expressway C cannot match a CN with the special symbol * to the FQDN.
Does Expressway support certificates with special symbols in the CN?
Alex,
05-14-2015 09:10 AM
Wildcard certificates aren't supported. See the "Overview of certificate use on the Expressway" section of the Expressway Certificate Creation and Use Deployment Guide starting on the bottom of pg 3.
Wildcard certificates manage multiple subdomains and the service names they support; they can be less secure than SAN (Subject Alternate Name) certificates. Expressway does not support wildcard certificates.
05-25-2015 08:04 AM
Hello Patrick,
Thank you for your reply.
I have generated a certificate with parameters:
Subject Common Name = FQDN of cluster name
Subject Alternate Names = FQDN of the first node, FQDN of the secondary node, FQDN of cluster name, FQDN of the domain
I have implemented the same certificate on each node and it looks like everything works well, but I have doubts about this configuration:
I found that if we use a clustered system, we should generate a certificate for each peer.
Why do you think we cannot use the same certificate on each node?
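A pre-install check for the two situations in this thread (a wildcard CN, and one certificate shared by cluster peers), as an added example that is not part of the original posts or of Cisco's tooling. It reads names from text in the layout printed by `openssl x509 -noout -subject -ext subjectAltName`; the sample certificates, the `expressway-e1`/`expressway-e2`/`expressway-cluster` host names and the literal-match rule are assumptions made for illustration.

```python
import re

# Constructed samples in the layout printed by
# `openssl x509 -noout -subject -ext subjectAltName`; host names are hypothetical.
WILDCARD_CERT = "subject=CN = *.domain.com\n"
CLUSTER_CERT = """subject=CN = expressway-cluster.domain.com
X509v3 Subject Alternative Name:
    DNS:expressway-e1.domain.com, DNS:expressway-e2.domain.com, DNS:expressway-cluster.domain.com
"""

def norm(name):
    """DNS names compare case-insensitively; drop a trailing root dot."""
    return name.strip().rstrip(".").lower()

def cert_names(text):
    """Return (common_name, set of DNS SANs) parsed from the openssl text."""
    m = re.search(r"\bCN\s*=\s*([^,/\n]+)", text)
    cn = norm(m.group(1)) if m else None
    sans = {norm(s) for s in re.findall(r"DNS:([^,\s]+)", text)}
    return cn, sans

def check(text, required_fqdns):
    """List problems: wildcard names, and required FQDNs the certificate lacks."""
    cn, sans = cert_names(text)
    present = sans | ({cn} if cn else set())
    problems = [f"wildcard name not supported: {n}" for n in sorted(present) if "*" in n]
    # Assumption: a name must appear literally in the CN or a SAN; "*" is never expanded.
    for fqdn in map(norm, required_fqdns):
        if fqdn not in present:
            problems.append(f"FQDN not in certificate: {fqdn}")
    return problems

if __name__ == "__main__":
    peers = ["expressway-e1.domain.com", "expressway-e2.domain.com"]
    for label, cert, names in [
        ("wildcard", WILDCARD_CERT, ["expressway-e.domain.com"]),
        ("cluster", CLUSTER_CERT, peers + ["expressway-cluster.domain.com"]),
    ]:
        print(label, check(cert, names) or "OK")
```
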