cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1046
Views
0
Helpful
5
Replies
Participant

Expressway E certificate for DX Series endpoints over MRA.

Guys we all know for TLS based traversal zone between Expressway C & E requires (client Server based authentication) certificate. 

what we all were doing is to create a new template with Client authentication and sign Expressway C & E certificates locally.

 

But recently Cisco supported DX series over MRA.  and it doesnt support Local signed certificates. it only supports Public CA.

My question is.

1. Do we have to now sign both Expressway C & E certificates from Public CA with digital Client authentication certificates. ? (they are all very costly) in order to have client authentication key in both Expressway C & E certificates. ?

2. If only Expressway E certificate is to be signed .. then how TLS Traversal will work without Client Authentication. Because Expressway C is signed from Local CA with client authentication and Expressway E is signed by Public CA.

2. Which certificate template or Package of Public CA i should choose for signing, so LS Traversal between Expressway C &E should work as well as DX series endpoints over MRA.

 

3. Which template i choose from comodo 

a. Comodo Positive SSL UCC/SAN

b. Comodo UCC/SAN (DV)

c. Comodo UCC/SAN (OV)

 

Kindly Assist.

5 REPLIES 5
Highlighted
Hall of Fame Cisco Employee

1 NO, even before that, the

1 NO, even before that, the only one we recommended to be public CA signed was the EXP-E, that has not changed.

2 Load the required root certs on both boxes.

HTH

java

if this helps, please rate
Highlighted
Participant

can you please answer all

can you please answer all those parts ?? how will Expressway C being signed by internal CA. Makes TLS connection with Expressway E signed by Public CA ?

 

 

Highlighted

If I am not mistaken, as

If I am not mistaken, as Jaime mentioned, loading the required root certificates on both expressway-C and Expressway-E will work. Another words both the internal CA root and External CA root certificates will be uploaded to both servers, this way when TLS/Certificates get exchanged the servers will trust them and communication would be established. This way only expressway-E needs external CA certificate, External CA Root Certificate, and Internal CA root certificate. Expressway-C requires Internal CA generated certificate, Internal CA root Certificate, and External CA root certificate.

 

Hope this helps to clarify things.

Highlighted
Participant

Thanks Kristpher,I confirm

Thanks Kristpher,

I confirm that Comodo UCC/SAN (DV) from GogetSSL works fine for MRA of DX Series Video Endpoints. as well as XMPP Federation with other companies.

and its really cheap. only 108$/Year for 4 SANs.

VCS-E FQDN

Domain Name

2x Chat Aliases  (optional)

 

Highly recommending Usertrust SSL for Lab Testing for cheap and compatible certificates rather than costly certificates from Symantec & Godaddy.

 

Highlighted
Beginner

Hi Ammar

Hi Ammar

could you please share with me on how to apply public CA from Comodo and how to install CA trust list and server license on Expe?

Thanks

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here