Guys we all know for TLS based traversal zone between Expressway C & E requires (client Server based authentication) certificate.
what we all were doing is to create a new template with Client authentication and sign Expressway C & E certificates locally.
But recently Cisco supported DX series over MRA. and it doesnt support Local signed certificates. it only supports Public CA.
My question is.
1. Do we have to now sign both Expressway C & E certificates from Public CA with digital Client authentication certificates. ? (they are all very costly) in order to have client authentication key in both Expressway C & E certificates. ?
2. If only Expressway E certificate is to be signed .. then how TLS Traversal will work without Client Authentication. Because Expressway C is signed from Local CA with client authentication and Expressway E is signed by Public CA.
2. Which certificate template or Package of Public CA i should choose for signing, so LS Traversal between Expressway C &E should work as well as DX series endpoints over MRA.
3. Which template i choose from comodo
1 NO, even before that, the only one we recommended to be public CA signed was the EXP-E, that has not changed.
2 Load the required root certs on both boxes.
can you please answer all those parts ?? how will Expressway C being signed by internal CA. Makes TLS connection with Expressway E signed by Public CA ?
If I am not mistaken, as Jaime mentioned, loading the required root certificates on both expressway-C and Expressway-E will work. Another words both the internal CA root and External CA root certificates will be uploaded to both servers, this way when TLS/Certificates get exchanged the servers will trust them and communication would be established. This way only expressway-E needs external CA certificate, External CA Root Certificate, and Internal CA root certificate. Expressway-C requires Internal CA generated certificate, Internal CA root Certificate, and External CA root certificate.
Hope this helps to clarify things.
I confirm that Comodo UCC/SAN (DV) from GogetSSL works fine for MRA of DX Series Video Endpoints. as well as XMPP Federation with other companies.
and its really cheap. only 108$/Year for 4 SANs.
2x Chat Aliases (optional)
Highly recommending Usertrust SSL for Lab Testing for cheap and compatible certificates rather than costly certificates from Symantec & Godaddy.