Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1474
Views
0
Helpful
5
Replies

Expressway E certificate for DX Series endpoints over MRA.

Ammar Saood
Spotlight
Spotlight

‎06-29-2015 01:18 PM - edited ‎03-13-2019 09:03 PM

Guys we all know for TLS based traversal zone between Expressway C & E requires (client Server based authentication) certificate. 

what we all were doing is to create a new template with Client authentication and sign Expressway C & E certificates locally.

 

But recently Cisco supported DX series over MRA.  and it doesnt support Local signed certificates. it only supports Public CA.

My question is.

1. Do we have to now sign both Expressway C & E certificates from Public CA with digital Client authentication certificates. ? (they are all very costly) in order to have client authentication key in both Expressway C & E certificates. ?

2. If only Expressway E certificate is to be signed .. then how TLS Traversal will work without Client Authentication. Because Expressway C is signed from Local CA with client authentication and Expressway E is signed by Public CA.

2. Which certificate template or Package of Public CA i should choose for signing, so LS Traversal between Expressway C &E should work as well as DX series endpoints over MRA.

 

3. Which template i choose from comodo 

a. Comodo Positive SSL UCC/SAN

b. Comodo UCC/SAN (DV)

c. Comodo UCC/SAN (OV)

 

Kindly Assist.

Labels:
0 Helpful
5 Replies 5

Jaime Valencia
Cisco Employee
Cisco Employee

‎06-29-2015 02:41 PM

1 NO, even before that, the only one we recommended to be public CA signed was the EXP-E, that has not changed.

2 Load the required root certs on both boxes.

HTH

java

if this helps, please rate
0 Helpful

Ammar Saood
Spotlight
Spotlight
In response to Jaime Valencia

‎06-29-2015 03:35 PM

can you please answer all those parts ?? how will Expressway C being signed by internal CA. Makes TLS connection with Expressway E signed by Public CA ?

 

 

0 Helpful

Kristopher Shirley
Level 1
Level 1
In response to Ammar Saood

‎07-21-2015 01:44 PM

If I am not mistaken, as Jaime mentioned, loading the required root certificates on both expressway-C and Expressway-E will work. Another words both the internal CA root and External CA root certificates will be uploaded to both servers, this way when TLS/Certificates get exchanged the servers will trust them and communication would be established. This way only expressway-E needs external CA certificate, External CA Root Certificate, and Internal CA root certificate. Expressway-C requires Internal CA generated certificate, Internal CA root Certificate, and External CA root certificate.

 

Hope this helps to clarify things.

0 Helpful

Ammar Saood
Spotlight
Spotlight
In response to Kristopher Shirley

‎07-22-2015 12:10 AM

Thanks Kristpher,

I confirm that Comodo UCC/SAN (DV) from GogetSSL works fine for MRA of DX Series Video Endpoints. as well as XMPP Federation with other companies.

and its really cheap. only 108$/Year for 4 SANs.

VCS-E FQDN

Domain Name

2x Chat Aliases  (optional)

 

Highly recommending Usertrust SSL for Lab Testing for cheap and compatible certificates rather than costly certificates from Symantec & Godaddy.

 

0 Helpful

qi wang
Level 1
Level 1
In response to Ammar Saood

‎03-31-2016 01:26 AM

Hi Ammar

could you please share with me on how to apply public CA from Comodo and how to install CA trust list and server license on Expe?

Thanks

0 Helpful
Customers Also Viewed These Support Documents