Expressway E Certificate

Phil Bradley
Level 4

I currently have a wildcard certificate through GoDaddy that was generated on my Cisco ASA 5516. If I export this certificate's private key out of the ASA into PEM format, can I use this on the Expressway server? Each time I try to upload the private key it states "File upload failed. Please try again."

11 Replies

Phil Bradley
Level 4

Figured it out. You have to select both the private key and server certificate to upload. I also had to remove the passphrase from the PEM file.

FYI

Wildcard certificates manage multiple subdomains and the service names they support; they can be less secure than SAN (Subject Alternative Name) certificates. VCS does not support wildcard certificates.

http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-9/Cisco-VCS-Certificate-Creation-and-Use-Deployment-Guide-X8-9.pdf

HTH

java

if this helps, please rate

OK, thanks Jaime. It did accept the certificates and gives me a secure connection from the web admin page now. I can create a new SAN cert for Expressway; I just thought since I had the wildcard I could use it here.

So the wildcard is not supported for both VCS and Expressway? I do understand that this is the same product code between both VCS and Expressway. I am just using it for MRA.

Yes, there is no separate doc, that doc covers VCS and expressway.

You probably don't want to use the same certificate, depending on what you will be using, that might be a very big certificate with many SAN entries that won't really make sense to have in both certificates, for example, the phone security profiles that only need to be in EXP-C, and the public CA would charge you for those, when you can get away with an internal CA certificate for EXP-C.

Really, the only server you want to have signed by a public CA for MRA, is the EXP-E, everything else, can be signed with a private CA.

HTH

java

if this helps, please rate

I can now safely answer both these questions from experience.

1. Wildcard Certs

Yes, you can install a wildcard cert with its private key on the Exp-E. But you will not be able to get the TLS session established between the Exp-C and Exp-E. When testing the cert from the Exp-C you will get the following result back:

The Expressway-E name 'expe-01.mycomp.co.za' did not match any CN or SAN attributes in its certificate: '*.mycomp.co.za, mycomp.co.za'

The Exp-C needs an exact match!

2. Same Public cert on both Exp-E clustered servers

I don't know if it is supported, but it does work.

You need to upload both the private key and the server cert of the first cluster to the second cluster.

You will also need to include both Exp-E servers' FQDNs in the public cert you are getting signed by your CA.

The conclusion on the wildcard certs is NO, you cannot use wildcard certs on the Exp-E.
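The behaviour Pieter describes above comes down to how the peer name is compared against the certificate. The following is an added example, not code from this thread or from Cisco: it models the strict exact-match rule the post describes for the Exp-C/Exp-E traversal zone next to ordinary single-label wildcard matching, and reproduces the shape of the quoted mismatch message. The certificate names and hostnames are constructed from the post; `exact_match`, `wildcard_match` and `explain` are illustrative helpers, not an Expressway API.

```python
# Added example (not from the thread or from Cisco): strict exact-match
# name checking, as the post describes for the traversal zone, compared
# with standard single-label wildcard matching.
from typing import Iterable


def cert_names(cn: str, sans: Iterable[str]) -> list[str]:
    """Collect the names a certificate presents: CN first, then each DNS SAN,
    lower-cased and de-duplicated, preserving order."""
    names = [cn.lower()]
    for san in sans:
        san = san.lower()
        if san not in names:
            names.append(san)
    return names


def exact_match(hostname: str, cn: str, sans: Iterable[str]) -> bool:
    """Strict rule: the peer's FQDN must appear verbatim as the CN or a SAN.
    A wildcard entry such as '*.mycomp.co.za' never satisfies this rule."""
    return hostname.lower() in cert_names(cn, sans)


def wildcard_match(hostname: str, pattern: str) -> bool:
    """RFC 6125-style wildcard in the left-most label only:
    '*.example.com' matches 'host.example.com' but neither 'example.com'
    nor 'a.b.example.com'. Non-wildcard patterns must match exactly."""
    hostname = hostname.lower()
    pattern = pattern.lower()
    if not pattern.startswith("*."):
        return hostname == pattern
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    return bool(label) and "." not in label


def lenient_match(hostname: str, cn: str, sans: Iterable[str]) -> bool:
    """Browser-style check: any CN/SAN entry, wildcard or not, may match."""
    return any(wildcard_match(hostname, p) for p in cert_names(cn, sans))


def explain(hostname: str, cn: str, sans: Iterable[str]) -> str:
    """Return a message in the form the post quotes for the strict check."""
    if exact_match(hostname, cn, sans):
        return f"The Expressway-E name '{hostname}' matched an exact CN or SAN attribute"
    return (
        f"The Expressway-E name '{hostname}' did not match any CN or SAN "
        f"attributes in its certificate: '{', '.join(cert_names(cn, sans))}'"
    )


if __name__ == "__main__":
    # Constructed from the post: a wildcard cert and the Exp-E FQDN it was tested against.
    wildcard_cn, wildcard_sans = "*.mycomp.co.za", ["*.mycomp.co.za", "mycomp.co.za"]
    expe = "expe-01.mycomp.co.za"
    print("wildcard, lenient  :", lenient_match(expe, wildcard_cn, wildcard_sans))
    print("wildcard, strict   :", exact_match(expe, wildcard_cn, wildcard_sans))
    print(explain(expe, wildcard_cn, wildcard_sans))

    # A SAN cert carrying both clustered Exp-E FQDNs, as the post recommends.
    san_cn = "expe-01.mycomp.co.za"
    san_list = ["expe-01.mycomp.co.za", "expe-02.mycomp.co.za"]
    for host in san_list:
        print("SAN cert, strict   :", host, exact_match(host, san_cn, san_list))
```

Run it directly to see the wildcard certificate pass the lenient check but fail the strict one with the same kind of message the post quotes, while a SAN certificate that lists both cluster members' FQDNs passes the strict check for each of them.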

Is it supported to use the same SAN cert for both the internal and external expressways? This will be for the traversal zone.

AFAIK you can not use the same certificate on the C and E. How would that work as these are two different entities in all essentials?



Hey Jaime,
Do you mean Expressway E does not support wildcard certificate? It will be helpful if you can confirm

Frank

Yes, that's what Jaime meant and what Pieter also confirmed with his tests.



gctmike
Level 1

Is this still not supported in version 14.2?

What a pain if not. I'm searching for documentation to tell me. It's not as definite as the 12.5 version documentation.