05-03-2017 11:19 AM - edited 03-15-2019 05:38 AM
I currently have a wildcard certificate through GoDaddy that was generated on my Cisco ASA 5516. If I export this certificate's private key out of the ASA into PEM format, can I use this on the Expressway server? Each time I try to upload the private key it states "File upload failed. Please try again."
05-03-2017 11:44 AM
Figured it out. You have to select both the private key and server certificate to upload. I also had to remove the passphrase from the PEM file.
05-03-2017 12:46 PM
FYI
Wildcard certificates manage multiple subdomains and the service names they support; they can be less secure than SAN (Subject Alternative Name) certificates. VCS does not support wildcard certificates.
http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-9/Cisco-VCS-Certificate-Creation-and-Use-Deployment-Guide-X8-9.pdf
05-03-2017 12:52 PM
Ok, thanks Jaime. It did accept the certificates and gives me a secure connection from the web admin page now. I can create a new SAN cert for Expressway; I just thought that since I had the wildcard I could use it here.
So the wildcard is not supported for both VCS and Expressway? I do understand that this is the same product code between both VCS and Expressway. I am just using it for MRA.
05-03-2017 02:36 PM
Yes, there is no separate doc; that doc covers both VCS and Expressway.
You probably don't want to use the same certificate. Depending on what you will be using, that might be a very big certificate with many SAN entries that won't really make sense to have in both certificates, for example the phone security profiles that only need to be in EXP-C, and the public CA would charge you for those, when you can get away with an internal CA certificate for EXP-C.
Really, the only server you want to have signed by a public CA for MRA is the EXP-E; everything else can be signed with a private CA.
09-18-2019 01:21 PM
I can now safely answer both these questions from experience.
1. Wildcard Certs
Yes, you can install a wildcard cert with its private key on the Exp-E. But you will not be able to get the TLS session established between the Exp-C and Exp-E. When testing the cert from the Exp-C you will get the following result back:
The Expressway-E name 'expe-01.mycomp.co.za' did not match any CN or SAN attributes in its certificate: '*.mycomp.co.za, mycomp.co.za'
The Exp-C needs an exact match!
2. Same Public cert on both Exp-E clustered servers
I don't know if it is supported, but it does work.
You need to upload both the private key and the server cert of the first cluster node to the second cluster node.
You will also need to include both Exp-E servers' FQDNs in the public cert you are getting signed by your CA.
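The traversal-zone name check Pieter describes, as an added example that is not part of the thread or of Cisco's code: a constructed wildcard certificate and a constructed per-host SAN certificate are tested against the Expressway-E FQDN from his post under two policies, the exact CN/SAN match he reports for Expressway-C and the usual one-label wildcard match a browser would apply. The certificate contents, the helper names and the error-string format (modelled on the message quoted above) are all assumptions for illustration.

```python
"""
Added example (not from the thread): compare exact CN/SAN matching, as
reported for the Expressway-C traversal-zone test, with RFC 6125-style
wildcard matching, on constructed certificate name sets.
"""
from typing import Dict, List, Optional

# Constructed stand-in for the wildcard certificate described in the thread.
WILDCARD_CERT: Dict[str, object] = {
    "cn": "*.mycomp.co.za",
    "san": ["*.mycomp.co.za", "mycomp.co.za"],
}

# Constructed stand-in for a per-host SAN certificate covering both
# Expressway-E cluster peers (second FQDN is an assumption).
SAN_CERT: Dict[str, object] = {
    "cn": "expe-01.mycomp.co.za",
    "san": ["expe-01.mycomp.co.za", "expe-02.mycomp.co.za"],
}


def _names(cert: Dict[str, object]) -> List[str]:
    """All identity names a peer may be matched against: CN plus every SAN."""
    names: List[str] = []
    if cert.get("cn"):
        names.append(str(cert["cn"]))
    names.extend(str(n) for n in cert.get("san", []))  # type: ignore[union-attr]
    return names


def exact_match(fqdn: str, cert: Dict[str, object]) -> bool:
    """Exact-match policy: the FQDN must appear verbatim (case-insensitive)
    as the CN or as one of the SAN entries. A wildcard entry never matches."""
    return fqdn.lower().rstrip(".") in {n.lower().rstrip(".") for n in _names(cert)}


def wildcard_match(fqdn: str, pattern: str) -> bool:
    """RFC 6125-style matching: '*' is only valid as the entire left-most
    label and matches exactly one label, so '*.mycomp.co.za' matches
    'expe-01.mycomp.co.za' but not 'mycomp.co.za' or 'a.b.mycomp.co.za'."""
    fqdn = fqdn.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return fqdn == pattern
    labels = pattern.split(".")
    # Reject partial-label wildcards ('exp*.example') and wildcards that
    # would cover a public suffix or a bare TLD.
    if labels[0] != "*" or any("*" in lbl for lbl in labels[1:]) or len(labels) < 3:
        return False
    host_labels = fqdn.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def browser_style_match(fqdn: str, cert: Dict[str, object]) -> bool:
    """What a typical TLS client would accept for this name."""
    return any(wildcard_match(fqdn, n) for n in _names(cert))


def expressway_c_check(peer_fqdn: str, cert: Dict[str, object]) -> Optional[str]:
    """Return None if the peer name is accepted under the exact-match policy,
    otherwise an error string shaped like the one quoted in the thread."""
    if exact_match(peer_fqdn, cert):
        return None
    return (
        "The Expressway-E name '%s' did not match any CN or SAN attributes "
        "in its certificate: '%s'" % (peer_fqdn, ", ".join(str(n) for n in cert["san"]))  # type: ignore[union-attr]
    )


if __name__ == "__main__":
    peer = "expe-01.mycomp.co.za"
    print("browser-style match on wildcard cert:", browser_style_match(peer, WILDCARD_CERT))
    print("Expressway-C style check on wildcard cert:", expressway_c_check(peer, WILDCARD_CERT))
    print("Expressway-C style check on SAN cert:", expressway_c_check(peer, SAN_CERT))
```

The point the block makes is that the two policies disagree only for the wildcard: a browser accepts `*.mycomp.co.za` for the Expressway-E host, the exact-match check does not, and the per-host SAN certificate passes both, which is why listing every cluster peer's FQDN in the SAN list is what makes one shared certificate work.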
05-03-2017 01:08 PM
Is it supported to use the same SAN cert for both the internal and external Expressways? This will be for the traversal zone.
11-17-2022 10:46 AM
AFAIK you cannot use the same certificate on the C and E. How would that work, as these are two different entities in all essentials?
11-17-2022 08:18 AM
Hey Jaime,
Do you mean Expressway-E does not support wildcard certificates? It will be helpful if you can confirm.
Frank
11-17-2022 10:43 AM
Yes, that's what Jaime meant and what Pieter also confirmed with his tests.
12-23-2022 06:10 AM
Is this still not supported in version 14.2?
What a pain if not. I'm searching for documentation to tell me. It's not as definite as the 12.5 version documentation.