I currently have a wildcard certificate through GoDaddy that was generated on my Cisco ASA 5516. If I export this certificate's private key out of the ASA into PEM format, can I use this on the Expressway server? Each time I try to upload the private key it states "File upload failed. Please try again."
Wildcard certificates manage multiple subdomains and the service names they support; they can be less secure than SAN (Subject Alternative Name) certificates. VCS does not support wildcard certificates.
OK, thanks Jaime. It did accept the certificates and gives me a secure connection from the web admin page now. I can create a new SAN cert for Expressway; I just thought since I had the wildcard then I could use it here.
So the wildcard is not supported for both VCS and Expressway? I do understand that this is the same product code between both VCS and Expressway. I am just using it for MRA.
Yes, there is no separate doc, that doc covers VCS and expressway.
You probably don't want to use the same certificate. Depending on what you will be using, that might be a very big certificate with many SAN entries that won't really make sense to have in both certificates; for example, the phone security profiles only need to be in EXP-C, and the public CA would charge you for those, when you can get away with an internal CA certificate for EXP-C.
Really, the only server you want to have signed by a public CA for MRA is the EXP-E; everything else can be signed with a private CA.
I can now safely answer both these questions from experience.
1. Wildcard Certs
Yes, you can install a wildcard cert with its private key on the Exp-E. But you will not be able to get the TLS session established between the Exp-C and Exp-E. When testing the cert from the Exp-C you will get the following result back:
The Expressway-E name 'expe-01.mycomp.co.za' did not match any CN or SAN attributes in its certificate: '*.mycomp.co.za, mycomp.co.za'
The Exp-C needs an exact match!
2. Same Public cert on both Exp-E clustered servers
I don't know if it is supported, but it does work.
You need to upload both the private key and the server cert of the first cluster node to the second cluster node.
You will also need to include both Exp-E servers' FQDN names in the public cert you are getting signed by your CA.
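As an added illustration of the two points in the post above (not code from the thread or from Cisco), the following script reproduces the difference between the exact CN/SAN match the Expressway-C error message shows and ordinary browser-style wildcard matching, and then checks a proposed cluster certificate against the list of Exp-E peer FQDNs. The hostnames are the ones quoted in the post; the case-insensitive and trailing-dot handling is an assumption about how such a comparison is normally done, not something the post states.

```python
"""Exact-match versus wildcard matching of an Expressway-E FQDN against a
certificate's CN/SAN names. Added example; the match semantics are assumed
from the Expressway-C error text quoted in the post, not taken from Cisco."""
from __future__ import annotations


def parse_name_list(names_field: str) -> list[str]:
    """Split a comma-separated CN/SAN list, as echoed in the Expressway-C
    message ('*.mycomp.co.za, mycomp.co.za'), into individual names."""
    return [n.strip().strip("'\"") for n in names_field.split(",") if n.strip()]


def _norm(name: str) -> str:
    # Assumption: DNS names compare case-insensitively and a trailing dot is ignored.
    return name.strip().lower().rstrip(".")


def exact_match(hostname: str, names: list[str]) -> bool:
    """What the post reports the Expressway-C does: the peer FQDN must appear
    literally in the CN/SAN list; a '*' label is never expanded."""
    host = _norm(hostname)
    return any(host == _norm(n) for n in names)


def wildcard_match(hostname: str, names: list[str]) -> bool:
    """Browser-style (RFC 6125) matching: a leading '*.' label matches exactly
    one label, so '*.mycomp.co.za' covers 'expe-01.mycomp.co.za' but neither
    'mycomp.co.za' nor 'a.b.mycomp.co.za'."""
    host = _norm(hostname)
    for raw in names:
        n = _norm(raw)
        if n.startswith("*."):
            suffix = n[1:]  # ".mycomp.co.za"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif n == host:
            return True
    return False


def check_peer_name(hostname: str, names_field: str) -> str:
    """Classify why a traversal-zone check would pass or fail.
    'wildcard-only' is the situation described in the post: a browser would
    accept the cert, but the Expressway-C exact match does not."""
    names = parse_name_list(names_field)
    if exact_match(hostname, names):
        return "ok"
    if wildcard_match(hostname, names):
        return "wildcard-only"
    return "no-match"


def missing_cluster_peers(peer_fqdns: list[str], names_field: str) -> list[str]:
    """For a certificate shared across an Exp-E cluster, list the peer FQDNs
    that are not present literally in the CN/SAN list."""
    names = parse_name_list(names_field)
    return [p for p in peer_fqdns if not exact_match(p, names)]


if __name__ == "__main__":
    wildcard_cert = "'*.mycomp.co.za, mycomp.co.za'"
    print(check_peer_name("expe-01.mycomp.co.za", wildcard_cert))
    cluster_cert = "expe-01.mycomp.co.za"
    print(missing_cluster_peers(["expe-01.mycomp.co.za", "expe-02.mycomp.co.za"], cluster_cert))
```

Run with the values from the post and the wildcard case comes back as "wildcard-only", which is exactly the mismatch the Exp-C reports; adding "expe-02.mycomp.co.za" to the SAN list of the shared cluster certificate is what empties the missing-peer list.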