Expressway-E public CA recommendations

dmuizebelt
Level 1

Hi,

I want to sign an Expressway-E CSR with a public CA. As per Cisco (and other) documentation and guides, my current CSR has 5 SANs (Subject Alternative Names).

My customer is currently using GoDaddy, which happily throws away the requested SANs and replaces them with host.domain.com and www.host.domain.com. Not really what I requested. GoDaddy does have a separate form where you can fill out extra SANs, up to a maximum of 4 SANs. Still not enough for an Expressway.

Can anybody recommend a good public CA which honors the actual CSR and/or supports 5+ SANs? Also, good/bad experiences with public CAs in combination with Expressway-E are highly welcome.

Thank you for your feedback,

-Danny

George Thomas
Level 10

I personally haven't had any issues with GoDaddy and they have issued the correct SANs. Sometimes the reason the SAN is not coming through is if you have a domain that is not publicly registered, e.g. domain.local or domainint.com. In those cases, most CAs disregard the SANs.

I had a problem with GoDaddy because they didn't allow a "duplicate" FQDN (CN + SAN). Which is strange because it is the usual way to ensure backwards compatibility when checking for names inside the certificate.

I should note that the FQDN of the server MUST be in the SAN list because RFC 6125 specifies that a client is not allowed to parse the CN field if SAN entries are present. In the future the CN field will be deprecated.

I now signed with GeoTrust because they allow changes and additions to the SAN list for the lifetime of the certificate. This should cover any development changes in the Expressway setup. I don't think GoDaddy has such a service.
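
A check for the problem discussed in this thread, as an added example that is not part of any post: compare the names requested in the CSR with the names the CA actually issued, applying the RFC 6125 rule mentioned above (the CN is ignored once DNS SANs are present). It assumes the certificate is given in the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`; all hostnames are constructed placeholders and the function names are hypothetical.

```python
# Added example. All hostnames are constructed placeholders.

# The five names requested in the CSR (constructed).
REQUESTED = [
    "host.example.com",
    "alt1.example.com",
    "alt2.example.com",
    "alt3.example.com",
    "alt4.example.com",
]

# What a CA that rewrites the SAN list might return (constructed),
# in the dict layout of ssl.SSLSocket.getpeercert().
ISSUED = {
    "subject": ((("commonName", "host.example.com"),),),
    "subjectAltName": (
        ("DNS", "host.example.com"),
        ("DNS", "www.host.example.com"),
    ),
}


def presented_dns_names(cert):
    """Names a verifier following RFC 6125 would consider.

    If the certificate carries any dNSName SAN, only those count and the
    CN is ignored. The CN is a fallback for certificates without DNS SANs.
    """
    sans = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    if sans:
        return sans
    return {v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"}


def missing_names(requested, cert):
    """Requested names that the issued certificate does not cover."""
    presented = presented_dns_names(cert)
    return sorted(n.lower() for n in requested if n.lower() not in presented)


def unrequested_names(requested, cert):
    """Names the CA added that were never in the CSR."""
    wanted = {n.lower() for n in requested}
    return sorted(presented_dns_names(cert) - wanted)


if __name__ == "__main__":
    print("missing:", missing_names(REQUESTED, ISSUED))
    print("added by CA:", unrequested_names(REQUESTED, ISSUED))
```

Comparison is by exact name, so a wildcard SAN is reported as not covering a specific host.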

 
