11-13-2014 11:26 PM - edited 03-13-2019 08:43 PM
Hi All,
We have implemented an MRA solution for our customer. We had asked to procure the CA certificate from a third-party CA certificate issuing vendor.
We shared the CSR generated from the Expressway C and E applications to generate the SSL certificate. As per the Cisco document, we had asked to procure a “Quick SSL premium single domain” CA certificate for the Expressway Series E and C servers, but as per the certificate issuing vendor, the application requires “Quick SSL premium multi domain”, as they observed extra SANs in the CSR generated from the Expressway C and E applications. We need help finding out which certificate the application requires, from anyone who is using a third-party CA certificate for an MRA solution.
11-14-2014 12:38 PM
What have you configured in your SAN? Why does your SAN have multiple domains in it?
On your CSR, you should have this:
Common name: FQDN of exprw cluster
subject alternate names: FQDN of expw cluster plus FQDN of all peers in the cluster
11-16-2014 08:31 PM
Hi Ayodeji,
Thanks for your response ...
Just FYI, we have a standalone collaboration solution with Expressway C and E. I have not added any extra SANs; the vendor sees these in the CSR generated from the Expressway E and C applications.
For example:
My domain is xyz.com.
FQDN of Expressway E - expe.xyz.com
SANs - expe.xyz.com, xyz.com, confereance2XXX.xyz.com
Due to the above entries in the SAN, the vendor is asking us to go for a multi domain certificate.
Will the single domain CA certificate work in our solution?
Thanks,
Vinod Kembhavi
11-17-2014 02:05 AM
Your vendor is right. When you have entries in the SAN (it doesn't even matter if it's just additional hostnames or different domain names), most vendors will request you to purchase a multi domain certificate.
In your case, you will need the multi domain cert, because it looks like you have a persistent chat server defined and without the "confereance2XXX.xyz.com" (which I assume is the persistent chat server name), you will run into issues.
11-17-2014 03:30 AM
Hi Ayodeji,
Thanks for your response. We don't have any persistent chat server in the solution.
We have only Expressway C and E, VCS, CUCM, IM & P, and Unity Connection in the solution, without any redundancy.
11-17-2014 03:38 AM
OK. What is this hostname for: "confereance2XXX.xyz.com"? This has been added while you generated your CSR.
If you only have a single expwe and expwc, then you can regenerate your CSR and delete any entry in the SAN. This way you will only have the FQDN of the expwe in the common name and you can use a single domain certificate.
NB: if you have a cluster of expwe, then you need to have entries in the SAN as follows, and in this case you will need a multiple domain certificate:
Common name: FQDN of expw cluster
subject alternate names: FQDN of expw cluster plus FQDN of all peers in the cluster
11-17-2014 05:46 AM
I discarded the CSR generated earlier and tried to generate a CSR with the DNS format under the Unified CM registration domains option on both Expressway C and E; now I can see only the FQDN of Expressway-E and the domain name in the SAN entry.
Just FYI, I can see two formats, "DNS" and "SRVName", under the CM registration domains option, so which needs to be selected while generating the CSR request?
11-17-2014 06:25 AM
First of all, I don't see how you can't get away with a single domain certificate. I have looked into this more. This is because you need to add your domain name in the SAN as detailed below.
Secondly, I am not sure where you are going to generate the certificates from. You should generate your CSR from here:
Go to Maintenance > Security certificates > Server certificate
NB: Customer’s service discovery domain is required to be included as a DNS SAN in all Expressway-E server certificates
This is what the CSR page looks like
11-17-2014 06:46 AM
Hi,
Yes, I had generated the CSR from the same location, "Maintenance > Security certificates > Server certificate".
Now I can see only two DNS SAN entries in the CSR generated on EXP-E, i.e. (FQDN) expe.xyz.com, xyz.com (Main Service Domain).
And only one entry in the CSR generated on EXP-C, i.e. (FQDN) expc.xyz.com.
Does this conclude that the solution requires a single domain certificate?
11-17-2014 08:28 AM
No, you will need a multi domain certificate as long as you have entries in your SAN (which you need for this deployment). Ensure you add the main domain name on the CSR for expw-c too.
11-17-2014 11:34 PM
Hi Ayodeji,
Thanks for your support. I had asked the CA certificate issuer vendor to provide the trial certificate for single domain which will include the FQDN and main domain for both the Expressway C and E application servers.
Will update you once we get the trial certificate for testing from the CA vendor.
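
The vendor in this thread found SAN entries the poster did not know were in the CSR. As an added example (not code from the thread or from Cisco), the following parses the text printed by `openssl req -in <file> -noout -text` and compares the DNS SAN entries with the names you expect before the CSR goes to the CA; the sample text, `review_csr` and its parameters are constructed for illustration.

```python
import re

# Constructed sample in the layout printed by `openssl req -noout -text`,
# using the host names quoted in the thread.
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = IN, O = Example, CN = expe.xyz.com
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:expe.xyz.com, DNS:xyz.com, DNS:confereance2XXX.xyz.com
"""


def parse_csr_text(text):
    """Return (common_name, [DNS SAN names]) from openssl's text dump."""
    cn_match = re.search(r"Subject:.*?CN\s*=\s*([^,/\n]+)", text)
    cn = cn_match.group(1).strip().lower() if cn_match else None
    sans = []
    san_line = re.search(r"Subject Alternative Name:[^\n]*\n([^\n]+)", text)
    if san_line:
        for entry in san_line.group(1).split(","):
            kind, _, value = entry.strip().partition(":")
            if kind == "DNS" and value:  # other SAN types are ignored here
                sans.append(value.strip().lower())
    return cn, sans


def review_csr(text, fqdn, service_domains=()):
    """Compare the CSR's names with the ones the deployment should request.

    fqdn and service_domains are hypothetical parameters: the server's own
    FQDN and the service discovery domain(s) expected as DNS SANs.
    """
    expected = {fqdn.lower()} | {d.lower() for d in service_domains}
    cn, sans = parse_csr_text(text)
    return {
        "cn_matches_fqdn": cn == fqdn.lower(),
        "missing": sorted(expected - set(sans)),
        "unexpected": sorted(set(sans) - expected),
        "distinct_names": len(set(sans) | ({cn} if cn else set())),
    }


if __name__ == "__main__":
    print(review_csr(SAMPLE_CSR_TEXT, "expe.xyz.com", ["xyz.com"]))
```

Names are compared in lower case because DNS names are case-insensitive; a `distinct_names` value above 1 is what the CA in this thread treated as needing a multi domain product.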