cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4128
Views
0
Helpful
11
Replies

Third Party CA certificate requirement for Cisco expressway C and E

Vinod Kembhavi
Level 1
Level 1

Hi All,

We have implemented MRA solution for our customer, We had ask to procure the CA certificate from Third party CA certificate issuing vendor.

We had shared CSR request generated from Expressway C and E application to generate SSL certificate, As per cisco document we had ask to procure “Quick SSL premium single domain” CA certificate for Expressway Series E and C server but as per the certificate issuing vendor, the application required “Quick SSL premium multi domain” as they observed extra SANs in CSR generated from the Expressway C and E applications. Need help to find out application required certificate,  who are using Third Party CA certificate for MRA solution.

11 Replies 11

Ayodeji Okanlawon
VIP Alumni
VIP Alumni

What have you configured in your SAN? Why does your SAN have multiple domain in it?

On your CSR, you should have this..

Common name: FQDN of exprw cluster

subject alternate names: FQDN of expw cluster plus FQDN of all peers in the cluster

 

 

Please rate all useful posts

Hi Ayodeji,

Thanks for your response ...

Just FYI, We have standalone collaboration solution with expressway C and E. I have not added any extra SANs, Vendor see these in CSR generated from expressway E and C application.

for e.g

My domain is xyz.com..

FQDN of expressway E -  expe.xyz.com

SAN's - expe.xyz.com, xyz.com, confereance2XXX.xyz.com

Due to above entries in SAN vendor asking to go for multi domain certificate.

Is the single domain CA certificate will work in our solution.??

 

Thanks,

Vinod Kembhavi

 

 

 

 

 

Your vendor is right. When you have entries in the SAN ( it doesn't even matter if its just additional hostnames or different domain names), most vendors will request you to purchase a multi domain certificate.

In your case, you will need the multi domain cert, because it looks like you have persistent chat server defined and without the "confereance2XXX.xyz.com" (which I assume its the persistent chat server name), you will run into issues.

Please rate all useful posts

Hi Ayodeji,

 

Thanks for your response,  We don't have any persistent chat server in solution.

We have only Expressway C and E , VCS, CUCM, IM & P, Unity connection in solution without any redundancy..

 

Ok..What is this hostname for? "confereance2XXX.xyz.com" This has been added while you generated your CSR.

If you only have a single expwe and expwc, then you can regenerate your CSR and delete any entry in the SAN. This way you will only have the FQDN of the expwe in the common name and you can use a single domain certificate

NB: that if you have a cluster of expwe, then you need to have entries int he SAN as follows and in this case you will need multiple domain certificate

 

Common name: FQDN of expw cluster

subject alternate names: FQDN of expw cluster plus FQDN of all peers in the cluster

 

 

Please rate all useful posts

I had discard the CSR generated earlier and tried to generate CSR with DNS format under Unified CM registration domains option on both Expressway C and E, now I can see only  FQDN of Expressway-E and domain name in SAN entry.

Just FYI, I can see two format " DNS" and " SRVName" under CM registration domains option so what need to selected while generating CSR request ..

 

First of all, I don't see how you cant get away with single domain certificate. I have looked into this more. This is because you need to add your domain name in the SAN as detailed below.

Secondly, I am not sure where you are going to generate the certificates from..You should generate your CSR from here..

Go to Maintenance > Security certificates > Server certificate

NB: Customer’s service discovery domain is required to be included as a DNS SAN in all Expressway-E server certificates

This is what the CSR page looks like

 

Please rate all useful posts

Hi,

Yes I had generated CSR from same location " Maintenance > Security certificates > Server certificate" l

Now i can see only two DNS SAN entries in CSR generated on EXP-E i.e (FQDN) expe.xyz.com , xyz.com ( Main Service Domain).

And only one entry in CSR generated on EXP-C  i.e  (FQDN) expc.xyz.com

IS this conclude that solution required single domain certificate??

No, you will need a multi domain certificate as long as you have entries in your SAN (which you need for this deployment). ensure you add the main domain name on the CSR for expw-c too.

Please rate all useful posts

Hi Ayodeji,

Thanks for your support, i had ask CA certificate issuer vendor to provide the trial certificate for single domain which will include the FQDN and main domain for both the expressway C and E application server.

Will update you once we gets trail certificate for testing from CA Vendor..