cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

2537
Views
3
Helpful
2
Replies
ggiven
Beginner

What certificate authorities (ie go daddy,thawte) can I use for Epxressway Core and Edge

Looking at documentation guide "Cisco Expressway Certificate Creation and Use " it does not specify what certificate authorities can be used. in previous guides like "webex Telepresence for VCS expressway" it details what Root CA's will work.

Now I know this is more pointed at webex so logistically any cert authority should work as long as the client machine trusts the CA.


Other presentations list that the Cert must be X.509V3 compliant. (attached)

There are also requiremetns for SAN.


is there any one good source for demystifying what is exactly required to deploy expressway core and edge certificates the right way the first time around?


2 REPLIES 2
Kevin Roarty
Cisco Employee

The list of supported CAs is not nearly as limited if you are not doing a webex telepresence integration with your Expressway (or VCS).  If you are going to use the Expressway for Mobile & Remote access, the Expressway E certificate needs to be signed by a CA that is trusted by jabber clients and/or TelePresence endpoints.  Jabber uses the underlying platforms' trusted CAs to authenticate the Expressway E certificate.  There are plenty of CAs trusted across the various platforms Jabber is supported on, and the trusted CA list on TP endpoints is extensive as well. Consult the deployment guide below for details on what SANs are required where.  The BRKUCC-2801 slides used in your screen capture also summarizes the SAN requirements.

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-2/Mobile-Remote-Access-via-Expressway-…

matthewtravers
Enthusiast

Check out the Mobile and Remote Access Deployment Guide from page 25 onwards.  For some CAs you'll need to chain an intermediate cert.


Also make sure you get the SANs correct.  For ExpC you'll need SAN for:


  • Unified CM registration domains
  • XMPP Fed domains
  • IM&P chat nodes

For ExpC it will need Unified CM registration domains.

Check whether your CA supports SRV records, otherwise you'll need to use DNS and prefix the UCM domains.

Content for Community-Ad