Solved: Certificate requirements on Expressway C and E

carl_townshend · ‎10-31-2023

Hi guys

we had some issues this morning with our B2B calls, we update the public identity cert each year on the expressway E, we don't normally have to do anything with the expressway C.

We did have to put a new public root cert on the E also this year, however when we did this, it broke the tunnel between the C and E and stopped our video calls from working.

I then copied the new public cert to the C, did a reboot and it was then all OK.

I thought that the Exp C only requires our internally signed certs to create the tunnel between the C and E.

Does the C also need the public root certificate on it?

Cheers

b.winter · ‎10-31-2023

Yes, the C also needs to have the public root CA's from E, the same as E needs the private root CA's from C.

This is known since the beginning / hasn't changed and is not specific to Cisco / Expressway. You always need to upload the root CA's from the opposite server.

And if you would check out the uploaded root CA's in C, you would also see the old public Root CA's in there.

View solution in original post

b.winter · ‎10-31-2023

Yes, the C also needs to have the public root CA's from E, the same as E needs the private root CA's from C.

This is known since the beginning / hasn't changed and is not specific to Cisco / Expressway. You always need to upload the root CA's from the opposite server.

And if you would check out the uploaded root CA's in C, you would also see the old public Root CA's in there.

Oleksandr Yurchenko · ‎10-31-2023

Hello, yes, Exp-C must trust to Exp-E certificate. And for this trust you must upload root certificate of Exp-E signer.