09-23-2020 08:33 AM
We are changing hostnames on a number of regional Expressways and clustering them to increase capacity and provide failover. When creating the CSR, does the CN need to be the new hostname or can I just include it in the SAN list? If I do need to create the CSR with the new hostname, can I just temporarily change it in the GUI and create the request or will that cause issues?
09-23-2020 09:58 AM
Changing the host name will void the certificate.
CN will be auto populated based on the hostname.
Since you are planning to do a cluster, you can take the CSR for the cluster or individually.
09-23-2020 11:47 AM
Thanks for the reply Nithin. Once I change the hostname I'll need to have a valid certificate with the new hostname as the CN right? Is there not a way to create the CSR from the gui using the new hostname as CN so the signing process (which in our case takes a few days) can be done without invalidating the current cert?
Also I'm not clear on what you mean by "take csr for cluster or individually". I've got the new cluster FQDN as one of the SAN entries but from my understanding I would still need a valid server certificate for the server itself
09-23-2020 01:44 PM
Generating a CSR does NOTHING to the existing certificates or the system, it simply generates a CSR and matching key waiting until the time you upload the signed certificate which will need to match the private key and THEN it will prompt you to restart the server so that new certificate is now used by the system.
09-23-2020 03:31 PM
Thanks Jaime, my understanding from Nithin's response wasn't that the CSR would invalidate the current certificate, but the changing of the hostname. My thought was to temporarily change the hostname, create the CSR with the new hostname as the CN, then change it back. Do you think that's something that would affect the certificate validity, even if the hostname is reverted back?
09-23-2020 09:19 PM
Nothing changes automatically for the active certificate until you choose to generate a new cert request.
Even if you modify the hostname 100 times.
You don't have to make a common name with the hostname, but you can also put in the CN a name of your domain or something, and into the SAN put all your Expressways' names (old, new, whatever).
The Expressway knows to look at the SAN also when you are doing TLS negotiation.
09-25-2020 04:14 AM
What I understood is, you are planning to change the hostname on the Expressway.
The CN name which you get on the CSR page is from the hostname configured for the Expressway.
Your existing certificates will be based on your existing hostname. Changing the hostname and using the old certificate, I don't think your Zones will come up.
Generating a new CSR, yes, it won't affect the existing certificate.
You can add the new hostname as an alternative name and generate the CSR. But the number of SAN names will be the price factor for a public CA. If you add more SAN names you have to pay more.
You can go through the below document to learn more about generating the CSR.
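
An added example, not part of any post in this thread and not Cisco code: a pre-rename check that the SAN list planned for the CSR covers the old hostname, the new hostname and the cluster FQDN. The hostnames and function names are constructed, and the matching follows general RFC 6125 rules (SAN dNSName entries take precedence over the CN), which is assumed here rather than confirmed for Expressway.

```python
# Added example: hostnames and helper names are constructed for illustration.

def _name_match(pattern: str, host: str) -> bool:
    """Match one certificate name against a hostname (RFC 6125 style)."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    # A wildcard covers exactly one leftmost label, never the bare domain.
    suffix = p[1:]                      # e.g. ".example.com"
    prefix = h[: -len(suffix)]
    return h.endswith(suffix) and prefix != "" and "." not in prefix


def uncovered_names(cn, san_dns, required):
    """Return the required hostnames the planned certificate would not cover.

    If any SAN dNSName is present, the CN is not consulted (RFC 6125 sec. 6.4.4);
    the CN is only a fallback for a certificate with no SAN at all.
    """
    presented = list(san_dns) if san_dns else [cn]
    return [name for name in required
            if not any(_name_match(p, name) for p in presented)]


# Constructed plan for one peer that is being renamed and clustered.
OLD_HOST = "expe-old.example.com"
NEW_HOST = "expe-region1-a.example.com"
CLUSTER_FQDN = "expe-region1.example.com"
REQUIRED = [OLD_HOST, NEW_HOST, CLUSTER_FQDN]

# CSR generated before the rename: CN is still the old hostname, while the
# new hostname and the cluster FQDN are added as SAN entries.
PLAN_OK = {"cn": OLD_HOST, "san_dns": [OLD_HOST, NEW_HOST, CLUSTER_FQDN]}
# Gap to catch: the new name appears only in the CN, and because SAN entries
# exist the CN is ignored by RFC 6125 matching.
PLAN_BAD = {"cn": NEW_HOST, "san_dns": [OLD_HOST, CLUSTER_FQDN]}

if __name__ == "__main__":
    for label, plan in (("ok", PLAN_OK), ("bad", PLAN_BAD)):
        missing = uncovered_names(plan["cn"], plan["san_dns"], REQUIRED)
        print(label, "missing:", missing or "none")
```

Running the check against the name list before submitting the CSR matters most when signing takes days, since a missing SAN entry is only discovered after the rename otherwise.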