Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1082
Views
5
Helpful
5
Replies

CMS with Expressway Public vs. internal CA Certificate Requirements

Nick Halbert-Lillyman
Level 8
Level 8

‎05-09-2017 06:14 PM - edited ‎03-18-2019 01:05 PM

I've been reading through the certificate requirements for CMS and the guides are currently focused on either single combined deployment, or split deployment of CMS, rather than CMS + Expressway.

I'm trying to confirm if I still need my Web bridge and XMPP server signed by a public CA if I'm using Expressway for all external connectivity (i.e. WebRTC)?  Or do I only need a public certificate on Expressway-E, providing it has the guest join URI as a SAN?

Labels:
0 Helpful
5 Replies 5

DenysAdams
Level 1
Level 1

‎05-16-2017 03:35 PM

On your expressway E you just need the Certificate  SAN of the guest join URI, and your good to go,


be aware if your using Expressway E only.

Branding does not work
And External CMA does not work 

Nick Halbert-Lillyman
Level 8
Level 8
In response to DenysAdams

‎05-16-2017 04:35 PM

OK thanks - so Webbridge on CMS can just use the internal CA or in most cases the same internal certificate as the Callbridge and Webadmin etc?

0 Helpful

DenysAdams
Level 1
Level 1
In response to Nick Halbert-Lillyman

‎05-16-2017 04:38 PM

Yes, because the Expressway E will be the point of access and its certificate is checked, just be sure that your expressway C trusts your CMS.

Also you may want WebRTC internally in your organisation so, sign it with an Internal CA,
that way internally you can browse to the CMS Webbridge for webRTC

0 Helpful

Ingeniero de Soporte Noc Micronet
Level 1
Level 1
In response to DenysAdams

‎09-27-2017 03:43 PM

Hello,

 

did you get this issue resolved?

 

Im having the same problem, and I´m curios about how the webbridge certificate (CSR, public or internal CA) need to be created and how the dns internal record configured.

 

thanks!

0 Helpful

Zoltan Kelemen
Cisco Employee
Cisco Employee
In response to Ingeniero de Soporte Noc Micronet

‎10-02-2017 11:17 AM

I recommend the following rule of thumb:

  • whatever needs to be accessed by clients not controlled by you should have certificates signed by a trusted public CA
  • internal services that never get accessed by end-users and/or are only for server to server connections, are free to use internal CA.

 

If you have control over all internal users, or having a certificate warning pop-up is considered acceptable, you can use an internal CA.

 

more details on CMS Certificates and DNS requirements.

0 Helpful
Customers Also Viewed These Support Documents