1450 Views | 31 Helpful | 9 Replies

Expressway Certificate issue

Devansh
Level 1

As per the document below, it is recommended to use signed certificates for Call Manager and Tomcat in an Expressway environment, but in our environment most of the CUCMs are running with self-signed certificates. Could you please explain how it is working?

https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-9/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-9.pdf

We recommend using CA-signed certificates for best end-to-end security between external endpoints and internal
endpoints. However, if you do use self-signed certificates, the two certificates must have different common names.
This is because the Expressway does not allow two self-signed certificates with the same CN. If the CallManager and
tomcat self-signed certs have the same CN in the Expressway's trusted CA list, then it can only trust one of them.
This means that either secure HTTP or secure SIP, between Expressway-C and Cisco Unified Communications
Manager, will fail.

9 Replies

Which transport protocol do you use for the neighbor zone, TLS or TCP?

Could you provide us more details on how you set up the Expressway-C, and what certificates you uploaded to the trust store, etc.?

With just the self-signed Tomcat certificate, you can get MRA up and running. You can't do encryption between the Expressway-C and CUCM, nor can you do TLS Verification between the systems. With the self-signed Tomcat certificate from Unity Connection and IMP you can make those services also available via MRA without encryption on the internal side.

If you want to do encryption and/or TLS Verification between the Expressway-C and CUCM, or if you want to provide ICE services to external endpoints, this requires (among other things...there are a few) that both the CUCM Tomcat and CUCM Server certificates be uploaded into the Expressway-C. When you upload multiple certificates from the same server into Expressway-C, they can't have the same 'name' in the certificate (which they do in the self-signed certificates). So you can't upload both the self-signed Tomcat and self-signed CUCM certificates to the Expressway-C.

So this is why CA-signed certificates are recommended. Once you CA-sign the CUCM and Tomcat certificates, they are seen as different certificates by the Expressway-C and therefore both can be uploaded. Uploading both gives you the ability to increase security on the Enterprise/internal side of your deployment by allowing for encryption between Expressway-C and your internal servers, along with TLS Verification for systems, among other enhancements.

Does that help explain the 'why'? What other questions do you have?

Maren
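A check that reproduces the rule Maren describes, added here as an example (not code from this thread or from Cisco): it uses openssl to read the subject and issuer of each PEM file in a folder, treats subject equal to issuer as self-signed, and counts CNs shared by more than one self-signed certificate. The hostnames are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from Cisco: reproduce the Expressway-C
# trust-store rule with openssl. Subject == issuer is taken as "self-signed";
# a CN shared by more than one self-signed cert is a collision, and the
# Expressway-C would keep only one of them. Hostnames are constructed.
set -eu

# Print "<CN>\t<self-signed|ca-signed>\t<file>" for every *.pem in a directory.
describe_certs() {
    local dir="$1" f subj issuer cn kind
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        cn=$(printf '%s\n' "$subj" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
        if [ "$subj" = "$issuer" ]; then kind=self-signed; else kind=ca-signed; fi
        printf '%s\t%s\t%s\n' "$cn" "$kind" "$f"
    done
}

# Count CNs that appear on more than one self-signed certificate.
count_cn_collisions() {
    describe_certs "$1" |
        awk -F'\t' '$2 == "self-signed" { n[$1]++ }
                    END { c = 0; for (k in n) if (n[k] > 1) c++; print c }'
}

# Constructed demo store: CUCM generates its tomcat and CallManager self-signed
# certificates with the same CN (the node FQDN); Unity Connection uses its own.
make_demo_store() {
    local dir="$1" name
    mkdir -p "$dir"
    for name in tomcat callmanager; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=cucm1.example.internal" \
            -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
    done
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=cuc1.example.internal" \
        -keyout "$dir/cuc.key" -out "$dir/cuc.pem" 2>/dev/null
}

# Stand-alone run: build the demo store, list it, and report collisions.
store=$(mktemp -d)
make_demo_store "$store"
describe_certs "$store"
printf 'CN collisions among self-signed certificates: %s\n' "$(count_cn_collisions "$store")"
rm -rf "$store"
```

Point `describe_certs` at a folder of certificates exported from CUCM OS Administration to see which ones would clash before uploading them to the Expressway-C trust store.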

Devansh
Level 1

Not sure if I fully understand what you mean by "whenever we signing the certificate usually we will mention the Call manager FQDN and expressway cluster FQDN, Unity Connection FQDN." Would you mind elaborating?

If you mean that each of these has its own FQDN as part of the name in its own individual certificate, that's how it is supposed to be, so that clients and servers can verify the identity of the system. If you mean that you put all of these systems' FQDNs into the certificate signing request on the Expressways, that's not really needed.

On the Expressway-E certificate you only need to add your public domain as a DNS entry. There is no need to add the CUCM or CUC FQDN on the Expressway certificate.

On the Expressway-C certificate, there is no need to add the CUCM or CUC FQDN either.
Hi Nithin,

Thanks for the update. Most companies will mention the FQDN of Call Manager, Unity and IM. What is the need of mentioning them?

I hope we can also mention the IP address.

I have many sites with Expressway-C and E. Nowhere have I added the CUCM and Unity IP address or FQDN on the Expressway-E and -C certificates.
I've never seen what you reference. In none of the many installations of Expressways I've been a part of has the certificate included the FQDN of CM, CUC or IM.

You cannot have an IP as part of the certificate. I would recommend you read up on the topic at hand, as it seems that you possibly lack some knowledge in the area.