05-18-2017 09:58 PM - edited 03-18-2019 01:07 PM
Hi All,
I am trying to understand the certificates and their usage in Expressway C & E, especially when deploying MRA. I have already read the certificate deployment guide for 8.7.
My understanding so far is:
We have to generate a CSR on both Exp C and Exp E, on all the servers. For Exp C the CSR can be signed by an internal CA, and for Exp E it needs to be signed by an external CA.
Do we also need to add any static routes on Exp E for communication between Exp C and Exp E, or between Exp E and the internet?
Thanks,
Santosh Agrawal
05-19-2017 07:19 AM
About using IPs, read here
https://www.godaddy.com/help/can-i-request-a-certificate-for-an-intranet-name-or-ip-address-6935
In your scenario, you have to upload both root CAs to both servers. To load the private-CA-signed certificate on EXP-C, you first need to upload the root CA that signed it (so it can trust its own certificate), then upload the public CA from EXP-E, so it can trust its certificate. Same theory for EXP-E. Root and intermediate certs are uploaded before the server certificate.
Whether you need static routes or not, that's completely dependent on your network and the configuration you have in place.
05-24-2017 07:02 PM
Also make sure that when signing the Exp-C cert, both the client and server authentication attributes are in the cert, in order to set up a traversal zone.
Re. your static routes, it depends: if you are using 2 NICs on your VCSe, you might want to point all your internal IP addresses out of LAN2 and all others out of LAN1 (or the other way around, depending on how you have set it up).
Please rate if useful
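
A way to check the point in the reply above before uploading a signed certificate, as an added example that is not part of the original thread: it confirms the certificate carries both the server and client authentication Extended Key Usage values. The function names, the sample hostname and the throwaway test certificates are assumptions made for illustration; `-addext` needs OpenSSL 1.1.1 or later.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): verify that a signed certificate
# carries BOTH Extended Key Usage values before uploading it.

# has_both_ekus CERT.pem
#   returns 0 if serverAuth and clientAuth are both present,
#           1 if either is missing (or there is no EKU extension),
#           2 if the file cannot be parsed as a certificate.
has_both_ekus() {
    local text eku
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    # OpenSSL prints the EKU values on the line after this header.
    eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | tail -n1)
    case "$eku" in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
    case "$eku" in *"TLS Web Client Authentication"*) ;; *) return 1 ;; esac
    return 0
}

# make_sample_cert OUT.pem EKU_LIST
#   Builds a constructed, self-signed throwaway certificate for testing the
#   check offline. The CN is a made-up hostname; the key is written next to
#   the certificate as OUT.pem.key.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=expc.example.internal" \
        -addext "extendedKeyUsage=$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Stand-alone use: ./check_eku.sh signed-cert.pem
if [ "$#" -gt 0 ]; then
    if has_both_ekus "$1"; then
        echo "OK: $1 has both server and client authentication EKUs"
    else
        echo "FAIL: $1 is missing server and/or client authentication EKU"
        exit 1
    fi
fi
```

The EKU values are normally set by the CA's certificate template at signing time, so run the check against the signed certificate rather than the CSR.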