Queries on Exp Certificates and static routes

santoshagrawal1
Level 1

Hi All,

I am trying to understand the certificates and their usage in Expressway C & E, especially when deploying MRA. I have already read the certificate deployment guide for 8.7.

My understanding so far is:

We have to generate a CSR in Exp C and E, on all the servers. For Exp C the CSR can be signed by an internal CA, and for Exp E it needs to be signed by an external CA.

  • While generating the CSR in Exp E, what information do we put in the Alternative Names, i.e. the domain names of internal and external users like internal.example.com and external.example.com, or just the external domain? Someone also told me that we can also put the IP address of the servers in case a request comes to the IP address of the servers. In that case which IP do we need to add: the internal IP or the public-facing IP?
  • When we get the certificates signed, which root certificate goes to both C and E for the traversal subzone: the one for the certificate generated by the Exp C CSR or the Exp E CSR?

Do we also need to add any static routes on Exp E for communication between Exp C and Exp E, or Exp E and the internet?

Thanks,

Santosh Agrawal 


Jaime Valencia
Cisco Employee

About using IPs, read here

https://www.godaddy.com/help/can-i-request-a-certificate-for-an-intranet-name-or-ip-address-6935

In your scenario, you have to upload both root CAs to both servers. To load the private-CA-signed certificate on EXP-C, you first need to upload the root CA that signed it (so it can trust its own certificate), then upload the public CA from EXP-E, so it can trust its certificate. Same theory for EXP-E. Root and intermediate certs are uploaded before the server certificate.

Whether you need static routes or not, that's completely dependent on your network and the configuration you have in place.

HTH

java

if this helps, please rate

Dennis Mink
VIP Alumni

Also make sure that when signing the Exp-C cert, both the client and server authentication attributes are in the cert, in order to set up a traversal zone.

Re. your static routes: it depends. If you are using 2 NICs on your VCSe, you might want to point all your internal IP addresses out of LAN2 and all others out of LAN1 (or the other way around, depending on how you have set it up).

Please rate if useful

Please remember to rate useful posts, by clicking on the stars below.
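A pre-upload check for the point Dennis makes about the Exp-C certificate, added here as an example and not taken from the thread: it reads a PEM certificate with the openssl CLI, confirms the Extended Key Usage carries both TLS server and TLS client authentication, and lists the Subject Alternative Names so the domain entries can be reviewed. The certificate path is the only input; hostnames in the comments are assumed, not real deployment names.

```shell
#!/bin/sh
# Pre-flight check for an Expressway server certificate before uploading it.
# Both EKU purposes must be present on the Expressway-C certificate for the
# traversal zone; the SAN list is printed for review of the domain entries.
# Needs OpenSSL 1.1.1 or later for "x509 -ext". Constructed example: the
# PEM path is the only input, e.g. ./cert_check.sh expc.pem

eku_of() {
  # Print the certificate's EKU purposes on one line (empty if none).
  openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
    | tail -n +2 | tr -d '\n' | sed 's/^ *//'
}

sans_of() {
  # Print one SAN entry per line, e.g. "DNS:expc.internal.example.com".
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tail -n +2 | tr ',' '\n' | sed 's/^ *//' | grep .
}

check_cert() {
  # Return 0 only when both EKU purposes are present; report what is missing.
  cert="$1"
  eku=$(eku_of "$cert")
  rc=0
  case "$eku" in *"TLS Web Server Authentication"*) ;;
    *) echo "MISSING serverAuth in $cert"; rc=1 ;; esac
  case "$eku" in *"TLS Web Client Authentication"*) ;;
    *) echo "MISSING clientAuth in $cert"; rc=1 ;; esac
  echo "EKU : ${eku:-<none>}"
  echo "SANs:"
  sans_of "$cert" | sed 's/^/  /'
  return "$rc"
}

# When run directly with a path argument, check that certificate.
if [ -n "${1:-}" ]; then
  check_cert "$1"
fi
```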
