ACME/Let's Encrypt for Expressway C

scott.leonard
Beginner

I'm setting up Expressway E and C clusters for MRA. I'm looking at the documentation for the CSR process and it's not clear how the Xway C works with the Let's Encrypt CA.

Let's Encrypt must be able to reach the cluster for domain validation. This is fine for the Xway E cluster, but the Xway C cluster has private addresses and cannot be reached by Let's Encrypt.

Is it just not possible to use ACME for the Xway C cluster, or does the CSR generated on the Xway E cluster also take care of the C cluster somehow?

1 Accepted Solution

Accepted Solutions

Jaime Valencia
Hall of Fame Cisco Employee

For MRA, the only server you want a public CA cert on is EXP-E; all other servers can use private CAs or self-signed (though self-signed means there will be a lot of certificate exchange going on for all the trust to work).

HTH

java

if this helps, please rate

3 Replies

scott.leonard
Beginner

After looking at this a while longer I realized that ACME is only for the Xway E. The chapter title in the guide is "Using ACME on Expressway-E" so, duh!

But then the next question is can I use my in-house CA for Xway C or will I need to get the cert from a public CA?

Some of the Jabber clients traversing MRA will be installed on personal devices. If we used our in-house CA would we have to put it into the Trusted Roots on those personal devices or do the Jabber clients not care about Xway C certs?

Jaime Valencia
Hall of Fame Cisco Employee

For MRA, the only server you want a public CA cert on is EXP-E; all other servers can use private CAs or self-signed (though self-signed means there will be a lot of certificate exchange going on for all the trust to work).

HTH

java

if this helps, please rate

You would need to put the root CA and any intermediate certificate into the clients' trust store for it to trust the CA that signed the certificate. You'd also have to put the root CA and intermediate certificates of Let's Encrypt in the trusted CA list on C for it to trust the certificate of the E for its internal communication between each other.
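
The trusted-CA-list requirement described in the replies above can be checked offline with `openssl` before any certificate is uploaded. This is an added example, not part of the thread or of Cisco's documentation: it builds a constructed root, intermediate and leaf (all names, file names and the `expe.example.com` host name are assumptions) and shows that the leaf is rejected until both CA certificates are in the list the verifier trusts.

```shell
# Constructed demo: all certificates are throwaway ones generated locally.
# They stand in for a server certificate issued through a CA's intermediate.

# trusts <trusted-ca-list.pem> <cert.pem>: succeeds only if the certificate
# chains to the CAs in the list (nothing else is supplied to the verifier).
trusts() { openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; }

# build_demo_pki <dir>: create root -> intermediate -> leaf under <dir>.
build_demo_pki() {
  d=$1
  cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:expe.example.com
EOF
  openssl req -x509 -config "$d/x.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Constructed Root CA" -extensions v3_ca \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  for c in int leaf; do   # one key and CSR each for intermediate and leaf
    openssl req -new -config "$d/x.cnf" -newkey rsa:2048 -nodes \
      -subj "/CN=constructed-$c" -keyout "$d/$c.key" -out "$d/$c.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/x.cnf" -extensions v3_ca \
    -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -extfile "$d/x.cnf" -extensions v3_leaf \
    -out "$d/leaf.pem" 2>/dev/null
  cat "$d/root.pem" "$d/int.pem" > "$d/root_and_int.pem"
}

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
if trusts "$demo_dir/root.pem" "$demo_dir/leaf.pem"; then root_only=trusted; else root_only=rejected; fi
if trusts "$demo_dir/root_and_int.pem" "$demo_dir/leaf.pem"; then full_list=trusted; else full_list=rejected; fi
echo "root only: $root_only; root + intermediate: $full_list"
rm -rf "$demo_dir"
```

The `trusts` function works the same way on real files: pass it the CA bundle exported from the verifying side and the PEM certificate of the peer.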
