Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
694
Views
5
Helpful
3
Replies

ACME/Let'sEncrypt for Expressway C

Go to solution
scott.leonard
Level 1
Level 1

‎05-10-2020 12:37 PM

I'm setting up Expressway E and C clusters for MRA. I'm looking at the documentation for CSR process and it's not clear how the Xway C works with the Let'sEncrypt CA.

 

Let'sEncrypt must be able to reach the cluster for domain validation. This is fine for the Xway E cluster but the Xway C cluster has private addresses and cannot be reached by Let'sEncrypt.

 

Is it just not possible to use ACME for the Xway C cluster or does the CSR generated on the Xway E cluster also take care of the C cluster somehow?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jaime Valencia
Cisco Employee
Cisco Employee
In response to scott.leonard

‎05-10-2020 05:47 PM

For MRA the only server you want a public CA cert, is EXP-E, all other servers can use private CAs, or self-signed (though self-signed means there will be a lot of certificate exchange going on for all the trust to work)

HTH

java

if this helps, please rate

View solution in original post

0 Helpful
3 Replies 3

Go to solution
scott.leonard
Level 1
Level 1

‎05-10-2020 03:42 PM

After looking at this a while longer I realized that ACME is only for the Xway E. The chapter title in the guide is "Using ACME on Expressway-E" so, duh!

But then the next question is can I use my in-house CA for Xway C or will I need to get the cert from a public CA?

Some of the Jabber clients traversing MRA will be installed on personal devices. If we used our in-house CA would we have to put it into the Trusted Roots on those personal devices or do the Jabber clients not care about Xway C certs?
0 Helpful

Go to solution
Jaime Valencia
Cisco Employee
Cisco Employee
In response to scott.leonard

‎05-10-2020 05:47 PM

For MRA the only server you want a public CA cert, is EXP-E, all other servers can use private CAs, or self-signed (though self-signed means there will be a lot of certificate exchange going on for all the trust to work)

HTH

java

if this helps, please rate
0 Helpful

Go to solution
Roger Kallberg
VIP
VIP
In response to scott.leonard

‎05-10-2020 10:38 PM

You would need to put the root CA and any intermediate certificate into the clients trust store for it to trust the CA that signed the certificate. You’d also have to put the root CA and intermediate certificates of Let’s Encrypt in the trusted CA list on C for it to trust the certificate of the E for its internal communication between each other.



Response Signature


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents