ACME/Let's Encrypt for Expressway C

scott.leonard
Level 1

I'm setting up Expressway E and C clusters for MRA. I'm looking at the documentation for the CSR process and it's not clear how the Xway C works with the Let's Encrypt CA.

Let's Encrypt must be able to reach the cluster for domain validation. This is fine for the Xway E cluster, but the Xway C cluster has private addresses and cannot be reached by Let's Encrypt.

Is it just not possible to use ACME for the Xway C cluster, or does the CSR generated on the Xway E cluster also take care of the C cluster somehow?

Accepted Solutions

For MRA, the only server you want a public CA cert on is EXP-E; all other servers can use private CAs or self-signed certificates (though self-signed means there will be a lot of certificate exchange going on for all the trust to work).

HTH

java

if this helps, please rate


3 Replies

scott.leonard
Level 1
After looking at this a while longer I realized that ACME is only for the Xway E. The chapter title in the guide is "Using ACME on Expressway-E" so, duh!

But then the next question is can I use my in-house CA for Xway C or will I need to get the cert from a public CA?

Some of the Jabber clients traversing MRA will be installed on personal devices. If we used our in-house CA would we have to put it into the Trusted Roots on those personal devices or do the Jabber clients not care about Xway C certs?

You would need to put the root CA and any intermediate certificate into the client's trust store for it to trust the CA that signed the certificate. You'd also have to put the root CA and intermediate certificates of Let's Encrypt in the trusted CA list on C for it to trust the certificate of the E for their internal communication with each other.



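The trust-store requirement described in the replies above can be checked offline before rolling out an in-house CA. The script below is an added example, not part of the original thread or of any Cisco tooling: it assumes the `openssl` CLI is installed, builds a constructed lab PKI (root CA, issuing CA, and a leaf standing in for an Expressway-C certificate; all names are hypothetical), and verifies the leaf against different trust stores.

```bash
#!/usr/bin/env bash
# Constructed lab PKI (hypothetical names): root CA -> issuing CA -> leaf "expc".
# "other" is an unrelated root, standing in for a device that never got the in-house root.

# new_key_csr <dir> <name>: fresh RSA key plus CSR with subject "CN=Lab <name>"
new_key_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab $2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
}

# self_sign <dir> <name>: self-signed CA certificate from <name>.csr
self_sign() {
  openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 30 \
    -extfile "$1/ca.ext" -out "$1/$2.pem" >/dev/null 2>&1
}

# issue <dir> <issuer> <name> <extfile>: sign <name>.csr with the issuer's key
issue() {
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 30 -extfile "$1/$4" -out "$1/$3.pem" >/dev/null 2>&1
}

build_lab_pki() {
  echo 'basicConstraints=critical,CA:TRUE' > "$1/ca.ext"
  echo 'subjectAltName=DNS:expc.lab.example' > "$1/leaf.ext"
  for n in root other issuing expc; do new_key_csr "$1" "$n" || return 1; done
  self_sign "$1" root && self_sign "$1" other &&
    issue "$1" root issuing ca.ext && issue "$1" issuing expc leaf.ext
}

# chain_trusted <trust-store.pem> <leaf.pem> [intermediates.pem]
# Exit status 0 only if the leaf chains to a root in the given store.
# -no-CApath keeps the system trust directory out of the decision.
chain_trusted() {
  if [ -n "${3:-}" ]; then set -- "$1" "$2" -untrusted "$3"; fi
  store="$1"; leaf="$2"; shift 2
  openssl verify -no-CApath -CAfile "$store" "$@" "$leaf" >/dev/null 2>&1
}

lab=$(mktemp -d)
build_lab_pki "$lab" || echo "lab PKI build failed (is openssl installed?)"
chain_trusted "$lab/root.pem" "$lab/expc.pem" "$lab/issuing.pem" &&
  echo "root in store, intermediate available: trusted"
chain_trusted "$lab/root.pem" "$lab/expc.pem" ||
  echo "root in store, intermediate missing: rejected"
chain_trusted "$lab/other.pem" "$lab/expc.pem" "$lab/issuing.pem" ||
  echo "in-house root not in store: rejected"
rm -rf "$lab"
```

To check real certificates, call `chain_trusted` with the exported trust store, the server certificate, and the intermediate bundle in place of the lab files.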