Showing results for 
Search instead for 
Did you mean: 

Clustered Expressway Edge using FQDN of Cluster as Common Name in CSR


Hi all,


Kindly need your help

currently, I have set up clustered expressway edge for Jabber MRA as below



My question is

  1. If I use FQDN of Cluster as Common Name do I need to generate the certificate on each expressway edge node?
  2. Whether the CSR will look like as table below?
Expressway EdgeCommon NameSAN
This CSR generated on

This CSR generated on

This CSR generated on

Best Regards,

Nanda Nurhadyan
6 Replies 6

Roger Kallberg
VIP Expert VIP Expert
VIP Expert

I would say that you would only need to generate the certificate on the master node in your cluster with the content of the SAN as you have in your list. Then you’d upload it to each cluster node with root CA certs.

Response Signature

The above will  be the best option.


you can also refer the below link.

Response Signature

Looking for your help Nithin- in the process of building clusters EXP-C/E where all nodes are still standalone. According to the cisco official video above, CN is the FQDN of the expressway while the documentation says the CN should be the FQDN of the cluster. Please advise. 

If the Expressway is not clustered:

Subject Common Name = FQDN of Expressway

Subject Alternate Names = leave blank*

If the Expressway is clustered, with individual certificates per Expressway:

Subject Common Name = FQDN of cluster

Subject Alternate Name = FQDN of Expressway peer, FQDN of cluster*


Hi Roger, 


So I just need to generate the CSR from master node and upload on each node in the cluster that should work? 


Because I worried that the private key from each node is different then if I only generate CSR from master node and get sign from Public CA, when I upload on each node in the cluster it will not work because the private key is different each nodes.


Best Regards,

Nanda Nurhadyan

You can copy the private key from the first sever and use it in the reaming.


follow the below steps to copy the private key from primary.

  • login as root.
  • go to /tandberg/persistent/certs
  • cat privkey.pem
  • copy the content and save it as private.pem

you can learn more about from the below link.



Load a Server Certificate and Private Key Onto Expressway

The Expressway’s server certificate is used to identify the Expressway when it communicates with client systems using TLS encryption, and with web browsers over HTTPS.

As well as these instructions, a video demonstration of the process provided by Cisco TAC engineers is available on the Expressway/VCS Screencast Video List page.

To upload a server certificate:

  1. Go to Maintenance > Security > Server certificate.

  2. Use the Browse button in the Upload new certificate section to select and upload the server certificate PEM file.

  3. If you used an external system to generate the Certificate Signing Request (CSR) you must also upload the server private key PEM file that was used to encrypt the server certificate. (The private key file will have been automatically generated and stored earlier if the Expressway was used to produce the CSR for this server certificate.)

    • The server private key PEM file must not be password protected.

    • You cannot upload a server private key if a certificate signing request is in progress.

  4. Click Upload server certificate data.

    • When you generate a CSR in X7, the application puts csr.pem and privkey_csr.pem into /tandberg/persistent/certs.

    • When you generate a CSR in X8, the application puts csr.pem and privkey.pem into /tandberg/persistent/certs/generated_csr.

If you want to upgrade from X7 and have an unsubmitted CSR, then we recommend you to discard the CSR before upgrade, and then regenerate the CSR after upgrade.

server certificate image




Response Signature

Great answer @Nithin Eluvathingal (+5)

Response Signature

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: