Kindly need your help
currently, I have set up clustered expressway edge for Jabber MRA as below
My question is
|Expressway Edge||Common Name||SAN|
|This CSR generated on edge1.domain.com||cluster1.domain.com|
|This CSR generated on edge2.domain.com||cluster1.domain.com|
|This CSR generated on edge3.domain.com||cluster1.domain.com|
I would say that you would only need to generate the certificate on the master node in your cluster with the content of the SAN as you have in your list. Then you’d upload it to each cluster node with root CA certs.
Looking for your help Nithin- in the process of building clusters EXP-C/E where all nodes are still standalone. According to the cisco official video above, CN is the FQDN of the expressway while the documentation says the CN should be the FQDN of the cluster. Please advise.
If the Expressway is not clustered:
Subject Common Name = FQDN of Expressway
Subject Alternate Names = leave blank*
If the Expressway is clustered, with individual certificates per Expressway:
Subject Common Name = FQDN of cluster
Subject Alternate Name = FQDN of Expressway peer, FQDN of cluster*
So I just need to generate the CSR from master node and upload on each node in the cluster that should work?
Because I worried that the private key from each node is different then if I only generate CSR from master node and get sign from Public CA, when I upload on each node in the cluster it will not work because the private key is different each nodes.
You can copy the private key from the first sever and use it in the reaming.
follow the below steps to copy the private key from primary.
you can learn more about from the below link.
The Expressway’s server certificate is used to identify the Expressway when it communicates with client systems using TLS encryption, and with web browsers over HTTPS.
As well as these instructions, a video demonstration of the process provided by Cisco TAC engineers is available on the Expressway/VCS Screencast Video List page.
To upload a server certificate:
Go to Maintenance > Security > Server certificate.
Use the Browse button in the Upload new certificate section to select and upload the server certificate PEM file.
If you used an external system to generate the Certificate Signing Request (CSR) you must also upload the server private key PEM file that was used to encrypt the server certificate. (The private key file will have been automatically generated and stored earlier if the Expressway was used to produce the CSR for this server certificate.)
The server private key PEM file must not be password protected.
You cannot upload a server private key if a certificate signing request is in progress.
Click Upload server certificate data.
When you generate a CSR in X7, the application puts csr.pem and privkey_csr.pem into /tandberg/persistent/certs.
When you generate a CSR in X8, the application puts csr.pem and privkey.pem into /tandberg/persistent/certs/generated_csr.
If you want to upgrade from X7 and have an unsubmitted CSR, then we recommend you to discard the CSR before upgrade, and then regenerate the CSR after upgrade.