07-28-2020 01:57 PM
I originally posted this in security since it's a question about SSL certs, but I was told since it's for a voice product I might find better help here.
Hello, I'm needing to install either a renewed GoDaddy cert, or my boss suggested the wildcard cert, onto a Cisco Expressway-E server, but all the instructions I found talk about creating a CRS key and then getting the cert with the new CRS key. I found a video where some guy just installed the renewed cert like it wasn't even a thing, just uploaded the single file and that was that.
I'm confused now. I'm not a security tech, and I don't want to break it if I do it wrong. Can I just upload the new GoDaddy cert? If I install the wildcard cert instead what all do I need?
07-28-2020 02:34 PM
There are only two options, but without knowing exactly what you plan to use that certificate for, my best recommendation is to engage a reputable consultant or a Cisco partner WITH voice specializations to discuss exactly what that exp-e is used for, and what would be required in the certificate for everything to work properly.
If you still want to go ahead, the two options are:
A) Generate a CSR on the server, have it signed, then upload the signed certificate which will match the private key that is in the server.
B) Generate the private key and the CSR or certificate with any other option you want to use, and then upload the signed certificate and the matching private key.
07-28-2020 04:36 PM
Hi,
Look at these videos; I think they might help you:
Here is the URL for a video that explains how to extract the private key from your Expressway server: https://video.cisco.com/video/5828517977001
Here are some steps that may also help you while installing new certificates in the Expressway servers.
How to generate a CSR in EXPWY servers: https://video.cisco.com/video/5809964179001
How to install a server certificate in the EXPWY servers (procedure for the intermediate is the same as for the root): https://video.cisco.com/video/5819742564001
How to generate trust between EXPWY-C and EXPWY-E: https://video.cisco.com/video/6120786941001
EXPWY Certificates Guide: https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-9/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-9.pdf
How to extract the private key from an EXPWY server: https://video.cisco.com/video/5828517977001
Certificate Key Matcher: https://www.sslshopper.com/certificate-key-matcher.html
Regards
Leonardo Santana
07-28-2020 06:32 PM
Are you going to renew, or have you already got the renewed certificate?
Below is a production Expressway-E certificate with CN=*.domain purchased from Digicert; if you look into the DNS fields, they contain all the names which I included in the CSR.
But with a GoDaddy wildcard certificate, my experience is that they don't provide the DNS entries which we requested in the CSR; instead they mention only *.domain, and this will affect features like MRA.
GoDaddy is cheap compared to Digicert, but the support is the worst.
07-28-2020 11:08 PM
For a similar CSR, below is the wildcard certificate which we received from GoDaddy. When the customer opted for a SAN certificate for the same CSR, GoDaddy provided a certificate with all DNS fields.
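An added example (not from any poster in this thread or from Cisco documentation) of two checks worth running with `openssl` before uploading a signed certificate: that it matches the private key, as option B above requires, and which DNS names requested in the CSR are absent from the issued certificate, the difference described in the last two replies. The function names, file names and `example.test` host names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names, paths and host names are constructed placeholders.

# Print the public key (PEM) of a private key, CSR, or certificate.
pubkey_of() {  # usage: pubkey_of key|csr|cert FILE
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
  esac 2>/dev/null
}

# Succeeds only if the certificate was issued for this private key
# (option B: the key uploaded with the certificate must match it).
key_matches_cert() {  # usage: key_matches_cert KEY CERT
  k=$(pubkey_of key "$1") && c=$(pubkey_of cert "$2") &&
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# DNS subjectAltName entries from `openssl ... -text` output, one per line.
dns_names() { grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | sort -u; }
csr_sans()  { openssl req  -in "$1" -noout -text | dns_names; }
cert_sans() { openssl x509 -in "$1" -noout -text | dns_names; }

# Names requested in the CSR that are not listed in the issued certificate.
missing_sans() {  # usage: missing_sans CSR CERT
  have=$(cert_sans "$2")
  csr_sans "$1" | while read -r name; do
    printf '%s\n' "$have" | grep -qxF -e "$name" || printf '%s\n' "$name"
  done
}

# Constructed sample: a CSR asking for three names, and a self-signed
# stand-in for an issued certificate that lists only the wildcard.
make_sample() {  # usage: make_sample DIR
  san='subjectAltName=DNS:*.example.test,DNS:expe.example.test,DNS:join.example.test'
  openssl req -newkey rsa:2048 -nodes -keyout "$1/server.key" \
    -out "$1/server.csr" -subj '/CN=*.example.test' -addext "$san" 2>/dev/null
  openssl req -x509 -key "$1/server.key" -days 1 -out "$1/server.crt" \
    -subj '/CN=*.example.test' \
    -addext 'subjectAltName=DNS:*.example.test' 2>/dev/null
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}
```

With real files, `key_matches_cert server.key issued.crt && missing_sans server.csr issued.crt` prints nothing when the key matches and every requested name was issued.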