Jabber Expressway (on iPhones) is down due to expired Cert

mikep83
Level 1

Dear all,

I hope you can help. We recently came to realise that at least one certificate (possibly more) has expired, meaning that we cannot get any services using the Jabber app on iPhones.

We have a support company who have taken a look at this and generated 2 x CSR files, one for Expressway C and one for E.

I have then taken those CSRs and enrolled them using our internal Windows cert authority. On handing back the finished .CER files I was told that the files need to be in PEM format, so I found a converter on the internet that did this, and the files became .CRT files.

On handing over the .CRT files to our phone support company, they have advised me they need the root CA certificate. I have given them this but now they have advised me they are getting the attached error (please see JPG). Is that because it needs the root CA of an external paid-for company?

My experience and knowledge of this is limited, but about a week before all this went down, I did get an email from an external company called COMODO CA. They advised me we had expiring certs in the next 90 days and would I like to renew.

I think the issue is the CSR request files were generated based on COMODO CA's root certificate but I cannot obtain this. Should I just speak to COMODO and just pay for the 3 x certificates, the root CA, the JAB E and JAB C certs?

Jabber for iPhones has been down for over a week now and I don't feel like I am making any progress but realise I need to do something quite soon. I hope you can help and maybe give me some pointers based on the screenshot too?

Many thanks

Accepted Solutions

Hi,

As a COMODO customer, you should have access to their Certificate Management Portal where you can log in, upload the CSR and generate the certificate. If you do not know the process, contact their technical support team.

All the certificates must be in .PEM format. You can use this process to convert .CER to .PEM format:

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/exwy_b_certificate-creation-use-deployment-guide/exwy_b_certificate-creation-use-deployment-guide_chapter_01010.html

Please go through the above document and also through the videos below:

Generating CSR for MRA/ Clustered Expressways

https://video.cisco.com/video/5809964179001

Installing a Server Certificate to an Expressway

https://video.cisco.com/video/5819742564001

Generally, Root and Intermediate CA certificates are provided with your server certificate.

Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.


Vaijanath Sonvane
VIP Alumni

Hi,

Please note that the Expressway-E server requires a Public CA signed certificate. An internally signed certificate doesn't work. If you received an email from COMODO about expiring certificates, that means you were using Public CA signed certificates for Expressway-C and E. I would recommend reaching out to COMODO, re-generating the CSRs for Expressway-C and E, and signing the certificates using a Public CA.

Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.

Jaime Valencia
Cisco Employee

You want to invest some time reading and learning PKIs and certificates; they're A MUST these days for pretty much everything.

A) CSRs are not generated based on a particular CA; you generate a CSR either in the system or offline and send it to a CA (public/private) to have it signed. You need to know what info you need in the certificate, that it's accurate for your deployment, and that the right template is used when signing it.

B) There is a whole document dedicated to certificates on Expressways; if you haven't, you should read it.

C) You don't pay for the root certificate; that one is given to you in case your system doesn't have it or it needs to be updated.

D) Root and intermediate certificates are uploaded BEFORE the actual certificate, which is the problem from the screenshot.

If you lack the knowledge to understand exactly what should be in the contents of the CSR of EXP-C and EXP-E, the system will auto-fill some of the fields with what it detects from the configuration, but they could be manually modified if they are not correct or if less/more are needed depending on your particular needs. You might want to reach out to a reputable consultant to make sure you get this right and your system works again.

HTH

java

if this helps, please rate
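
The checks discussed in this thread (converting a CA's .CER export to PEM, confirming the certificate belongs to the CSR, and confirming which root it chains to) can be run locally with OpenSSL before anything is uploaded. This is an added example, not part of any post in the thread or of Cisco's documentation; the lab directory, file names and the `expe.example.com` subject are constructed, and `to_pem`, `csr_matches`, `chain_ok` and `build_lab` are hypothetical helper names.

```bash
#!/usr/bin/env bash
# Added example with a constructed lab PKI; all names and paths are assumptions.
set -eu

# Normalise a CA export to PEM, whether it arrived as Base64 text or binary DER.
to_pem() {  # to_pem <in.cer> <out.pem>
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        openssl x509 -in "$1" -out "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# True only if the certificate carries the same public key as the CSR.
csr_matches() {  # csr_matches <server.csr> <server.pem>
    [ "$(openssl req -in "$1" -noout -pubkey | openssl sha256)" = \
      "$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)" ]
}

# True only if the server certificate chains to the CA file being trusted.
chain_ok() {  # chain_ok <ca.pem> <server.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build two unrelated roots and one CSR, then sign the CSR with the first root.
build_lab() {  # build_lab <dir>
    for ca in internal public; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=Constructed $ca root" \
            -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null
    done
    # The CSR is created without reference to either CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=expe.example.com" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -CA "$1/internal.pem" \
        -CAkey "$1/internal.key" -CAcreateserial -days 30 \
        -out "$1/signed.pem" 2>/dev/null
    # Re-encode as DER to imitate a binary .cer export from a Windows CA.
    openssl x509 -in "$1/signed.pem" -outform DER -out "$1/srv.cer"
}

lab=$(mktemp -d)
build_lab "$lab"
to_pem "$lab/srv.cer" "$lab/srv.pem"
csr_matches "$lab/srv.csr" "$lab/srv.pem" && echo "cert matches the CSR"
chain_ok "$lab/internal.pem" "$lab/srv.pem" && echo "chains to internal root"
chain_ok "$lab/public.pem" "$lab/srv.pem" || echo "does NOT chain to public root"
```

With real files only `to_pem`, `csr_matches` and `chain_ok` are needed, and none of them requires the private key.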

Thank you both for your replies so far.

To confirm, I have a CSR file for Jab C, and a CSR file for Jab E, so can I give these to Comodo and request certificates, and do they HAVE to be PEM format (which I believe is a crt file format)?

Also I guess Comodo will give me access to the root certificate for free as you said, and I can then import that.

From the screenshot are we saying I need to discard the CSR and also reset to default server certificate, and then apply the Public Comodo root Cert first, then the two paid-for certs?

Thanks
