Solved: Jabber MRA with external Certificates

karen.johnson5801 · ‎05-08-2017

expert,

can someone guide me on steps how to apply external ceritificate , such as : Go Daddy certificates to Jabber MRA?

thanks,

K

Chris Deren · ‎05-09-2017

Did you get a chance to read this guide:

Cisco Expressway Certificate Creation and Use Deployment Guide (X8.9)

View solution in original post

Jaime Valencia · ‎05-11-2017

You can just generate the CSR in your expressway and then have it signed by your public CA, there is no real need create the CSR with openssl, unless you want to, then you would need to upload the key and certificate.

HTH

java

if this helps, please rate

View solution in original post

Jaime Valencia · ‎05-13-2017

Might want to do some reading on CSR and public CA to understand this

https://www.sslshopper.com/what-is-a-csr-certificate-signing-request.html

https://en.wikipedia.org/wiki/Certificate_signing_request

Most Cisco products only allow you to generate a CSR, the private key never leaves the server, and you only upload the signed request.

On a VCS, you can also generate your own private key and CSR, and upload both of them, as in the example from the guide using openssl

If you're going to use MRA for IP Phones, make sure to read the doc on what public CA root certs are uploaded on the devices, as only those will work. If this is only for Jabber, most public CA root certs are already in most devices.

HTH

java

if this helps, please rate

View solution in original post

Alok Jaiswal · ‎05-14-2017

Hi Karen,

I would probably go for Godaddy certificate, I think they have the best deal i believe.

You can go for a UCC certificate and then include all the FQDN as SAN's in a single certificate.

They have options for 5 SAN or 10 SAN's excluding the CN of the certificate which basically means you can have in total 6 or 11 different FQDN's.

We recommend this to all our customer.

It is also supported by the devices registering over MRA for e.g. 7800 or 8800.

Regards,

Alok

View solution in original post

Chris Deren · ‎05-09-2017

Did you get a chance to read this guide:

Cisco Expressway Certificate Creation and Use Deployment Guide (X8.9)

karen.johnson5801 · ‎05-10-2017

Thanks Chris,

I read all the link, is this section " Appendix 2: Certificate Generation using OpenSSL " ?

Is the real implement is really text book following all in Appendix 2 will just work ?

or maybe you have notes from past implementation that you can share here?

thanks,

K

Jaime Valencia · ‎05-11-2017

You can just generate the CSR in your expressway and then have it signed by your public CA, there is no real need create the CSR with openssl, unless you want to, then you would need to upload the key and certificate.

HTH

java

if this helps, please rate

karen.johnson5801 · ‎05-13-2017

Hi Jamie,

"then have it signed by your public CA " , means just send to Go Daddy support to sign and they will send us back with file to upload to Exp-E?

what is better public CA beside GoDaddy that you recommend or used before?

thanks,

K

Jaime Valencia · ‎05-13-2017

Might want to do some reading on CSR and public CA to understand this

https://www.sslshopper.com/what-is-a-csr-certificate-signing-request.html

https://en.wikipedia.org/wiki/Certificate_signing_request

Most Cisco products only allow you to generate a CSR, the private key never leaves the server, and you only upload the signed request.

On a VCS, you can also generate your own private key and CSR, and upload both of them, as in the example from the guide using openssl

If you're going to use MRA for IP Phones, make sure to read the doc on what public CA root certs are uploaded on the devices, as only those will work. If this is only for Jabber, most public CA root certs are already in most devices.

HTH

java

if this helps, please rate

karen.johnson5801 · ‎05-16-2017

Thanks Jamie,

where I read this ?

If you're going to use MRA for IP Phones, make sure to read the doc on what public CA root certs are uploaded on the devices

Thanks,

K

Jaime Valencia · ‎05-16-2017

See here

http://www.cisco.com/c/en/us/support/collaboration-endpoints/unified-ip-phone-8800-series/products-technical-reference-list.html

HTH

java

if this helps, please rate

karen.johnson5801 · ‎05-17-2017

I see thanks

karen.johnson5801 · ‎05-17-2017

Thanks Jaime,

where do I find this ?

If you're going to use MRA for IP Phones, make sure to read the doc on what public CA root certs are uploaded on the devices

best,

K

Alok Jaiswal · ‎05-14-2017

Hi Karen,

I would probably go for Godaddy certificate, I think they have the best deal i believe.

You can go for a UCC certificate and then include all the FQDN as SAN's in a single certificate.

They have options for 5 SAN or 10 SAN's excluding the CN of the certificate which basically means you can have in total 6 or 11 different FQDN's.

We recommend this to all our customer.

It is also supported by the devices registering over MRA for e.g. 7800 or 8800.

Regards,

Alok