
Question on Expressway Clustering?

devils_advocate
Level 7

Hi

We are looking to implement expressway clustering and I have read the line below (from the guide) several times and I still can't figure it out:

"This is achieved by including in the subject alternative names of the Expressway-C certificate the FQDNs of the Expressway-C cluster nodes and by setting the TLS verify subject name equal to the FQDN of the Expressway-C cluster"

I think they are trying to say that I need to generate a certificate for each Exp-C cluster node and include in the SAN, the Exp-C cluster name?

So I create a cert for Exp-C-Node-1 and in this cert I have a SAN entry for exp-c-cluster-1.domain.com.

Right?

I then use the FQDN of the cluster in the Exp-E TLS verify subject name and this will work because the Cert the Exp-E receives from the Exp-C will include this FQDN in its SAN?

Ta

2 Replies

Jaime Valencia
Cisco Employee

If you go to your server and try to generate the CSR, I'm guessing this will be a lot clearer to you, once you see the options in there.

HTH

java

if this helps, please rate

shawnangelo
Level 1

When you generate the CSR you will have a dropdown option that gives you the option of local FQDN or cluster and peers FQDNs (or something worded like that). Create your cluster first and add/verify all peer connections prior to generating the CSR.

Also, for more information check out the Certificate Generation Guide for VCS/Expressway on cisco.com. It is a good resource for this and explains it in more detail.
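
To check the result once a certificate has been issued, the script below lists the DNS entries in a certificate's subject alternative names and tests whether a given FQDN (a peer name or the cluster name) is among them. It is an added example, not part of the thread or of Cisco's guide; the `example.com` FQDNs and the throwaway self-signed certificates are constructed for the demonstration, and it assumes OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added example: verify that a certificate's SAN list contains a given FQDN.
# All FQDNs here are constructed placeholders, not values from a real deployment.

# Print the DNS entries of the certificate's subjectAltName, one per line.
san_names() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n 1 | tr ',' '\n' |
        sed -n 's/^ *DNS://p'
}

# Return 0 if name $2 is an exact (case-insensitive) SAN entry in cert file $1.
san_has_name() {
    san_names "$1" | grep -qixF "$2"
}

# Build a throwaway self-signed cert at $1 with CN $2 and SAN list $3
# (stands in for the CA-signed certificate a real node would hold).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" -subj "/CN=$2" \
        -addext "subjectAltName=$3" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    cluster=exp-c-cluster-1.example.com   # constructed cluster FQDN
    # Certificate generated with the cluster and peer FQDNs in the SAN.
    make_test_cert "$dir/clustered.pem" exp-c-node-1.example.com \
        "DNS:exp-c-node-1.example.com,DNS:exp-c-node-2.example.com,DNS:$cluster"
    # Certificate generated with only the local FQDN.
    make_test_cert "$dir/local-only.pem" exp-c-node-1.example.com \
        "DNS:exp-c-node-1.example.com"
    for c in clustered local-only; do
        if san_has_name "$dir/$c.pem" "$cluster"; then
            echo "$c: $cluster present in SAN"
        else
            echo "$c: $cluster MISSING from SAN"
        fi
    done
    rm -rf "$dir"
}
demo
```

Run `san_has_name` against each node's real certificate file with the cluster FQDN as the second argument before relying on it as the TLS verify subject name.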