cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
898
Views
15
Helpful
6
Replies

Clustered Expressway Edge using FQDN of Cluster as Common Name in CSR

nexth0pself
Level 1
Level 1

Hi all,

 

Kindly need your help

currently, I have set up clustered expressway edge for Jabber MRA as below

 

cluster1.domain.com

  • edge1.domain.com
  • edge2.domain.com
  • edge3.domain.com

 

My question is

  1. If I use FQDN of Cluster as Common Name do I need to generate the certificate on each expressway edge node?
  2. Whether the CSR will look like as table below?
Expressway EdgeCommon NameSAN
This CSR generated on edge1.domain.comcluster1.domain.com

edge1.domain.com

edge2.domain.com

edge3.domain.com

collab-edge.domain.com

cluster1.domain.com

This CSR generated on edge2.domain.comcluster1.domain.com

edge1.domain.com

edge2.domain.com

edge3.domain.com

collab-edge.domain.com

cluster1.domain.com

This CSR generated on edge3.domain.comcluster1.domain.com

edge1.domain.com

edge2.domain.com

edge3.domain.com

collab-edge.domain.com

cluster1.domain.com

Best Regards,

Nanda Nurhadyan
6 Replies 6

I would say that you would only need to generate the certificate on the master node in your cluster with the content of the SAN as you have in your list. Then you’d upload it to each cluster node with root CA certs.



Response Signature


The above will  be the best option.

 

you can also refer the below link.

 

https://video.cisco.com/video/5809964179001



Response Signature


Looking for your help Nithin- in the process of building clusters EXP-C/E where all nodes are still standalone. According to the cisco official video above, CN is the FQDN of the expressway while the documentation says the CN should be the FQDN of the cluster. Please advise. 

If the Expressway is not clustered:

Subject Common Name = FQDN of Expressway

Subject Alternate Names = leave blank*

If the Expressway is clustered, with individual certificates per Expressway:

Subject Common Name = FQDN of cluster

Subject Alternate Name = FQDN of Expressway peer, FQDN of cluster*

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/exwy_b_certificate-creation-use-deployment-guide/exwy_b_certificate-creation-use-deployment-guide_chapter_01.html
Thanks. 

Austin

Hi Roger, 

 

So I just need to generate the CSR from master node and upload on each node in the cluster that should work? 

 

Because I worried that the private key from each node is different then if I only generate CSR from master node and get sign from Public CA, when I upload on each node in the cluster it will not work because the private key is different each nodes.

 

Best Regards,

Nanda Nurhadyan

You can copy the private key from the first sever and use it in the reaming.

 

follow the below steps to copy the private key from primary.

  • login as root.
  • go to /tandberg/persistent/certs
  • cat privkey.pem
  • copy the content and save it as private.pem

you can learn more about from the below link.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-6/exwy_b_certificate-creation-use-deployment-guide/exwy_b_certificate-creation-use-deployment-guide_chapter_0110.html

 

 

Load a Server Certificate and Private Key Onto Expressway

The Expressway’s server certificate is used to identify the Expressway when it communicates with client systems using TLS encryption, and with web browsers over HTTPS.

As well as these instructions, a video demonstration of the process provided by Cisco TAC engineers is available on the Expressway/VCS Screencast Video List page.

To upload a server certificate:

  1. Go to Maintenance > Security > Server certificate.

  2. Use the Browse button in the Upload new certificate section to select and upload the server certificate PEM file.

  3. If you used an external system to generate the Certificate Signing Request (CSR) you must also upload the server private key PEM file that was used to encrypt the server certificate. (The private key file will have been automatically generated and stored earlier if the Expressway was used to produce the CSR for this server certificate.)

    • The server private key PEM file must not be password protected.

    • You cannot upload a server private key if a certificate signing request is in progress.

  4. Click Upload server certificate data.

    • When you generate a CSR in X7, the application puts csr.pem and privkey_csr.pem into /tandberg/persistent/certs.

    • When you generate a CSR in X8, the application puts csr.pem and privkey.pem into /tandberg/persistent/certs/generated_csr.

If you want to upgrade from X7 and have an unsubmitted CSR, then we recommend you to discard the CSR before upgrade, and then regenerate the CSR after upgrade.

server certificate image

 

 

 



Response Signature


Great answer @Nithin Eluvathingal (+5)



Response Signature


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: