Solved: For TLS it will depend on if

dan hale · ‎09-30-2015

Hi All, I've read thru the Unified Communications Mobile and Remote Access via Cisco Expressway and I have a few questions on installing certificates.

Currently we have one Expressway C internally and Expressway E in our DMZ. My questions are and please correct me if I'm wrong:

1. The expressway C can have its certificate signed by an internal CA?

2. The expressway E needs to have it certificate signed by an external CA?

3. Are the above the only certificates that I need to install on expressway-c and expressway-e

4. If I plan to install another Expressway C server in the near future for redundancy will I need to re-issue these certificates of will I just need to generate a CSR for the new Expressway-C and have it signed by a CA?

5. In the Unified Communications Mobile and Remote Access via Cisco Expressway guide it talks about:

"The two Cisco Unified Communications Manager certificates that are significant for Mobile and Remote
Access are the CallManagercertificate and the tomcat certificate.

Do I need to import the call manager certificate and Tomcat into expressway?

Thanks,

Daniel

Manish Gogna · ‎09-30-2015

Hi Daniel,

I will try to answer a few of them. The answer to the first two queries is yes.

- Exp-C creates a CSR request under (VCS > Maintenance > Security Certificates > Server certificate). This is a request to get their own server cert signed by someone. This is then sent to the CA of choice (i.e. Internal CA). Internal Root CA will sign the “Server” cert of Exp-C and it will be installed back on Exp-C under (VCS > Maintenance > Security Certificates > Server certificate)

- Exp-E creates a CSR request under (VCS > Maintenance > Security Certificates > Server certificate). This is a request to get their own server cert signed by someone. This is then sent to the CA of choice (i.e. Public). Public Root CA will sign the “Server” cert of Exp-E and it will be installed back on Exp-E under (VCS > Maintenance > Security Certificates > Server certificate)

- A copy of the Internal Root CA will need to be obtained and installed on VCSe under (VCS > Maintenance > Security Certificates > Trusted CA certificates)

- A copy of the Public Root CA will need to be obtained and installed on VCSc under (VCS > Maintenance > Security Certificates > Trusted CA certificates)

Additionally, If you are not doing TLS for discovery of CUCM then you do not need to upload the Certs between the Exp-C and CUCM, specifically the self-#signed certificate of the CUCM(Tomcat) to Exp-C or the Root CA Certificate of the Exp-C to the tomcat-trust list.

Manish

- Do rate helpful posts -

View solution in original post

Manish Gogna · ‎09-30-2015

Hi Daniel,

I will try to answer a few of them. The answer to the first two queries is yes.

- Exp-C creates a CSR request under (VCS > Maintenance > Security Certificates > Server certificate). This is a request to get their own server cert signed by someone. This is then sent to the CA of choice (i.e. Internal CA). Internal Root CA will sign the “Server” cert of Exp-C and it will be installed back on Exp-C under (VCS > Maintenance > Security Certificates > Server certificate)

- Exp-E creates a CSR request under (VCS > Maintenance > Security Certificates > Server certificate). This is a request to get their own server cert signed by someone. This is then sent to the CA of choice (i.e. Public). Public Root CA will sign the “Server” cert of Exp-E and it will be installed back on Exp-E under (VCS > Maintenance > Security Certificates > Server certificate)

- A copy of the Internal Root CA will need to be obtained and installed on VCSe under (VCS > Maintenance > Security Certificates > Trusted CA certificates)

- A copy of the Public Root CA will need to be obtained and installed on VCSc under (VCS > Maintenance > Security Certificates > Trusted CA certificates)

Additionally, If you are not doing TLS for discovery of CUCM then you do not need to upload the Certs between the Exp-C and CUCM, specifically the self-#signed certificate of the CUCM(Tomcat) to Exp-C or the Root CA Certificate of the Exp-C to the tomcat-trust list.

Manish

- Do rate helpful posts -

dan hale · ‎10-06-2015

Thank you Manish, a couple of other question...we are trying to use TLS for Discovery of CUCM you mentioned loading the self-signed certificate of the CUCM tomcat....is that the tomcat-trust or just tomcat cert.

Also we are planning to have a CA internal sign CUCM so that we do not have to the error when loading the https web pages in CUCM. Should I wait until I have a CA sign that then load the CA signed or is the self-signed cert good enough.

Do I need to do this same process for IM and Presence...out ultimate goal is to do an MRA deployment.

Thanks,

Daniel

shawnangelo · ‎10-07-2015

For TLS it will depend on if you are using self signed or signed certs. If you have an internal CA, it makes things a bit easier as you can put the root CA on every server and not have to bother with installing server certificates into the trust store. (you will obviously still need to install the server certs on each server).

For slef-signed Certificates the exp-c will need the CUCM tomcat server cert installed on expc trust store and the CUCM callmanager server cert installed on expc trust store.

Important note, the callmanager and tomcat certs cannot have the same CN as TLS SIP communications will fail if they do. Check page 46 below.

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-6.pdf

csrlima · ‎07-25-2017

Hi ,

so in case of MRA , we need to publish _collab-ege._tls for discovery . Is this the case you said that is needed certificates between CUCM and EXP C ? Is a must to have CA external for EXP E? or just need to have tls between external jabber and internal phones or internal jabbers?

Best Regards

VCsupport17 · ‎09-01-2016

Hi Manish,

We are planning to deploy MRA and have few questions regarding certificate requirements for both Expressway-C and Expressway-E.

Here are the procedures we have done:

1. Generate CSR on Expressway Core and Expressway Edge and download the CSR file for internal CA signing. We used Microsoft AD as our internal CA. For testing purposes both CSR were signed by internal CA. But for MRA the Expressway Edge CSR should be signed by public CA. But as of now we will test if internal CA signed certificates will work for both Expressways.

2. After authorizing the certificate we uploaded the signed certificate to both Expressways.

My question is how can we obtain copies of the internal root CA so we can upload it on the Expressway Core and Edge as Trusted CA certificates? The AD administrator just provided the two signed certificates.

Thank you.

christos.georgiadis · ‎10-10-2016

you double click on the signed certificate you received and you select the 'certification path' tab. Then select the root ca certificate (normally the topmost certificate) and click on 'view certificate' button. Then click on the Details tab and select the 'copy to file' button to export the root ca. If there is any intermediate you perform the same operation

Normally that should do it

csrlima · ‎07-25-2017

Hi , does it worked (MRA) with internal certificates only , or you DO NEED external CA for ExpresswayE?

Regards

Collaboration Edge MRA deployment with Certificate questions