I am on the eve of certificate renewal of an Expressway cluster, x.8.9.1. They have public certificates. I have analyzed the existing certificate prior to generating the new CSR. It differs from what the Cisco guide explains. The guide mentions:
If the Expressway is clustered, with individual certificates per Expressway:
Subject Common Name = FQDN of cluster
Subject Alternate Name = FQDN of VCS peer, FQDN of cluster*
But I see that the Subject Common Name in the actual certificate, which will expire soon, is not the cluster. It is the FQDN of the Expressway.
In the existing certificate, "Issued to" is expe01.domain.com.
In the newly generated certificate, "Issued to" is expe.domain.com, which is the cluster name.
Can you clarify this further, please? Can I be sure and install the new certificate as in the guide?
The newly generated CSR makes sense to me. The Common Name should have the FQDN of the cluster, and the Alternate Subject Common Name should have the list of the Expressways. It is like generating a Multi-Server certificate request in CUCM; it is the same.
About your old certificate, I can only guess and say that it was probably generated before the Expressways were clustered, when it was a single server per pair.
Thank you for your comment. Regarding the last statement, is it possible to install certificates and add them into clusters afterwards? I mean, is there no need to renew certificates for clusters again?
You must do this process only after you make the 2 servers a cluster, because only after clustering them together, when you make a new CSR, will the CSR contain the cluster name and 2 SANs of the Expressways' FQDNs. That is, if I understand correctly what you asked. :)
Have you gone back to check this afterwards?
I think the document is incorrect. I have a clustered Expressway and the certificate contains the following:
Subject Common Name = FQDN of Expressway (instead of Cluster)
Subject Alternate Name = FQDN of Expressway peer, FQDN of cluster, FQDN of Expressway
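Whichever of the two layouts above the CA ends up issuing, what matters for a cluster is that every name a peer or client will connect to (the cluster FQDN and each Expressway FQDN) appears in the certificate's Subject Alternative Name list, since RFC 6125 verifiers ignore the CN once a SAN extension is present. The following is an added example, not code from the thread or from Cisco; it assumes the `cryptography` package and uses constructed hostnames modelled on the ones in the thread, building throwaway self-signed certificates so the check runs offline.

```python
"""Check an Expressway certificate covers the whole cluster (added example)."""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Constructed names (assumptions), modelled on the thread's expe/expe01 naming.
CLUSTER_FQDN = "expe.domain.com"
PEER_FQDNS = ["expe01.domain.com", "expe02.domain.com"]


def make_self_signed(cn, sans):
    """Build a throwaway self-signed cert with the given CN and SAN DNS names."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=30))
            .add_extension(x509.SubjectAlternativeName(
                [x509.DNSName(s) for s in sans]), critical=False)
            .sign(key, hashes.SHA256()))


def cert_names(cert):
    """Return (CN, set of SAN DNS names) from a parsed certificate."""
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        san = ext.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        san = []
    return cn, set(san)


def missing_names(cert, cluster_fqdn, peer_fqdns):
    """FQDNs absent from the SAN list; empty set means the cert serves the
    whole cluster no matter whether the CN holds the cluster or a peer name."""
    _cn, san = cert_names(cert)
    return {cluster_fqdn, *peer_fqdns} - san


if __name__ == "__main__":
    # Guide layout (CN = cluster) and observed layout (CN = peer) both pass
    # as long as the SAN carries every name; a single-server cert does not.
    guide = make_self_signed(CLUSTER_FQDN, PEER_FQDNS + [CLUSTER_FQDN])
    observed = make_self_signed(PEER_FQDNS[0], PEER_FQDNS + [CLUSTER_FQDN])
    old = make_self_signed(PEER_FQDNS[0], [PEER_FQDNS[0]])
    for label, c in [("guide", guide), ("observed", observed), ("old", old)]:
        print(label, "missing:", sorted(missing_names(c, CLUSTER_FQDN, PEER_FQDNS)))
```

Run it against a real certificate by loading it with `x509.load_pem_x509_certificate` instead of `make_self_signed`.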