06-10-2015 02:09 PM - edited 03-19-2019 09:41 AM
Hi,
I implemented MRA with Expressway-E and C and followed the Cisco guides.
I did a "Secure traversal test" and I got the following errors:
The Expressway-E cannot verify the CA 'XXX', which signed the Expressway-C's certificate
Check that this CA is in the Expressway-E's trusted CA list.
The fact is that the CA is definitely installed on Expressway-E. What went wrong?
Thanks for the help
06-10-2015 05:30 PM
Are you using public CA or private CA certs?
Did you test the cert using the EXP feature for that? Can't recall the name of the option.
You can try deleting, uploading, and rebooting the box.
Did you upload the CRL?
06-11-2015 12:41 AM
For Expressway-C I use private, for Expressway-E public.
06-11-2015 07:07 AM
OK, what about the rest of the questions?
06-12-2015 01:58 AM
The CRL for the internal CA is not required.
It was simpler: the full root cert chain was not uploaded; only one cert of the complete chain was installed.
06-29-2015 09:13 AM
Hi
I have the same problem.
Any solution?
Thanks
07-02-2015 05:43 AM
Yes, it is resolved.
In order for the Expressway-E to accept connections from the Expressway-C, it needed the certificate chain for the internal CA that issued the certificate to the Expressway-C. In my case, the issuing CA had its certificate issued by an intermediate CA, which had its certificate issued by a root CA. I had to install the certificates of all three internal CA hosts into the Expressway-E server before it would accept the certificate issued to the Expressway-C.
Once I had installed the certificates of the issuing CA, Intermediate CA, and root CA, the TLS connection from Expressway-C to Expressway-E could be established.
07-28-2015 03:58 PM
Hi
I do not understand what you mean by the intermediate CA.
I create certificates with OpenSSL based on the following document:
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-5.pdf
To deploy MRA (Mobile Remote Access), how many certificates are uploaded altogether?
Expressway C:
1. generate CSR
2. download CSR
3. send CSR to CA (openssl)
4. upload signed certificate (.pem) (Maintenance - Security Certificates - Server certificate)
5. upload CA certificate (Maintenance - Security Certificates - Trusted CA Certificates)
6. restart
Expressway E:
1. generate CSR
2. download CSR
3. send CSR to CA (openssl)
4. upload signed certificate (.pem) (Maintenance - Security Certificates - Server certificate)
5. upload CA certificate (Maintenance - Security Certificates - Trusted CA Certificates)
6. restart
I downloaded the Tomcat certificates from CUCM and CUPS and then uploaded them to the Expressways (C and E).
With these certificates I have the same error:
SIP: Failed to connect to X.X.X.X:7001 : TLS negotiation failure (X.X.X.X = ip address)
Check the certificates for the traversal connection
Secure traversal test
FQDN of Expressway-E: expreswayE.example.com
TLS verify name of this Expressway-C (as it appears on the Expressway-E): expreswayc.example.com
Results:
Description | The Expressway-E cannot verify the CA 'expresswayC.example.com', which signed the Expressway-C's certificate |
Action | Check that this CA is in the Expressway-E's trusted CA list. |
Am I missing more certificates?
Regards.
08-18-2015 07:40 AM
I can't say for sure because I didn't use OpenSSL.
I used a Microsoft CA.
Within the Microsoft CA topology, an issuing CA may be authorized by an intermediate CA and/or a root CA. So, if I generate the cert from a CA that has an intermediate and root CA, then I need to include certificates from those servers as well, since they are part of the CA chain.
01-09-2017 02:58 AM
Hi,
Do you remember how you solved this?
I have a similar issue, but in my case I used Windows to sign the certificate and there is no intermediate CA involved. The root is installed on ExpC and ExpE, but the verification fails. I also verified the same using the OpenSSL service on ExpC:
openssl verify -verbose -CAfile CA.pem CERT.pem
error 20 at 0 depth lookup:unable to get local issuer certificate
When I look at the certificate, the issued-by field contains the correct name. Is there a way to verify the issuer against the serial number of the CA?
I only use internal certificates for testing purposes.
Regards
Jerome
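The full-chain requirement from the 07-02-2015 reply and the openssl verify check from Jerome's post, reproduced as an added example (not code from the thread or from Cisco): a constructed three-tier private CA signs a leaf cert for the Expressway-C, and openssl verify stands in for the Expressway-E's trusted CA list. All CA names, file names and the hostname expresswayC.example.com are made up; the example also covers the second failure mode, a store holding only the issuing CA, next to the error 20 Jerome saw when the leaf's issuer is absent altogether.

```shell
#!/bin/sh
# Added example, not from the thread: a constructed three-tier private CA
# (root -> intermediate -> issuing) signs an Expressway-C cert; openssl verify
# stands in for the Expressway-E's trusted CA list. All names are made up.
set -e; WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
LEAF="$WORK/expresswayC.example.com.pem"
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = CA:FALSE
EOF
# gen_cert NAME EXT_SECTION [ISSUER]: self-signed when ISSUER is omitted.
gen_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ -z "$3" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
      -extfile "$WORK/ca.cnf" -extensions "$2" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
      -CAcreateserial -days 30 -extfile "$WORK/ca.cnf" -extensions "$2" \
      -out "$WORK/$1.pem" 2>/dev/null
  fi
}
gen_cert root-ca ca_ext
gen_cert intermediate-ca ca_ext root-ca
gen_cert issuing-ca ca_ext intermediate-ca
gen_cert expresswayC.example.com leaf_ext issuing-ca
# Three candidate "Trusted CA certificates" stores for the Expressway-E.
cp "$WORK/root-ca.pem" "$WORK/root-only.pem"        # only the root uploaded
cp "$WORK/issuing-ca.pem" "$WORK/issuing-only.pem"  # only one cert of the chain
cat "$WORK/issuing-ca.pem" "$WORK/intermediate-ca.pem" "$WORK/root-ca.pem" > "$WORK/full-chain.pem"
# verify_with STORE: prints ok or fail, the decision the Expressway-E makes.
verify_with() {
  if openssl verify -no-CApath -CAfile "$1" "$LEAF" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
# verify_error STORE: "<error>@<depth>" from openssl's diagnostic line, or none.
verify_error() {
  code=$(openssl verify -no-CApath -CAfile "$1" "$LEAF" 2>&1 \
    | sed -n 's/.*error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth.*/\1@\2/p')
  echo "${code:-none}"
}
for s in root-only issuing-only full-chain; do
  printf '%-13s %-4s %s\n' "$s" "$(verify_with "$WORK/$s.pem")" "$(verify_error "$WORK/$s.pem")"
done
```

Only the store holding all three CA certificates verifies; the root-only store reproduces Jerome's "error 20 at 0 depth", and the issuing-CA-only store fails one level up because the chain cannot reach a trusted self-signed root.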