Beginner

The Expressway-E cannot verify the CA XXX which signed the Expressway-C's certificate

Hi,

I implemented MRA with Expressway-E and C and followed the Cisco guides.

I did a "Secure traversal test" and I got the following errors:

 

The Expressway-E cannot verify the CA 'XXX', which signed the Expressway-C's certificate

Check that this CA is in the Expressway-E's trusted CA list.

 

The fact is that the CA is definitely installed on Expressway-E. What went wrong?

Thanks for help

 

9 REPLIES
Hall of Fame Cisco Employee

Are you using public CA or private CA certs?

Did you test the cert using the EXP feature for that? I can't recall the name of the option.

You can try deleting, uploading, and rebooting the box.

Did you upload the CRL?

HTH

java

if this helps, please rate
Beginner

For Expressway-C I use private, for Expressway-E public.

 

Hall of Fame Cisco Employee

OK, what about the rest of the questions?

HTH

java

if this helps, please rate
Beginner

The CRL for the internal CA is not required.

It was simpler: the full root cert chain was not uploaded; only one cert of the complete chain was installed.

Beginner

Hi

I have the same problem.

Any solution?

 

Thanks

Beginner

Yes, it is resolved.

 

In order for the Expressway-E to accept connections from the Expressway-C, it needed the certificate chain for the Internal CA that issued the certificate to the Expressway-C.  In my case, the issuing CA had its certificate issued by an intermediate CA, which had its certificate issued by a root CA.  I had to install the certificates of all three internal CA hosts into the Expressway-E server before it would accept the certificate issued to the Expressway-C.

 

Once I had installed the certificates of the issuing CA, Intermediate CA, and root CA, the TLS connection from Expressway-C to Expressway-E could be established.

 

 

Beginner

Hi

I do not understand what you mean by the intermediate CA.

I create certificates with OpenSSL based on the following documents:

https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-5.pdf

 

To develop MRA (Mobile Remote Access), how many certificates are up altogether?

Expressway C:

1. Generate CSR
2. Download CSR
3. Send CSR to CA (openssl)
4. Upload signed certificates (.pem) (Maintenance – Security Certificates – Server certificate)
5. Upload CA certificate (Maintenance – Security Certificates – Trusted CA Certificates)
6. Restart

Expressway E:

1. Generate CSR
2. Download CSR
3. Send CSR to CA (openssl)
4. Upload signed certificates (.pem) (Maintenance – Security Certificates – Server certificate)
5. Upload CA certificate (Maintenance – Security Certificates – Trusted CA Certificates)
6. Restart

I downloaded the Tomcat certificates from CUCM and CUPS and then uploaded them to the Expressways (C and E).

With these certificates I have the same error.

SIP: Failed to connect to X.X.X.X:7001 : TLS negotiation failure (X.X.X.X = ip address)

Check the certificates for the traversal connection

Secure traversal test

FQDN of Expressway-E: expreswayE.example.com

TLS verify name of this Expressway-C (as it appears on the Expressway-E): expreswayc.example.com

Results:

Description: The Expressway-E cannot verify the CA 'expresswayC.example.com', which signed the Expressway-C's certificate

Action: Check that this CA is in the Expressway-E's trusted CA list.

 

Am I missing more certificates?

Regards.

 

Beginner

I can't say for sure because I didn't use openssl.

I used a Microsoft CA.

Within the Microsoft CA topology, an issuing CA may be authorized by an Intermediate CA and/or a Root CA.  So, if I generate the cert from a CA that has an intermediate and root CA, then I needed to include certificates from those servers as well since they are part of the CA chain.

Hi,

Do you remember how you solved this?

I have a similar issue but in my case I used Windows to sign the certificate and there is no IntermediateCA involved. The Root is installed on ExpC and ExpE but the verification fails. I also verified the same using OpenSSL service on ExpC:

openssl verify -verbose -CAfile CA.pem CERT.pem

error 20 at 0 depth lookup:unable to get local issuer certificate

When I look at the certificate, the issued-by field contains the correct name. Is there a way to verify the issuer against the serial number of the CA?

I only use internal certificates for testing purposes.

Regards

Jerome
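
The check discussed in the replies above, as an added example that is not from any poster in this thread: it walks from a server certificate up through a trusted-CA bundle with openssl, names the first issuer that is absent (the missing intermediate or root case), and separately flags a CA whose name matches but which openssl verify rejects as the signer. The helper names and file names are assumptions, and -partial_chain needs OpenSSL 1.0.2 or later.

```sh
#!/bin/sh
# Added example (not from the thread): walk a certificate's issuer chain
# through a trusted-CA bundle. Helper names and file names are hypothetical.

# Split PEM bundle $1 into one file per certificate inside directory $2.
split_bundle() {
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = d "/ca" n ".pem" }
                 n { print > f }' "$1"
}

# Print the subject or issuer DN ($2) of certificate $1 in RFC 2253 form.
dn() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"; }

# chain_walk CERT BUNDLE: report each level; exit 0 only when every issuer up
# to a self-signed root is present in BUNDLE and verifies as its child's signer.
chain_walk() (
  tmp=$(mktemp -d) || exit 2
  trap 'rm -rf "$tmp"' EXIT
  split_bundle "$2" "$tmp"
  cur=$1 depth=0
  while [ "$depth" -lt 10 ]; do
    want=$(dn "$cur" issuer)
    if [ "$(dn "$cur" subject)" = "$want" ]; then
      [ "$depth" -gt 0 ] && { echo "depth $depth: self-signed root '$want'"; exit 0; }
      echo "depth 0: SELF-SIGNED: '$want' was not issued by any CA"; exit 1
    fi
    next='' named=0
    for ca in "$tmp"/ca*.pem; do
      [ -f "$ca" ] && [ "$(dn "$ca" subject)" = "$want" ] || continue
      named=1
      # A matching name is not enough: the candidate must verify as cur's issuer.
      if openssl verify -partial_chain -CAfile "$ca" "$cur" >/dev/null 2>&1; then
        next=$ca; break
      fi
    done
    if [ -z "$next" ] && [ "$named" -eq 1 ]; then
      echo "depth $depth: REJECTED: '$want' is in the bundle but fails verification as issuer"; exit 1
    elif [ -z "$next" ]; then
      echo "depth $depth: MISSING: no trusted CA named '$want'"; exit 1
    fi
    echo "depth $depth: issuer '$want' found"
    cur=$next depth=$((depth + 1))
  done
  exit 1
)

if [ "$#" -eq 2 ]; then chain_walk "$1" "$2"; fi
```

A REJECTED result can also come from an expired certificate or a candidate that is not marked as a CA, so confirm the cause with openssl x509 -noout -text on both files.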
