The Expressway-E cannot verify the CA XXX which signed the Expressway-C's certificate

frekuzweg
Level 1

Hi,

I implemented MRA with Expressway-E and C and followed the Cisco guides.

I did a "Secure traversal test" and I got the following errors:

The Expressway-E cannot verify the CA 'XXX', which signed the Expressway-C's certificate

Check that this CA is in the Expressway-E's trusted CA list.

The fact is that the CA is definitely installed on Expressway-E. What went wrong?

Thanks for help

9 Replies

Jaime Valencia
Cisco Employee

Are you using public CA or private CA certs?

Did you test the cert using the EXP feature for that? I can't recall the name of the option.

You can try deleting, uploading, and rebooting the box.

Did you upload the CRL?

HTH

java

if this helps, please rate

For Expressway-C I use private, for Expressway-E public.

OK, what about the rest of the questions?

HTH

java

if this helps, please rate

the CRL for the internal CA is not required.

It was simpler: the full root cert chain was not uploaded; only one cert of the complete chain was installed.

Hi

I have the same problem.

Any solution?

Thanks

Yes, it is resolved.

In order for the Expressway-E to accept connections from the Expressway-C, it needed the certificate chain for the internal CA that issued the certificate to the Expressway-C. In my case, the issuing CA had its certificate issued by an intermediate CA, which had its certificate issued by a root CA. I had to install the certificates of all three internal CA hosts into the Expressway-E server before it would accept the certificate issued to the Expressway-C.

Once I had installed the certificates of the issuing CA, intermediate CA, and root CA, the TLS connection from Expressway-C to Expressway-E could be established.

Hi

I do not understand what you mean by the intermediate CA.

I create certificates with OpenSSL based on the following document:

https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-5.pdf

To set up MRA (Mobile Remote Access), how many certificates have to be uploaded altogether?

Expressway C:

1.- Generate CSR

2.- Download CSR

3.- Send CSR to CA (OpenSSL)

4.- Upload signed certificate (.pem) (Maintenance – Security certificates – Server certificate)

5.- Upload CA certificate (Maintenance – Security certificates – Trusted CA certificates)

6.- Restart

Expressway E:

1.- Generate CSR

2.- Download CSR

3.- Send CSR to CA (OpenSSL)

4.- Upload signed certificate (.pem) (Maintenance – Security certificates – Server certificate)

5.- Upload CA certificate (Maintenance – Security certificates – Trusted CA certificates)

6.- Restart

I downloaded the Tomcat certificates from CUCM and CUPS and then uploaded them to the Expressways (C and E).

With these certificates I have the same error.

SIP: Failed to connect to X.X.X.X:7001 : TLS negotiation failure (X.X.X.X = ip address)

Check the certificates for the traversal connection

Secure traversal test

FQDN of Expressway-E: expreswayE.example.com

TLS verify name of this Expressway-C (as it appears on the Expressway-E): expreswayc.example.com

Results:

Description: The Expressway-E cannot verify the CA 'expresswayC.example.com', which signed the Expressway-C's certificate

Action: Check that this CA is in the Expressway-E's trusted CA list.

Am I missing more certificates?

Regards.

I can't say for sure because I didn't use OpenSSL.

I used a Microsoft CA.

Within the Microsoft CA topology, an issuing CA may be authorized by an intermediate CA and/or a root CA. So, if I generate the cert from a CA that has an intermediate and root CA, then I needed to include certificates from those servers as well since they are part of the CA chain.

Hi,

do you remember how you solved this?

I have a similar issue, but in my case I used Windows to sign the certificate and there is no intermediate CA involved. The root is installed on ExpC and ExpE but the verification fails. I also verified the same using the OpenSSL service on ExpC:

openssl verify -verbose -CAfile CA.pem CERT.pem

error 20 at 0 depth lookup:unable to get local issuer certificate

When I look at the certificate, the issued-by field contains the correct name. Is there a way to verify the issuer against the serial number of the CA?

I only use internal certificates for testing purposes.

Regards

Jerome
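The two failures in this thread (only one certificate of the CA chain uploaded to the Expressway-E, and the "error 20 at 0 depth" that `openssl verify` reports on the Expressway-C) can be reproduced on any machine with the OpenSSL CLI. The script below is an added example, not code from the thread or from Cisco: it builds a constructed three-tier internal PKI (root, intermediate, issuing CA, all names made up) and runs the same verify check against a root-only store, an issuing-CA-only store, and the complete chain bundle.

```shell
#!/bin/sh
# Added example, not from the thread: a constructed three-tier internal PKI
# (root -> intermediate -> issuing CA -> Expressway-C server cert), verified
# the way the poster did on the Expressway-C. Assumes the openssl CLI on PATH.
set -e
work=$(mktemp -d) && cd "$work"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
# make_ca NAME [PARENT]: key plus CA certificate; self-signed when PARENT is omitted.
make_ca() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -subj "/CN=$1" -out "$1.csr" 2>/dev/null
  if [ -z "$2" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
      -extfile ca.ext -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -days 1 -extfile ca.ext -out "$1.pem" 2>/dev/null
  fi
}
make_ca root
make_ca intermediate root
make_ca issuing intermediate
# Server certificate for the Expressway-C (constructed name), signed by the issuing CA.
openssl genrsa -out expc.key 2048 2>/dev/null
openssl req -new -key expc.key -subj "/CN=expresswayc.example.com" -out expc.csr 2>/dev/null
openssl x509 -req -in expc.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial \
  -days 1 -out expc.pem 2>/dev/null
# What the Expressway-E's trusted CA list needs: every CA of the chain in one bundle.
cat root.pem intermediate.pem issuing.pem > full-chain.pem
# verify_with BUNDLE: the same check as on the Expressway-C; prints OK or FAIL.
verify_with() {
  if openssl verify -CAfile "$1" expc.pem >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# verify_reason BUNDLE: openssl's own explanation when the chain cannot be built.
verify_reason() {
  openssl verify -CAfile "$1" expc.pem 2>&1 | grep -o 'error [0-9]* at [0-9]* depth lookup.*' || true
}
# root.pem only: the leaf's issuer is not in the store, giving the "error 20 at 0
# depth lookup: unable to get local issuer certificate" quoted above. issuing.pem
# only: the leaf's issuer is found but its own issuer is not, so the chain never
# reaches a trusted self-signed root and verification still fails. full-chain.pem: OK.
for bundle in root.pem issuing.pem full-chain.pem; do
  printf '%-15s %s  %s\n' "$bundle" "$(verify_with "$bundle")" "$(verify_reason "$bundle")"
done
```

The same three-file bundle is what the resolved post above describes uploading to the Expressway-E's trusted CA list: the issuing CA alone, or the root alone, is not enough for the Expressway-E to build the chain.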
