Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7739
Views
60
Helpful
16
Replies

Wildcard certificate on call manager 10.5

Go to solution
azeez.raheem1
Level 1
Level 1

‎10-13-2015 09:26 AM - edited ‎03-19-2019 10:12 AM

Hello

Can you please assist with the correct answer to the following question

Can one use a wildcard certificate on call manager 10.5?

many thanks,

Azeez

1 person had this problem
Labels:
0 Helpful
16 Replies 16

Go to solution
jdiegmueller
Level 5
Level 5
In response to Jason Watts

‎02-08-2016 08:27 AM

Some comments:

GENERAL
* The environment I outlined performing this process on (above) is still happily chugging away a tick over 3 weeks later. Haven't run across anything that isn't working like I'd expect.
* Looks like everything you outline is what I did with a few small exceptions: Did not generate CallManager or cup-xmpp-s2s certificates (comments on this below).

CALLMANAGER
* I have not yet experimented with CA-signing the CallManager or CAPF certificate(s) using this process. I believe that will have implications on the ITL (or, if in mixed mode, CTL) process. If your goal is simply to eliminate certificate warnings, my testing has shown that CA-signing the CallManager certificate is not required and I'd probably suggest leaving it be.

CUPS
* I found that Jabber does not do the additional "is the XMPP domain listed as a SAN in the cup-xmpp certificate?" check on the internal cup-xmpp certificate, but rather, only on the Expressway-E certificate. That said, the Digicert wildcard process is going to include *.domain.com and domain.com as SAN domains regardless, so your cup-xmpp certificates will include that anyway. I tested this extensively as many of our customers have multiple presence domains (ie, domain.com, sub1.domain.com, sub2.domain.com, differentdomain.com, sub1.differentdomain.com) which of course can't be included in the Digitcert wildcard certificate which only covers a single domain.
* The cup-xmpp-s2s certificate only plays a role if you're running the "Cisco XCP XMPP Federation Connection Manager" service. If you're using Expressway for XMPP federation, it's highly likely this service is not activated. In short, you probably don't need this certificate, since most deployments these days use Expressway for XMPP federation.

For each service, you will need to load the trusted CA certificates first (ie, you can load a Digicert-signed tomcat certificate until you have the Digicert CA certificates loaded in to tomcat-trust). You would then restart the appropriate service as you point out. For CUPS it might be easier to just reboot the whole box once you've loaded the Digicert certificate(s).

-jd

Go to solution
Jason Watts
Level 1
Level 1
In response to jdiegmueller

‎02-08-2016 08:31 AM

Thanks for another thorough and illuminating reply. Not messing with the Callmanager certs is a big relief. I had a feeling there was no real reason to be messing with those just to eliminate warnings on the user end.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents