10-13-2015 09:26 AM - edited 03-19-2019 10:12 AM
Hello
Can you please assist with the correct answer to the following question:
Can one use a wildcard certificate on call manager 10.5?
many thanks,
Azeez
02-08-2016 08:27 AM
Some comments:
GENERAL
* The environment I outlined performing this process on (above) is still happily chugging away a tick over 3 weeks later. Haven't run across anything that isn't working like I'd expect.
* Looks like everything you outline is what I did with a few small exceptions: Did not generate CallManager or cup-xmpp-s2s certificates (comments on this below).
CALLMANAGER
* I have not yet experimented with CA-signing the CallManager or CAPF certificate(s) using this process. I believe that will have implications on the ITL (or, if in mixed mode, CTL) process. If your goal is simply to eliminate certificate warnings, my testing has shown that CA-signing the CallManager certificate is not required and I'd probably suggest leaving it be.
CUPS
* I found that Jabber does not do the additional "is the XMPP domain listed as a SAN in the cup-xmpp certificate?" check on the internal cup-xmpp certificate, but rather, only on the Expressway-E certificate. That said, the Digicert wildcard process is going to include *.domain.com and domain.com as SAN domains regardless, so your cup-xmpp certificates will include that anyway. I tested this extensively as many of our customers have multiple presence domains (i.e., domain.com, sub1.domain.com, sub2.domain.com, differentdomain.com, sub1.differentdomain.com) which of course can't be included in the Digicert wildcard certificate which only covers a single domain.
* The cup-xmpp-s2s certificate only plays a role if you're running the "Cisco XCP XMPP Federation Connection Manager" service. If you're using Expressway for XMPP federation, it's highly likely this service is not activated. In short, you probably don't need this certificate, since most deployments these days use Expressway for XMPP federation.
For each service, you will need to load the trusted CA certificates first (i.e., you can load a Digicert-signed tomcat certificate until you have the Digicert CA certificates loaded into tomcat-trust). You would then restart the appropriate service as you point out. For CUPS it might be easier to just reboot the whole box once you've loaded the Digicert certificate(s).
-jd
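As an added illustration of the "single domain" limitation jd describes above (this is my own stand-alone example, not code from the reply or from any Cisco or Digicert tool): a script that applies the usual wildcard SAN matching rules to a constructed SAN list and the presence domains named in the reply, showing which would still get a name-mismatch warning.

```python
"""Check which IM&P presence domains a certificate's SAN list covers.

Constructed example: the SAN entries mirror the Digicert wildcard described
above (*.domain.com plus domain.com); the presence domains are the ones the
reply lists, plus one two-level name. Wildcard matching follows the usual
RFC 6125 rules: '*' may only be the entire leftmost label and it matches
exactly one label.
"""
from __future__ import annotations

# Constructed SAN list, as a single-domain wildcard certificate would carry it.
WILDCARD_SANS = ["*.domain.com", "domain.com"]

# Presence domains from the reply above (constructed for this example).
PRESENCE_DOMAINS = [
    "domain.com",
    "sub1.domain.com",
    "sub2.domain.com",
    "differentdomain.com",
    "sub1.differentdomain.com",
    "deep.sub1.domain.com",  # extra case: a wildcard does not span two labels
]


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single dNSName SAN entry covers hostname."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    san_labels, host_labels = san.split("."), hostname.split(".")
    # Only a bare '*' as the whole leftmost label is accepted; partial
    # wildcards ('sub*.domain.com') and wildcards elsewhere are rejected.
    if san_labels[0] != "*" or "*" in san[1:]:
        return False
    if len(san_labels) < 3:  # refuse '*.com'-style public-suffix wildcards
        return False
    # '*' stands in for exactly one label, so label counts must match.
    return len(san_labels) == len(host_labels) and san_labels[1:] == host_labels[1:]


def coverage(sans: list[str], domains: list[str]) -> dict[str, bool]:
    """Map each presence domain to whether any SAN entry covers it."""
    return {d: any(san_matches(s, d) for s in sans) for d in domains}


def uncovered(sans: list[str], domains: list[str]) -> list[str]:
    """Domains that would still trigger a certificate name mismatch."""
    return [d for d, ok in coverage(sans, domains).items() if not ok]


if __name__ == "__main__":
    for domain, ok in coverage(WILDCARD_SANS, PRESENCE_DOMAINS).items():
        print(f"{'covered  ' if ok else 'UNCOVERED'} {domain}")
```

Feed it the dNSName entries from your own certificate's SAN extension and your configured presence domains to see what a wildcard would leave uncovered before buying one.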
02-08-2016 08:31 AM
Thanks for another thorough and illuminating reply. Not messing with the Callmanager certs is a big relief. I had a feeling there was no real reason to be messing with those just to eliminate warnings on the user end.