Contributor

Some comments:

GENERAL
* The environment I outlined performing this process on (above) is still happily chugging away a tick over 3 weeks later. Haven't run across anything that isn't working like I'd expect.
* Looks like everything you outline is what I did with a few small exceptions: Did not generate CallManager or cup-xmpp-s2s certificates (comments on this below).

CALLMANAGER
* I have not yet experimented with CA-signing the CallManager or CAPF certificate(s) using this process. I believe that will have implications on the ITL (or, if in mixed mode, CTL) process. If your goal is simply to eliminate certificate warnings, my testing has shown that CA-signing the CallManager certificate is not required and I'd probably suggest leaving it be.

CUPS
* I found that Jabber does not do the additional "is the XMPP domain listed as a SAN in the cup-xmpp certificate?" check on the internal cup-xmpp certificate, but rather only on the Expressway-E certificate. That said, the Digicert wildcard process is going to include *.domain.com and domain.com as SAN domains regardless, so your cup-xmpp certificates will include that anyway. I tested this extensively, as many of our customers have multiple presence domains (i.e., domain.com, sub1.domain.com, sub2.domain.com, differentdomain.com, sub1.differentdomain.com), which of course can't be included in the Digicert wildcard certificate, which only covers a single domain.
* The cup-xmpp-s2s certificate only plays a role if you're running the "Cisco XCP XMPP Federation Connection Manager" service. If you're using Expressway for XMPP federation, it's highly likely this service is not activated. In short, you probably don't need this certificate, since most deployments these days use Expressway for XMPP federation.

For each service, you will need to load the trusted CA certificates first (i.e., you can't load a Digicert-signed tomcat certificate until you have the Digicert CA certificates loaded into tomcat-trust). You would then restart the appropriate service as you point out. For CUPS it might be easier to just reboot the whole box once you've loaded the Digicert certificate(s).

-jd
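The SAN-coverage point above (a single-domain wildcard certificate covers domain.com and one level of subdomain, but not other presence domains) is easy to check mechanically. The following is an added example, not code from the original post or from Cisco; the SAN list and presence-domain list are constructed to mirror the domains the reply mentions, and the wildcard semantics implemented (one DNS label only, as in RFC 6125) are the ones TLS clients generally apply.

```python
"""Check whether each presence (XMPP) domain is covered by a certificate's
dNSName SAN entries, using one-label wildcard matching.

Added example, not part of the original thread. The SAN list and the
presence-domain list below are constructed for illustration.
"""
from typing import Iterable, List

# Constructed SAN list resembling a single-domain Digicert wildcard certificate.
WILDCARD_CERT_SANS = ["*.domain.com", "domain.com"]

# Constructed presence domains for a multi-domain IM&P deployment.
PRESENCE_DOMAINS = [
    "domain.com",
    "sub1.domain.com",
    "sub2.domain.com",
    "differentdomain.com",
    "sub1.differentdomain.com",
]


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single dNSName SAN entry covers hostname.

    A leading '*.' matches exactly one DNS label: '*.domain.com' covers
    'sub1.domain.com' but neither 'domain.com' nor 'a.b.domain.com'.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]  # e.g. ".domain.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        # The wildcard must stand in for one non-empty label, never zero or several.
        return bool(leftmost) and "." not in leftmost
    return san == hostname


def uncovered_domains(domains: Iterable[str], sans: Iterable[str]) -> List[str]:
    """Return the domains that no SAN entry covers, preserving input order."""
    san_list = list(sans)
    return [d for d in domains if not any(san_matches(s, d) for s in san_list)]


if __name__ == "__main__":
    missing = uncovered_domains(PRESENCE_DOMAINS, WILDCARD_CERT_SANS)
    for domain in PRESENCE_DOMAINS:
        status = "MISSING" if domain in missing else "covered"
        print(f"{domain:28} {status}")
```

In practice you would feed `uncovered_domains` the dNSName entries of the certificate you intend to install (for example from `openssl x509 -noout -ext subjectAltName -in cert.pem`) and every presence domain configured on IM&P; with the constructed input above, differentdomain.com and sub1.differentdomain.com are reported as not covered, which is exactly why a single-domain wildcard certificate does not suit a multi-domain deployment when the Expressway-E check applies.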

Beginner

Thanks for another thorough and illuminating reply. Not messing with the CallManager certs is a big relief. I had a feeling there was no real reason to be messing with those just to eliminate warnings on the user end.
