Thanks Dennis,

Appreciate your detailed explanation.

So you mean I should perform both steps, i.e. on Expressway-C and E for traversal zone communication, and on the internal servers for Tomcat and XMPP too.

My CUCM version is 10.5.2.10000-5 for Multi-SAN support.

Also there were a few comments that the GoDaddy certificate is not compatible with UC applications.

So the CN must be "cucm01.domain.com" only when the public CA sends the output for the CSR.

Regards,
Raaj.

From: "Heim, Dennis" <dennis.h...@wwt.com>
To: Rajkumar Yadav <rajkumarya...@y7mail.com>; "cisco-voip@puck.nether.net" <cisco-voip@puck.nether.net>
Sent: Friday, 20 March 2015, 16:23
Subject: RE: [cisco-voip] Expressway certificate advice required.

Traditionally, you put the public certificate on the Expressway-E. This would traditionally contain SANs such as:

DNS:Expe.domain.com
DNS:domain.com
DNS:conference-2-CUPSCluster1.domain.com

If you are doing security you would have the secure profile names in there, and I believe persistent chat has some implications too.

On the Expressway-C you would have certificates signed by your enterprise CA. Expressway-C and Expressway-E must be able to chain each other's certificates so that SIP/TLS can be established on the Unified Communications zone, aka the trust chains must be loaded.

Enterprise certificates are traditionally installed on your internal servers such as Tomcat, etc. If using Multi-SAN you must be on 10.5(2)SU2, because prior versions had a bug where the phones would reset every 7 minutes.

For your internal certificates, when possible I have the following SANs inserted (depending on the competency and give-a-crap factor of the security team):

DNS:<Hostname>
DNS:<FQDN>
DNS:<IP-Address>
IP:<IP-Address>

Remember that from a certificate warning perspective, the service such as CUPS presents the client certificate and it is up to the operating system to perform the validation. All devices internally will need to trust your enterprise CA. If you have mobile devices registering internally, they will need to have the enterprise CA installed. If you don't have a BYOD/MDM solution, it may be easier to bite the bullet and get public certificates for your entire UC enterprise if that is important to you.

A couple of notes when generating your certificates off your enterprise CA:

· Make sure the certificate template you are using is set for Client AND Server Authentication.
· Make sure you have published certificate revocation lists (CRL/OCSP/AIA) that are accessible to all of your clients, wherever they are. If you are using a Windows CA, by default it just publishes into LDAP/AD. This is a problem when clients are external, or not joined to the domain. The solution is to publish to a directory on your CA and share that location via HTTP/HTTPS.

Hope this helps

Dennis Heim | Emerging Technology Architect (Collaboration)
World Wide Technology, Inc. | +1 314-212-1814
"Innovation happens on project squared" -- http://www.projectsquared.com
Click here to join me in my Collaboration Meeting Room

From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Rajkumar Yadav
Sent: Friday, March 20, 2015 4:58 AM
To: cisco-voip@puck.nether.net
Subject: [cisco-voip] Expressway certificate advice required.

Hi,

Need a few clarifications for the Expressway MRA and certificates.

We have bought a Multi-SAN certificate from GoDaddy for the UC applications.

Step 1:

If the certificate management part is done on the CUCM publisher for Tomcat with Multi-SAN capabilities, it would include the FQDNs of all CUCM (Pub & Sub), CUC, IM & Presence and domain.com. Also I have to repeat the step for the IM & Presence server with cup-xmpp.

Step 2:

Now if I'm doing the Expressway (MRA) certificate management for the traversal zone with Multi-SAN capabilities, then will it include all the above FQDNs, and do I not have to perform Step 1?

If I don't perform Step 1, will the Jabber clients throw an error for certificate acceptance (both inside and outside)?

Please confirm whether both need to be done or just Step 2 is enough?

Regards,
Raaj.

  
_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
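
As an added example (my own script, not code from Dennis's or Raaj's messages and not Cisco tooling): the shell below generates a certificate carrying the internal SAN set Dennis lists (DNS:<hostname>, DNS:<FQDN>, DNS:<IP-Address>, IP:<IP-Address>) and then lints it against his two notes, an EKU that allows both Client and Server Authentication, and a CRL distribution point that external or non-domain clients can fetch over HTTP rather than only via LDAP. The self-signed step stands in for the enterprise CA; cucm01.domain.com, 10.0.0.5 and the pki/dc01 URLs are invented placeholders, and the checks parse `openssl x509 -text` output (OpenSSL 1.1.1 or later assumed).

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Builds a Multi-SAN cert the way Dennis
# describes and lints it for his checklist. The self-signed issue step stands in
# for the enterprise CA; hostnames, IPs and CRL URLs are invented placeholders.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl binary required" >&2; exit 1; }

WORK="$(mktemp -d)"

# Write an OpenSSL config with the SAN list plus the EKU and CRL DP extensions.
# $1 = config path, $2 = hostname, $3 = domain, $4 = IP address, $5 = CRL URI
write_san_config() {
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = $2.$3

[ v3_req ]
keyUsage              = digitalSignature, keyEncipherment
extendedKeyUsage      = serverAuth, clientAuth
subjectAltName        = @alt_names
crlDistributionPoints = URI:$5

[ alt_names ]
DNS.1 = $2
DNS.2 = $2.$3
DNS.3 = $4
IP.1  = $4
EOF
}

# Issue a self-signed cert from that config (placeholder for the enterprise CA).
# $1 = config path, $2 = output cert (PEM); the private key lands next to it.
issue_cert() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$1" -extensions v3_req \
    -keyout "${2%.pem}.key" -out "$2" >/dev/null 2>&1
}

# Print one SAN entry per line, e.g. "DNS:cucm01.domain.com" or "IP Address:10.0.0.5".
san_entries() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 | tr ',' '\n' | sed 's/^ *//'
}

has_san() {        # $1 = cert, $2 = exact SAN entry expected
  san_entries "$1" | grep -qxF "$2"
}

has_both_eku() {   # template must be set for Client AND Server Authentication
  local txt
  txt="$(openssl x509 -in "$1" -noout -text)"
  printf '%s\n' "$txt" | grep -q 'TLS Web Server Authentication' &&
    printf '%s\n' "$txt" | grep -q 'TLS Web Client Authentication'
}

crl_over_http() {  # CRL DP must be reachable by external / non-domain clients
  openssl x509 -in "$1" -noout -text |
    grep -A4 'CRL Distribution Points' | grep -Eq 'URI:https?://'
}

# Run the checks, print a verdict per check, return 0 only if all of them pass.
lint_cert() {
  local rc=0 c
  for c in has_both_eku crl_over_http; do
    if "$c" "$1"; then echo "ok    $c"; else echo "FAIL  $c"; rc=1; fi
  done
  echo "SANs: $(san_entries "$1" | tr '\n' ' ')"
  return $rc
}

# Demo: one cert with an HTTP CRL DP, one whose CRL DP only points at LDAP
# (the Windows CA default Dennis warns about).
write_san_config "$WORK/good.cnf" cucm01 domain.com 10.0.0.5 http://pki.domain.com/EnterpriseCA.crl
write_san_config "$WORK/ldap.cnf" cucm01 domain.com 10.0.0.5 ldap://dc01.domain.com/CN=EnterpriseCA
issue_cert "$WORK/good.cnf" "$WORK/good.pem"
issue_cert "$WORK/ldap.cnf" "$WORK/ldap.pem"
echo "== good.pem"; lint_cert "$WORK/good.pem" || true
echo "== ldap.pem"; lint_cert "$WORK/ldap.pem" || true
```

To lint a certificate you already have from your CA, call `lint_cert /path/to/cert.pem` after sourcing the functions. The script checks only what is inside one certificate; whether Expressway-C and Expressway-E can actually chain each other's certificates still has to be checked with the issuing CA chain loaded on both boxes.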
