To Dennis' point, you don't have to put DNS=mycollab.com in the SAN. There is an alternative: use DNS=collab-edge.mycollab.com
http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Mobile-Remote-Access-via-Expressway-Deployment-Guide-X8-5.pdf

On Wed, Jul 15, 2015 at 2:16 PM, Heim, Dennis <dennis.h...@wwt.com> wrote:

> If you have not seen the Cisco Live session on collab security I would
> definitely recommend it. It had some good discussion on certificates. Based
> on that, wildcard certs will never be supported on CUCM and the like and are
> frowned upon within the security community.
>
> *Dennis Heim | Emerging Technology Architect (Collaboration)*
> World Wide Technology, Inc. | +1 314-212-1814
> Twitter: <https://twitter.com/CollabSensei>
> "There is a fine line between Wrong and Visionary. Unfortunately, you have
> to be a visionary to see it." – Sheldon Cooper
> Click here to join me in my Collaboration Meeting Room
> <https://wwt.webex.com/meet/dennis.heim>
>
> *From:* Eric Pedersen [mailto:peders...@bennettjones.com]
> *Sent:* Wednesday, July 15, 2015 12:51 PM
> *To:* Anthony Holloway; Heim, Dennis; Ian Anderson; NateCCIE; Cisco VOIP
> *Subject:* RE: [cisco-voip] Digicert Wildcard certificates
>
> Good point. I spoke too soon: we use wildcard certificates on VCS-E and
> WebEx Meeting Server only. IIRC VCS officially doesn't support wildcard
> certificates either, but everything seems to work provided the hostnames are
> configured as SANs. CUCM might be the same with the multi-server
> certificate, but I haven't tried.
>
> *From:* Anthony Holloway [mailto:avholloway+cisco-v...@gmail.com]
> *Sent:* 15 July 2015 10:43 AM
> *To:* Eric Pedersen; Heim, Dennis; Ian Anderson; NateCCIE; Cisco VOIP
> *Subject:* Re: [cisco-voip] Digicert Wildcard certificates
>
> I'm a little confused here.
> According to this article:
> http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#wildcard,
> and this defect ID: https://tools.cisco.com/bugsearch/bug/CSCta14114/,
> wild card certs are not supported. Are we talking about the same thing
> here?
>
> On Wed, Jul 15, 2015 at 10:08 AM Eric Pedersen <peders...@bennettjones.com>
> wrote:
>
> Digicert lets you put your domain and subdomains of any level as SANs.
> It's great! They even generated a duplicate certificate for me with a
> different root CA that was supported with WebEx enabled Telepresence. We
> use their wildcard certificates on all of our UC servers.
>
> *From:* cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] *On Behalf
> Of *Heim, Dennis
> *Sent:* 15 July 2015 8:28 AM
> *To:* Ian Anderson; NateCCIE; Cisco VOIP
> *Subject:* Re: [cisco-voip] Digicert Wildcard certificates
>
> I've found the hardest thing is to find a cert provider that likes putting
> the domain as a SAN, such as DNS=mycollab.com. Has anyone found any
> providers that are kosher with that? From one of the Cisco Live sessions, I
> was told this is needed for service discovery to function properly.
>
> *Dennis Heim | Emerging Technology Architect (Collaboration)*
> World Wide Technology, Inc. | +1 314-212-1814
>
> *From:* cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] *On Behalf
> Of *Ian Anderson
> *Sent:* Wednesday, July 15, 2015 10:18 AM
> *To:* NateCCIE; Cisco VOIP
> *Subject:* Re: [cisco-voip] Digicert Wildcard certificates
>
> On 15 July 2015 at 15:02, NateCCIE <natec...@gmail.com> wrote:
>
> Did you put all of your SANs in the digicert page?
>
> z
>
> I have this working on all of my expressway installs.
>
> Hi Nate,
>
> Thanks for the quick response. Just for preservation in the archives for
> future posterity, and confirmation that digicert seems fine despite the
> warnings in the manuals, it seemed I was running into 2 separate issues.
>
> 1) I had uploaded the intermediate cert, but needed to manually download
> and upload the root CA
>
> 2) That then got me past the TLS error, only to find that I had
> fat-fingered the hostname in the SAN field :-(
>
> Cheers
>
> Ian
_______________________________________________ cisco-voip mailing list cisco-voip@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip
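As an added example (not code from the thread, from Cisco, or from any poster), the check below compares a certificate's SAN list with the names an MRA deployment needs: it flags names covered only by a wildcard entry (which the thread says CUCM and VCS/Expressway do not accept), malformed entries such as an SRV record name pasted as a SAN, and a near-miss typo of a required hostname like the one Ian hit. The domain mycollab.com and the Expressway-E names expe1/expe2 are constructed.

```python
"""SAN coverage check for an Expressway/MRA certificate. Added example, not
code from the thread or from Cisco; all hostnames below are constructed."""
import difflib
import re

_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")  # RFC 1123 label, no underscores

def san_matches(san, host):
    """RFC 6125-style match: '*' is only valid as the whole leftmost label and
    stands for exactly one label, so *.mycollab.com covers expe1.mycollab.com
    but neither mycollab.com itself nor a.b.mycollab.com."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    s_labels, h_labels = san.split(".")[1:], host.split(".")
    return len(h_labels) == len(s_labels) + 1 and h_labels[1:] == s_labels

def check_sans(sans, required, allow_wildcard=False):
    """Compare a cert's dNSName SANs with the names the deployment needs
    (collab-edge.<domain> plus each Expressway-E FQDN). A name covered only by
    a wildcard is listed under wildcard_only and, since CUCM/Expressway do not
    accept wildcards, also under missing unless allow_wildcard is set. An exact
    entry that looks like a typo of a missing name goes in typo_suspects."""
    report = {"missing": [], "wildcard_only": [], "malformed": [], "typo_suspects": {}}
    exact = [s.lower().rstrip(".") for s in sans if not s.startswith("*.")]
    for san in sans:
        labels = san.lower().rstrip(".").split(".")
        body = labels[1:] if labels[0] == "*" else labels
        if len(body) < 2 or not all(_LABEL.match(lab) for lab in body):
            report["malformed"].append(san)  # e.g. an SRV name pasted as a SAN
    for host in required:
        if any(san_matches(s, host) for s in exact):
            continue
        if any(san_matches(s, host) for s in sans if s.startswith("*.")):
            report["wildcard_only"].append(host)
            if allow_wildcard:
                continue
        report["missing"].append(host)
        near = difflib.get_close_matches(host.lower(), exact, n=1, cutoff=0.8)
        if near:
            report["typo_suspects"][host] = near[0]
    return report

def demo():
    """Constructed SAN list for the hypothetical domain mycollab.com."""
    sans = ["*.mycollab.com", "collab-edge.mycollab.com", "expe1.mycollab.com",
            "expe2.mycolab.com",               # one 'l' short: the fat-finger case
            "_collab-edge._tls.mycollab.com"]  # SRV record name, not a hostname
    required = ["collab-edge.mycollab.com", "expe1.mycollab.com", "expe2.mycollab.com"]
    return check_sans(sans, required)
```

Running demo() reports expe2.mycollab.com as missing (only the wildcard covers it), names expe2.mycolab.com as the likely typo, and rejects the _collab-edge._tls entry, which belongs in DNS as an SRV record rather than in the certificate.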