I second the DigiCert recommendation.  They are unique in that they let you 
generate multiple server certificates (using multiple private keys) under the 
same multi-SAN cert order.  

You just add all of the fqdns to the same certificate order (via the CSR) and 
when you generate the multiSAN CSR from each server (or cluster) you will add 
the fqdn of the other servers as alternative names.   So when you generate a 
Unity Connection CSR, you will add the cucm nodes, CCX nodes, etc as 
alternative names.   If you don’t do that, digicert will invalidate any 
previous signed certs under that order so make sure you include the same 
alternative names in every CSR.

Every other provider we’ve reviewed requires you to either share the private 
keys (which Cisco UC servers don’t allow) or they make you order separate 
multi-SAN certs per cluster.

Sent from an iOS device with very tiny touchscreen input keys.  Please excuse 
my typos.
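The check below is an added example, not code from this thread, from DigiCert or from Cisco. It covers the caveat in the post above (every CSR under the same order must carry the same alternative names, or DigiCert invalidates the earlier certificates) and the "duplicate the order per cluster" steps in Charles's quoted message: run it over the CSRs downloaded from each server before uploading the next one as a duplicate. It assumes OpenSSL 1.1.1 or newer is on PATH; the CSR file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from DigiCert/Cisco: before
# submitting a further CSR as a "duplicate" under an existing multi-SAN
# order, confirm every CSR carries the same SAN set, so the new issuance
# does not invalidate certificates already issued under that order.
# Assumes OpenSSL 1.1.1+ on PATH; file names below are illustrative.

# Print the SAN set of a PEM CSR, one entry per line, lower-cased and
# sorted, so two CSRs can be compared as plain strings.
san_set() {
    openssl req -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | tr '[:upper:]' '[:lower:]' \
        | sort -u
}

# Print the Common Name of a PEM CSR (RFC 2253 formatting keeps it one token).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p' \
        | tr '[:upper:]' '[:lower:]'
}

# Return 0 when the CN of a CSR is also listed as a DNS SAN, 1 otherwise.
# Public CAs require this; a name present only in the CN is not covered.
cn_in_san() {
    cn="$(csr_cn "$1")"
    [ -n "$cn" ] || return 1
    san_set "$1" | grep -qxF "dns:$cn"
}

# Return 0 when every CSR given as an argument has the same SAN set as the
# first one and each CN appears in its own SAN list; 1 otherwise, naming
# the offending file on stderr.
check_csrs() {
    ref_file="$1"
    ref="$(san_set "$ref_file")"
    if [ -z "$ref" ]; then
        echo "no subjectAltName extension in $ref_file" >&2
        return 1
    fi
    status=0
    for f in "$@"; do
        cur="$(san_set "$f")"
        if [ "$cur" != "$ref" ]; then
            echo "SAN mismatch: $f differs from $ref_file" >&2
            printf '  %s has:\n%s\n' "$f" "$cur" >&2
            status=1
        fi
        if ! cn_in_san "$f"; then
            echo "CN of $f is not among its DNS SANs" >&2
            status=1
        fi
    done
    return $status
}

# Usage: sh san-check.sh cucm-pub.csr cuc.csr uccx.csr
if [ "$#" -gt 0 ]; then
    check_csrs "$@"
fi
```

Comparison is done on the full SAN set rather than on a count of names, so a CSR that swapped one hostname for another is flagged even though its length matches; the CN check catches the Expressway case where each node's CSR is built separately and it is easy to leave the node's own name out of the SAN list.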

> On Jun 28, 2018, at 10:24 AM, Charles Goldsmith <[email protected]> wrote:
> 
> Generate a CSR from each server type (CUCM, CUC, UCCX, and each expressway) 
> and load all hostnames into each server, including your cluster name of the 
> expressway and the domain name.  At Digicert, load your csr, make sure the 
> Common name matches the CSR that the server came from.  Once you have one 
> cluster done, go back into the order and request duplicate, load your 2nd 
> csr, check the common name and issue the duplicate.  Rinse and repeat for all 
> systems.
> 
> Expressway clusters do not support multi-san, so just duplicate for each node.
> 
>> On Thu, Jun 28, 2018 at 10:17 AM Lelio Fulgenzi <[email protected]> wrote:
>> Wait. What? I understand how the internals of CUCM and IMP can distribute 
>> one multi-san cert (built on the publisher’s CSR) to each CUCM and IMP node 
>> and uses private keys to ensure they load, but….
>> 
>> How the heck do you install a cert that was built on the pub’s CSR into CUC 
>> and UCCx? Or Expressway for that matter?
>> 
>> We are a digicert client, so if you have specific breadcrumbs / drop down 
>> options, feel free to share.
>> 
>> Lelio
>> 
>> ---
>> Lelio Fulgenzi, B.A. | Senior Analyst
>> Computing and Communications Services | University of Guelph
>> Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
>> 519-824-4120 Ext. 56354 | [email protected]
>> www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook
>> 
>> From: Charles Goldsmith <[email protected]>
>> Sent: Thursday, June 28, 2018 10:40 AM
>> To: Lelio Fulgenzi <[email protected]>
>> Cc: voyp list, cisco-voip ([email protected]) <[email protected]>
>> Subject: Re: [cisco-voip] multi-SAN / server certificates vs individual certs (CUCM/IMP)
>> 
>> I've used multi-san certs on at least a dozen installs and have had no 
>> issues at all.  In fact, with a good SSL provider, you can use the same 
>> Multi-SAN on CUCM, CUC, UCCX, Expressways.  I like how Digicert does it, 
>> just duplicate the cert  and make sure all of the hostnames are listed in 
>> the SAN.
>> 
>> On Thu, Jun 28, 2018 at 9:37 AM Lelio Fulgenzi <[email protected]> wrote:
>> 
>> We're in the process of installing signed certs and we have the choice 
>> between multi-SAN cert with the publisher CSR and rely on the internals to 
>> have that cert distributed to the subs and the imp nodes -OR- go with 
>> individual certs.
>> 
>> It's a last minute thing, so I still need to do some research, but I'm 
>> wondering what people have been doing out there. We're less concerned with 
>> cost than we are future stability. I know that this multi-san support is 
>> recent with v10.x - have they ironed out the bugs? We're going with 11.5.
>> 
>> Thoughts?
>> 
>> 
>> _______________________________________________
>> cisco-voip mailing list
>> [email protected]
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>> 