No apologies – it’s always great to get a second opinion, even if it’s the same!

I think for the first time around, we’ll likely stick with the multi-san cert 
for CUCM/IMP and individual certs for the others. But we’ll definitely think 
about the duplicate multi-san cert in the future.

---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | [email protected]

www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook


From: Bill Talley <[email protected]>
Sent: Thursday, June 28, 2018 11:40 AM
To: Charles Goldsmith <[email protected]>
Cc: Lelio Fulgenzi <[email protected]>; voyp list, cisco-voip 
([email protected]) <[email protected]>
Subject: Re: [cisco-voip] multi-SAN / server certificates vs individual certs 
(CUCM/IMP)

Scrolling through my phone and inadvertently replied to Charles' email when it 
popped up instead of Lelio’s.  Sorry for duplicating what Charles said 🤪

Sent from an iOS device with very tiny touchscreen input keys.  Please excude 
my typtos.

On Jun 28, 2018, at 10:24 AM, Charles Goldsmith <[email protected]> wrote:
Generate a CSR from each server type (CUCM, CUC, UCCX, and each expressway) and 
load all hostnames into each server, including your cluster name of the 
expressway and the domain name.  At Digicert, load your csr, make sure the 
Common name matches the CSR that the server came from.  Once you have one 
cluster done, go back into the order and request duplicate, load your 2nd csr, 
check the common name and issue the duplicate.  Rinse and repeat for all 
systems.

Expressway clusters do not support multi-san, so just duplicate for each node.

On Thu, Jun 28, 2018 at 10:17 AM Lelio Fulgenzi <[email protected]> wrote:
Wait. What? I understand how the internals of CUCM and IMP can distribute one 
multi-san cert (built on the publisher’s CSR) to each CUCM and IMP node and 
use private keys to ensure they load, but….

How the heck do you install a cert that was built on the pub’s CSR into CUC and 
UCCx? Or Expressway for that matter?

We are a digicert client, so if you have specific breadcrumbs / drop down 
options, feel free to share.

Lelio




From: Charles Goldsmith <[email protected]>
Sent: Thursday, June 28, 2018 10:40 AM
To: Lelio Fulgenzi <[email protected]>
Cc: voyp list, cisco-voip ([email protected]) <[email protected]>
Subject: Re: [cisco-voip] multi-SAN / server certificates vs individual certs 
(CUCM/IMP)

I've used multi-san certs on at least a dozen installs and have had no issues 
at all.  In fact, with a good SSL provider, you can use the same Multi-SAN on 
CUCM, CUC, UCCX, Expressways.  I like how Digicert does it, just duplicate the 
cert and make sure all of the hostnames are listed in the SAN.


On Thu, Jun 28, 2018 at 9:37 AM Lelio Fulgenzi <[email protected]> wrote:

We're in the process of installing signed certs and we have the choice between 
multi-SAN cert with the publisher CSR and rely on the internals to have that 
cert distributed to the subs and the imp nodes -OR- go with individual certs.

It's a last minute thing, so I still need to do some research, but I'm 
wondering what people have been doing out there. We're less concerned with cost 
than we are future stability. I know that this multi-san support is recent with 
v10.x - have they ironed out the bugs? We're going with 11.5.

Thoughts?



_______________________________________________
cisco-voip mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-voip
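
Added example (not written by anyone in this thread): a pre-upload check for the per-CSR duplicate procedure discussed above. It confirms that a certificate was built on a given server's CSR (same public key and common name) and that its SAN lists every expected hostname. The hostnames under example.test are constructed, a self-signed certificate stands in for the CA-issued one, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example. All hostnames are constructed placeholders under example.test.

pubkey_hash() {  # $1 = req|x509, $2 = file
  openssl "$1" -in "$2" -noout -pubkey | openssl sha256
}

subject_cn() {   # $1 = req|x509, $2 = file
  openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^.*CN=//; s/,.*$//'
}

cert_sans() {    # DNS names in the certificate's SAN, one per line
  openssl x509 -in "$1" -noout -ext subjectAltName | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# $1 = CSR, $2 = issued cert, remaining args = hostnames the cert must cover.
check_cert() {
  local csr="$1" cert="$2" rc=0 name
  shift 2
  [ "$(pubkey_hash req "$csr")" = "$(pubkey_hash x509 "$cert")" ] ||
    { echo "FAIL: $cert was not built on the key in $csr"; rc=1; }
  [ "$(subject_cn req "$csr")" = "$(subject_cn x509 "$cert")" ] ||
    { echo "FAIL: common name differs between $csr and $cert"; rc=1; }
  for name in "$@"; do
    cert_sans "$cert" | grep -qxF -- "$name" ||
      { echo "FAIL: $name missing from SAN of $cert"; rc=1; }
  done
  return "$rc"
}

# Constructed fixture: two server CSRs plus a self-signed stand-in for the
# certificate a CA would issue on cucm-pub's CSR.
make_fixture() {
  local d="$1" n san="subjectAltName=DNS:cucm-pub.example.test,DNS:cuc1.example.test"
  for n in cucm-pub cuc1; do
    openssl ecparam -genkey -name prime256v1 -noout -out "$d/$n.key"
    openssl req -new -key "$d/$n.key" -subj "/CN=$n.example.test" -addext "$san" -out "$d/$n.csr"
  done
  openssl req -x509 -new -key "$d/cucm-pub.key" -subj "/CN=cucm-pub.example.test" \
    -addext "$san" -days 1 -out "$d/cucm-pub.pem"
}

d=$(mktemp -d) && make_fixture "$d"
check_cert "$d/cucm-pub.csr" "$d/cucm-pub.pem" cucm-pub.example.test cuc1.example.test &&
  echo "cucm-pub: cert matches its CSR and covers all names"
check_cert "$d/cuc1.csr" "$d/cucm-pub.pem" cuc1.example.test ||
  echo "cuc1: needs a duplicate issued on its own CSR"
```

The second check fails on the key and common-name comparisons even though cuc1 is listed in the SAN, which is why each server type needs a duplicate issued against its own CSR.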