I agree with all of the potential solutions.   I’ve just come across a few isolated 
scenarios where we had to have the EXPC cert signed by a public CA since there 
were no alternatives (right, wrong or indifferent) and Let’s Encrypt isn’t 
available for the EXPC nodes (at least not using automated renewal). 


Sent from an iPhone mobile device with very tiny touchscreen input keys.  
Please excude my typtos.

> On Apr 17, 2020, at 4:27 PM, Anthony Holloway 
> <avholloway+cisco-v...@gmail.com> wrote:
> 
> 
> Well, that depends.  And let me just ask, why did they do it this way?  If it 
> was even a self-signed cert, we could at least import it to E, but it's not 
> even that. It's some invalid bogus cert in there.  Why?
> 
> I have seen the following:
> 
> 1. publicly sign it (Namecheap has dirt cheap certs) 
> 2. get a private CA installed because just like you need a network, a server, 
> licensing, phones, an internet connection, etc.  it's a part of the solution
> 3. sign it yourself with any CA you want, including the one running on your 
> home computer, and just don't tell anyone what you did because you set it up 
> for 34 years and it won't matter by then anyway (ok, just kidding here...or am I?)
> 
>> On Fri, Apr 17, 2020 at 3:55 PM Bill Talley <btal...@gmail.com> wrote:
>> Great info Anthony, thanks.
>> 
>> Question, what do you do for Expressway Core if you don’t have an internal 
>> CA to sign the EXPC (meaning no internal root cert to upload to EXPE to 
>> establish the traversal zone trust)?
>> 
>> Sent from an iPhone mobile device with very tiny touchscreen input keys.  
>> Please excude my typtos.
>> 
>>> On Apr 17, 2020, at 3:25 PM, Anthony Holloway 
>>> <avholloway+cisco-v...@gmail.com> wrote:
>>> 
>>> This might be an unpopular opinion, but I think using the free certs 
>>> provided by Let's Encrypt, coupled with it being automatic from now on, 
>>> it's just an unbeatable combination.
>>> 
>>> Here are my cliff notes:
>>> 
>>> Reference Document:
>>> https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/exwy_b_certificate-creation-use-deployment-guide/exwy_b_certificate-creation-use-deployment-guide_chapter_0100.html
>>>  
>>> High Level Steps:
>>> 1. Expressway 12.5.7 to avoid ACMEv1 vs ACMEv2 registration issues 
>>> (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr82346)
>>> 2. For your Unified CM registration domains don’t use parent domain only 
>>> (e.g., company.com); switch to CollabEdgeDNS format instead (e.g., 
>>> collab-edge.company.com), because you’ll need that in the next step
>>> 3. DNS A records for the Expressway-E FQDN and the CM registration domains
>>> 4. Upload the root and intermediates for Let’s Encrypt (needed on both 
>>> Expressway-E and Expressway-C) (certs are linked in documentation)
>>> 5. Enable the ACME client on Expressway-E and supply any email address you 
>>> want to link to this registration (this creates your account with Let’s 
>>> Encrypt)
>>> 6. Generate a new CSR (Server Certificate Only, Domain Cert Was Not Needed)
>>> 7. Click button to Submit CSR to ACME
>>> 8. Click button to Deploy New Certificate on Expressway-E (documentation 
>>> states this is non-service impacting)
>>> 9. Set up the automatic scheduler so you never have to deal with this again
>>> 10. Sit back, relax and enjoy free shit
>>> 
>>> 
>>> 
>>>> On Fri, Apr 17, 2020 at 1:43 PM Riley, Sean <sri...@robinsonbradshaw.com> 
>>>> wrote:
>>>> We had our Cisco partner setup our Expressways a couple of years ago.  It 
>>>> is a cluster with 2 E’s and 2 C’s currently at v 12.5.7 using for MRA.  I 
>>>> have been managing them, installing updates, troubleshooting etc.  The 
>>>> public Edge cert is up for renewal.  Can anyone provide advice on renewing 
>>>> this cert?  I am planning on just renewing with the same cert provider, 
>>>> but was interested in if there is anything to watch out for.  Example, 
>>>> will there be a service interruption when replacing the cert?  Or just 
>>>> install the new cert/pk and rest easy?
>>>> 
>>>>  
>>>> 
>>>> Thanks in advance.
>>>> 
>>>>  
>>>> 
>>>> Sean.
>>>> 
>>>> _______________________________________________
>>>> cisco-voip mailing list
>>>> cisco-voip@puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-voip
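The thread's procedure ends with "set up the automatic scheduler", and the original question was about what to watch for at renewal time. The three things worth checking on the certificate Expressway-E actually presents are whether it chains to the root and intermediates that were uploaded, whether its SANs still cover the Expressway-E FQDN and every CollabEdgeDNS-format registration domain (a domain added after the CSR was generated is the classic miss), and how many of the 90 days remain (a stale certificate means the scheduler is not working). The Go program below, an added example rather than anything from the thread or from Cisco, implements that check. It does not talk to a real Expressway: it constructs a throwaway root CA and a leaf certificate as stand-ins, and the names `expe.example.com`, `collab-edge.example.com`, `collab-edge.branch.example.com` and the 30-day threshold are assumptions. Point `CheckCert` at a certificate read from a live TLS connection and a pool built from the uploaded chain to use it for real.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertReport holds what an Expressway admin wants to know before or after a
// deploy: chain trust, SAN coverage for MRA names, and time left to expiry.
type CertReport struct {
	ChainOK     bool     // leaf chains to one of the trusted roots
	MissingSANs []string // required names the certificate does not cover
	DaysLeft    int      // whole days from now until NotAfter
	RenewalDue  bool     // DaysLeft <= the renewal threshold
}

// CheckCert verifies leaf against roots (the CA chain uploaded to Expressway),
// confirms each required DNS name is covered by a SAN (VerifyHostname, like a
// TLS client, ignores the CN), and flags renewal when few days remain.
func CheckCert(leaf *x509.Certificate, roots *x509.CertPool, requiredNames []string, renewWithinDays int, now time.Time) CertReport {
	var r CertReport
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	r.ChainOK = err == nil
	for _, name := range requiredNames {
		if leaf.VerifyHostname(name) != nil {
			r.MissingSANs = append(r.MissingSANs, name)
		}
	}
	r.DaysLeft = int(leaf.NotAfter.Sub(now).Hours() / 24)
	r.RenewalDue = r.DaysLeft <= renewWithinDays
	return r
}

// BuildFixture constructs a throwaway root CA and a leaf signed by it: the root
// stands in for the uploaded chain, the leaf for the ACME-issued certificate.
// Constructed test data only; a real check reads the live certificate instead.
func BuildFixture(now time.Time, leafDays int, sans []string) (*x509.Certificate, *x509.CertPool, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: sans[0]},
		DNSNames:     sans, // the SAN list is what clients actually match on
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(time.Duration(leafDays) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return leaf, roots, nil
}

func main() {
	now := time.Date(2020, 4, 17, 12, 0, 0, 0, time.UTC)
	// Hypothetical Expressway-E FQDN plus one CollabEdgeDNS-format domain.
	issued := []string{"expe.example.com", "collab-edge.example.com"}
	leaf, roots, err := BuildFixture(now, 20, issued)
	if err != nil {
		panic(err)
	}
	// A registration domain added after the CSR was generated is not covered.
	required := []string{"expe.example.com", "collab-edge.example.com", "collab-edge.branch.example.com"}
	fmt.Printf("%+v\n", CheckCert(leaf, roots, required, 30, now))
}
```

The time reference is passed in rather than taken from the clock so the check is deterministic; in a scheduled job you would pass `time.Now().UTC()`. A chain failure against the uploaded roots is exactly the condition that breaks the traversal zone between Expressway-C and Expressway-E, which is why the check is worth running on both sides after the Let's Encrypt root and intermediates are uploaded.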
