Re: [cisco-voip] multi-SAN / server certificates vs individual certs (CUCM/IMP)

2018-06-28 Thread Brian Meade
Only issue I run into is when adding another node to the cluster.  That
makes me have to replace the certs across the whole cluster and plan to
restart services accordingly.

On Thu, Jun 28, 2018 at 10:37 AM Lelio Fulgenzi  wrote:

>
> We're in the process of installing signed certs and we have the choice
> between multi-SAN cert with the publisher CSR and rely on the internals to
> have that cert distributed to the subs and the imp nodes -OR- go with
> individual certs.
>
> It's a last minute thing, so I still need to do some research, but I'm
> wondering what people have been doing out there. We're less concerned with
> cost than we are future stability. I know that this multi-san support is
> recent with v10.x - have they ironed out the bugs? We're going with 11.5.
>
> Thoughts?
>
>
> ---
> Lelio Fulgenzi, B.A. | Senior Analyst
> Computing and Communications Services | University of Guelph
> Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON |
> N1G 2W1
> 519-824-4120 Ext. 56354 | le...@uoguelph.ca
>
> www.uoguelph.ca/ccs | @UofGCCS on Instagram,
> Twitter and Facebook
>
> [University of Guelph Cornerstone with Improve Life tagline]
>
> ___
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>


Re: [cisco-voip] multi-SAN / server certificates vs individual certs (CUCM/IMP)

2018-06-28 Thread Lelio Fulgenzi
One last/more question – do we need to add the Jabber discovery domain into the 
cert? It’s not just the domain, it’s a subdomain.

So the servers are something like host01.datacentre.acme.com but the Jabber 
discovery domain is myjabber.acme.com.

And then there’s the IMP cluster domain name too, which is different, so, 
impcluster.acme.com





Re: [cisco-voip] multi-SAN / server certificates vs individual certs (CUCM/IMP)

2018-06-28 Thread Charles Goldsmith
No problem, thanks for adding your insight.

There are a couple of other providers that do duplication as well, they
just call it something different, but I haven't worked with them directly.
I'm told godaddy now supports it, but they only sell the SANs in blocks of
5.




Re: [cisco-voip] multi-SAN / server certificates vs individual certs (CUCM/IMP)

2018-06-28 Thread Lelio Fulgenzi
No apologies – it’s always great to get a second opinion, even if it’s the same!

I think for the first time around, we’ll likely stick with the multi-san cert 
for CUCM/IMP and individual certs for the others. But we’ll definitely think 
about the duplicate multi-san cert in the future.


Re: [cisco-voip] multi-SAN / server certificates vs individual certs (CUCM/IMP)

2018-06-28 Thread Bill Talley
Scrolling through my phone and inadvertently replied to Charles email when it 
popped up instead of Lelio’s.  Sorry for duplicating what Charles said

Sent from an iOS device with very tiny touchscreen input keys.  Please excude 
my typtos.



Re: [cisco-voip] multi-SAN / server certificates vs individual certs (CUCM/IMP)

2018-06-28 Thread Bill Talley
I second the DigiCert recommendation.  They are unique in that they let you 
generate multiple server certificates (using multiple private keys) under the 
same multi-SAN cert order.  

You just add all of the fqdns to the same certificate order (via the CSR) and 
when you generate the multiSAN CSR from each server (or cluster) you will add 
the fqdn of the other servers as alternative names.   So when you generate a 
Unity Connection CSR, you will add the cucm nodes, CCX nodes, etc as 
alternative names.   If you don’t do that, digicert will invalidate any 
previous signed certs under that order so make sure you include the same 
alternative names in every CSR.

Every other provider we’ve reviewed requires you to either share the private 
keys (which Cisco UC servers don’t allow) or they make you order separate 
multi-SAN certs per cluster.

Sent from an iOS device with very tiny touchscreen input keys.  Please excude 
my typtos.

___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
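
A pre-submission check for the rule described in the message above (every CSR under one order carries the same alternative names) together with the common-name check from Charles's procedure, as an added example that is not part of the original thread. It reads the text printed by `openssl req -in <file>.csr -noout -text`; the hostnames, the sample excerpts and the function names are constructed for illustration.

```python
import re

# Names the operator intends to place on the order (constructed placeholders).
ORDER_NAMES = {
    "cucm-pub.example.com", "cucm-sub1.example.com",
    "cuc1.example.com", "uccx1.example.com",
}

# Common name each CSR is expected to carry, keyed by the system it came from.
EXPECTED_CN = {
    "cucm": "cucm-pub.example.com",
    "cuc": "cuc1.example.com",
    "uccx": "uccx1.example.com",
}

# Constructed excerpts of `openssl req -noout -text` output, trimmed to the
# two fields the check reads. The "cuc" sample uses the older "CN=" spacing
# and mixed case; the "uccx" sample is deliberately missing one name.
SAMPLE_CSRS = {
    "cucm": """\
Certificate Request:
    Data:
        Subject: C = US, O = Example Org, CN = cucm-pub.example.com
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:cucm-pub.example.com, DNS:cucm-sub1.example.com, DNS:cuc1.example.com, DNS:uccx1.example.com
""",
    "cuc": """\
Certificate Request:
    Data:
        Subject: C=US, O=Example Org, CN=CUC1.example.com
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:uccx1.example.com, DNS:CUC1.example.com, DNS:cucm-sub1.example.com, DNS:cucm-pub.example.com
""",
    "uccx": """\
Certificate Request:
    Data:
        Subject: C = US, O = Example Org, CN = uccx1.example.com
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:uccx1.example.com, DNS:cucm-pub.example.com, DNS:cucm-sub1.example.com
""",
}


def parse_csr_text(text):
    """Return (common_name, frozenset of DNS SANs), both lower-cased."""
    cn = re.search(r"Subject:.*?\bCN\s*=\s*([^,/\n]+)", text)
    if cn is None:
        raise ValueError("no CN found in CSR subject")
    sans = set()
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        # openssl prints the SAN entries on the line after the extension name.
        if "X509v3 Subject Alternative Name" in line:
            for entry in lines[i + 1].split(","):
                kind, _, value = entry.strip().partition(":")
                if kind == "DNS" and value:
                    sans.add(value.strip().lower())
    return cn.group(1).strip().lower(), frozenset(sans)


def audit_order(csr_texts, expected_cn, order_names):
    """Map each CSR label to a list of problems (empty list means consistent)."""
    required = {name.lower() for name in order_names}
    report = {}
    for label, text in csr_texts.items():
        cn, sans = parse_csr_text(text)
        problems = []
        want = expected_cn[label].lower()
        if cn != want:
            problems.append(f"CN is {cn}, expected {want}")
        missing = sorted(required - sans)
        extra = sorted(sans - required)
        if missing:
            problems.append("missing SAN: " + ", ".join(missing))
        if extra:
            problems.append("SAN not in order: " + ", ".join(extra))
        report[label] = problems
    return report


if __name__ == "__main__":
    for label, problems in audit_order(SAMPLE_CSRS, EXPECTED_CN, ORDER_NAMES).items():
        print(label, "OK" if not problems else "; ".join(problems))
```
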


Re: [cisco-voip] multi-SAN / server certificates vs individual certs (CUCM/IMP)

2018-06-28 Thread Lelio Fulgenzi
That is cool. Thanks!

Do you use any extended validation? Or just simple certs?



Re: [cisco-voip] multi-SAN / server certificates vs individual certs (CUCM/IMP)

2018-06-28 Thread Charles Goldsmith
Generate a CSR from each server type (CUCM, CUC, UCCX, and each expressway)
and load all hostnames into each server, including your cluster name of the
expressway and the domain name.  At Digicert, load your csr, make sure the
Common name matches the CSR that the server came from.  Once you have one
cluster done, go back into the order and request duplicate, load your 2nd
csr, check the common name and issue the duplicate.  Rinse and repeat for
all systems.

Expressway clusters do not support multi-san, so just duplicate for each
node.



Re: [cisco-voip] multi-SAN / server certificates vs individual certs (CUCM/IMP)

2018-06-28 Thread Lelio Fulgenzi
Wait. What? I understand how the internals of CUCM and IMP can distribute one 
multi-san cert (built on the publisher’s CSR) to each CUCM and IMP node and 
uses private keys to ensure they load, but….

How the heck do you install a cert that was built on the pub’s CSR into CUC and 
UCCx? Or Expressway for that matter?

We are a digicert client, so if you have specific breadcrumbs / drop down 
options, feel free to share.

Lelio



---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | le...@uoguelph.ca

www.uoguelph.ca/ccs | @UofGCCS on Instagram, 
Twitter and Facebook

[University of Guelph Cornerstone with Improve Life tagline]

From: Charles Goldsmith 
Sent: Thursday, June 28, 2018 10:40 AM
To: Lelio Fulgenzi 
Cc: voyp list, cisco-voip (cisco-voip@puck.nether.net) 

Subject: Re: [cisco-voip] multi-SAN / server certificates vs individual certs 
(CUCM/IMP)

I've used multi-san certs on at least a dozen installs and have had no issues 
at all.  In fact, with a good SSL provider, you can use the same Multi-SAN on 
CUCM, CUC, UCCX, Expressways.  I like how Digicert does it, just duplicate the 
cert and make sure all of the hostnames are listed in the SAN.


On Thu, Jun 28, 2018 at 9:37 AM Lelio Fulgenzi <le...@uoguelph.ca> wrote:

We're in the process of installing signed certs and we have the choice between 
multi-SAN cert with the publisher CSR and rely on the internals to have that 
cert distributed to the subs and the imp nodes -OR- go with individual certs.

It's a last minute thing, so I still need to do some research, but I'm 
wondering what people have been doing out there. We're less concerned with cost 
than we are future stability. I know that this multi-san support is recent with 
v10.x - have they ironed out the bugs? We're going with 11.5.

Thoughts?


---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | le...@uoguelph.ca

www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook



Re: [cisco-voip] multi-SAN / server certificates vs individual certs (CUCM/IMP)

2018-06-28 Thread Charles Goldsmith
I've used multi-san certs on at least a dozen installs and have had no
issues at all.  In fact, with a good SSL provider, you can use the same
Multi-SAN on CUCM, CUC, UCCX, Expressways.  I like how Digicert does it,
just duplicate the cert and make sure all of the hostnames are listed in
the SAN.


On Thu, Jun 28, 2018 at 9:37 AM Lelio Fulgenzi  wrote:

>
> We're in the process of installing signed certs and we have the choice
> between multi-SAN cert with the publisher CSR and rely on the internals to
> have that cert distributed to the subs and the imp nodes -OR- go with
> individual certs.
>
> It's a last minute thing, so I still need to do some research, but I'm
> wondering what people have been doing out there. We're less concerned with
> cost than we are future stability. I know that this multi-san support is
> recent with v10.x - have they ironed out the bugs? We're going with 11.5.
>
> Thoughts?
>
>
> ---
> Lelio Fulgenzi, B.A. | Senior Analyst
> Computing and Communications Services | University of Guelph
> Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON |
> N1G 2W1
> 519-824-4120 Ext. 56354 | le...@uoguelph.ca
>
> www.uoguelph.ca/ccs | @UofGCCS on Instagram,
> Twitter and Facebook
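
Added example, not part of any list member's message: a pre-install check that the SAN list of an issued multi-SAN certificate covers every node name, as the reply above recommends. It reads the text printed by `openssl x509 -noout -text`; the sample output, host names and function names are constructed for illustration, and the wildcard handling is the general one-label hostname-matching rule, which goes beyond what the thread discusses.

```python
# Constructed sample: extension section as printed by `openssl x509 -noout -text`.
SAMPLE_OPENSSL_TEXT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:cucm-pub.datacentre.acme.com, DNS:cucm-sub1.datacentre.acme.com, DNS:imp01.datacentre.acme.com, DNS:*.collab.acme.com, IP Address:192.0.2.10
            X509v3 Basic Constraints: critical
                CA:FALSE
"""

# Constructed list of names the cluster will present to clients.
REQUIRED_NAMES = [
    "cucm-pub.datacentre.acme.com",
    "CUCM-SUB1.datacentre.acme.com",   # case must not matter
    "imp01.datacentre.acme.com",
    "cuc01.datacentre.acme.com",       # not in the certificate
    "jabber.collab.acme.com",          # covered by *.collab.acme.com
    "a.b.collab.acme.com",             # two labels deep: wildcard does not cover it
]


def parse_san_dns(openssl_text):
    """Return the lower-cased DNS entries of the SAN extension (IP entries are skipped)."""
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines):
        if "X509v3 Subject Alternative Name" in line and i + 1 < len(lines):
            entries = [e.strip() for e in lines[i + 1].split(",")]
            return [e[4:].lower() for e in entries if e.startswith("DNS:")]
    return []


def san_matches(pattern, host):
    """Exact match, or a left-most '*' label standing for exactly one label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*."):
        first, _, rest = h.partition(".")
        return bool(first) and rest == p[2:]
    return False


def missing_names(openssl_text, required):
    """Names from `required` that no SAN entry covers, in the order given."""
    sans = parse_san_dns(openssl_text)
    return [n for n in required if not any(san_matches(s, n) for s in sans)]


if __name__ == "__main__":
    for name in missing_names(SAMPLE_OPENSSL_TEXT, REQUIRED_NAMES):
        print("not covered by certificate SAN:", name)
```

Running the same check against the CSR text before submitting it catches a missing node name before the certificate is issued.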


[cisco-voip] multi-SAN / server certificates vs individual certs (CUCM/IMP)

2018-06-28 Thread Lelio Fulgenzi

We're in the process of installing signed certs and we have the choice between 
multi-SAN cert with the publisher CSR and rely on the internals to have that 
cert distributed to the subs and the imp nodes -OR- go with individual certs.

It's a last minute thing, so I still need to do some research, but I'm 
wondering what people have been doing out there. We're less concerned with cost 
than we are future stability. I know that this multi-san support is recent with 
v10.x - have they ironed out the bugs? We're going with 11.5.

Thoughts?


---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | le...@uoguelph.ca

www.uoguelph.ca/ccs | @UofGCCS on Instagram, 
Twitter and Facebook



[cisco-voip] CAD EOL

2018-06-28 Thread Charles Goldsmith
Resurrecting an old topic with a new subject, we ran across this recently
and wanted to give a reminder and PSA.

The EOL announcement for 10.x and 11.0 does NOT mention the different EOL
date for CAD.
https://www.cisco.com/c/en/us/products/collateral/customer-collaboration/unified-contact-center-express/eos-eol-notice-c51-737425.html


Even though 10.x is not EOL yet, the CAD agent loses support on July 31st,
2018, per
https://www.cisco.com/c/en/us/products/collateral/customer-collaboration/unified-contact-center-express/eos-eol-notice-c51-733719.html

Charles



-- Forwarded message --
From: Kevin Przybylowski 
Date: Mon, Jan 19, 2015 at 8:49 AM
Subject: Re: [cisco-voip] FYI: UCCx v9.0 EOL announced...
To: "cisco-voip@puck.nether.net" 


Nice – thanks for the heads up.  I knew it was coming, I like the note
below from the EOL:



In addition to the SKUs listed in this notification, the same End of
Software Maintenance and End of Support milestones will apply to the Cisco
Agent Desktop (CAD), Cisco Supervisor Desktop (CSD) and Cisco Desktop
Administrator (CDA) features on CCX 10.0, 10.5 and 10.6.



From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Lelio Fulgenzi
Sent: Monday, January 19, 2015 9:37 AM
To: voip puck
Subject: [cisco-voip] FYI: UCCx v9.0 EOL announced...




In three parts...

   1. http://www.cisco.com/c/en/us/products/collateral/customer-collaboration/unified-contact-center-express/eos-eol-notice-c51-733721.html
   2. http://www.cisco.com/c/en/us/products/collateral/customer-collaboration/unified-contact-center-express/eos-eol-notice-c51-733720.html
   3. http://www.cisco.com/c/en/us/products/collateral/customer-collaboration/unified-contact-center-express/eos-eol-notice-c51-733719.html




Lelio Fulgenzi, B.A.
Senior Analyst, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519‐824‐4120 Ext 56354
le...@uoguelph.ca
www.uoguelph.ca/ccs
Room 037, Animal Science and Nutrition Building
Guelph, Ontario, N1G 2W1


