[cisco-voip] Recommendation For Certificate Provider For Jabber/Presence Use

Anthony Holloway avholloway+cisco-voip at gmail.com
Thu Feb 5 14:31:24 EST 2015


"If you are using MRA, then the Expressway-E is the only entity that should
require an external certificate."

To the best of my knowledge, if you have iPhone Jabber clients connecting
via MRA, they will require public Trusted Root CAs.

On Thu Feb 05 2015 at 12:31:45 PM Heim, Dennis <Dennis.Heim at wwt.com> wrote:

> For those Windows clients you can run the following:
>
> certutil -verify -urlfetch <Path-to-CUPS-tomcat-cert.cer>
>
> That should show why the certificate is failing validation. If you use an
> internal CA to sign your certs, include the following subject alternative
> names:
> DNS:<FQDN>
> DNS:<Hostname>
> DNS:<IP-Address>
> IP:<IP-Address>
>
> I find that overkill usually helps certs validate.
>
> A few other things:
> - If using internal certificates, make sure that the AIA and CRL are
>   published outside of Active Directory (aka via URL)
> - Make sure your template is supporting Server AND Client authentication.
>
> If you are using MRA, then the Expressway-E is the only entity that should
> require an external certificate.
>
> Hope this helps.
>
>
>
> Dennis Heim | Emerging Technology Architect (Collaboration)
> World Wide Technology, Inc. | +1 314-212-1814
>
>
> "Innovation happens on project squared" -- http://www.projectsquared.com
>
>
> -----Original Message-----
> From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of
> Gary Parker
> Sent: Thursday, February 05, 2015 11:24 AM
> To: Cisco VoIP Group
> Subject: [cisco-voip] Recommendation For Certificate Provider For
> Jabber/Presence Use
>
> Hi folks, I’m in the process of replacing a load of self-signed certs on
> my 8.6.x CUCM, CUC and CUP servers.
>
> I’ve been having issues getting certs with the correct KeyUsage extensions
> from our current provider and wondered if anyone could recommend a company
> who can provide certificates that honour the requirements in the CSRs
> generated by the Cisco Unified Communications servers.
>
> I’m particularly interested in certificates that contain the
> "digitalSignature, nonRepudiation,keyEncipherment,dataEncipherment"
> extensions as per:
>
> http://blog.warcop.com/2015/01/22/cisco-jabber-certificate-warning-again/
>
> Jabber for Windows clients 9.2.5 and greater are flagging invalid
> certificates on our currently installed TERENA certificates.
>
> ---
> /-Gary Parker----------------------------------f--\
> |     Unified Communications Service Manager      |
> n       Loughborough University IT Services       |
> |     Tel: +441509635635  Mob: +447989172258      o
> |     http://delphium.lboro.ac.uk/pubkey.txt      |
> \r----------------------------------------------d-/
>
>
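
Added example (not part of the original thread, and not Cisco or Microsoft tooling): a Python check that audits the extension section of `openssl x509 -noout -text` output against the checklist in the quoted reply (SANs, Server and Client authentication, AIA/CRL reachable by URL) and the KeyUsage values from the original question. The sample text, host names and the `extensions`/`audit` helpers are constructed for illustration, and treating an http(s) URI as "published via URL" is an assumption.

```python
import re

# Constructed sample (not from the thread): extension section of
# `openssl x509 -noout -text` for a hypothetical internally signed CUPS cert.
SAMPLE = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:cups01.example.com, IP Address:192.0.2.10
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:ldap:///CN=Example-CA,CN=CDP,DC=example,DC=com
            Authority Information Access:
                CA Issuers - URI:http://pki.example.com/Example-CA.crt
"""
KEY_USAGE = ["Digital Signature", "Non Repudiation", "Key Encipherment", "Data Encipherment"]
EKU = ["TLS Web Server Authentication", "TLS Web Client Authentication"]

def extensions(text):
    """Map extension name -> body, keyed on openssl's 12-space header indent."""
    exts, name = {}, None
    for line in text.splitlines():
        head = re.match(r" {12}(?:X509v3 )?(\S.*?):\s*(?:critical)?\s*$", line)
        if head:
            name = head.group(1)
            exts[name] = ""
        elif line.strip() and len(line) - len(line.lstrip()) < 12:
            name = None  # dedent: left the extensions section
        elif name:
            exts[name] += line.strip() + "\n"
    return exts

def audit(text, fqdn, hostname, ip):
    """Return findings against the thread's checklist; an empty list means pass."""
    ext = extensions(text)
    out = [f"KeyUsage missing: {u}" for u in KEY_USAGE if u not in ext.get("Key Usage", "")]
    out += [f"EKU missing: {p}" for p in EKU if p not in ext.get("Extended Key Usage", "")]
    sans = re.findall(r"(DNS|IP Address):([^,\s]+)", ext.get("Subject Alternative Name", ""))
    wanted = [("DNS", fqdn), ("DNS", hostname), ("DNS", ip), ("IP Address", ip)]
    out += [f"SAN missing: {k}:{v}" for k, v in wanted if (k, v) not in sans]
    for name in ("CRL Distribution Points", "Authority Information Access"):
        uris = re.findall(r"URI:(\S+)", ext.get(name, ""))
        # Assumption: "published via URL" means at least one http(s) URI, not only ldap.
        if not any(u.lower().startswith(("http://", "https://")) for u in uris):
            out.append(f"{name}: no HTTP URL")
    return out
```

Run it on the text dump of the certificate the CA returned, before uploading it to the server, to see which of the listed requirements the CA dropped or changed.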