[cisco-voip] Digicert Wildcard certificates

Justin Steinberg jsteinberg at gmail.com
Wed Jul 15 15:02:05 EDT 2015


To Dennis' point, you don't have to put DNS=mycollab.com in the SAN. There
is an alternative: use DNS=collab-edge.mycollab.com

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Mobile-Remote-Access-via-Expressway-Deployment-Guide-X8-5.pdf


On Wed, Jul 15, 2015 at 2:16 PM, Heim, Dennis <Dennis.Heim at wwt.com> wrote:

>  If you have not seen the Cisco Live session on collab security I would
> definitely recommend it. It had some good discussion on certificates. Based
> on that Wildcard certs will never be supported on CUCM and the like and are
> frowned upon within the security community.
>
>
>
> *Dennis Heim | Emerging Technology Architect (Collaboration)*
>
> World Wide Technology, Inc. | +1 314-212-1814
>
>
> “There is a fine line between Wrong and Visionary. Unfortunately, you have
> to be a visionary to see it." – Sheldon Cooper
>
>
>
> Click here to join me in my Collaboration Meeting Room
> <https://wwt.webex.com/meet/dennis.heim>
>
>
>
> *From:* Eric Pedersen [mailto:PedersenE at bennettjones.com]
> *Sent:* Wednesday, July 15, 2015 12:51 PM
> *To:* Anthony Holloway; Heim, Dennis; Ian Anderson; NateCCIE; Cisco VOIP
> *Subject:* RE: [cisco-voip] Digicert Wildcard certificates
>
>
>
> Good point. I spoke too soon: we use wildcard certificates on VCS-E and
> WebEx Meeting Server only. IIRC VCS officially doesn’t support wildcard
> certificates either but everything seems to work provided the hostnames are
> configured as SANs. CUCM might be the same with the multi-server
> certificate but I haven’t tried.
>
>
>
> *From:* Anthony Holloway [mailto:avholloway+cisco-voip at gmail.com
> <avholloway+cisco-voip at gmail.com>]
> *Sent:* 15 July 2015 10:43 AM
> *To:* Eric Pedersen; Heim, Dennis; Ian Anderson; NateCCIE; Cisco VOIP
> *Subject:* Re: [cisco-voip] Digicert Wildcard certificates
>
>
>
> I'm a little confused here. According to this article:
> http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#wildcard,
> and this defect ID: https://tools.cisco.com/bugsearch/bug/CSCta14114/,
> wildcard certs are not supported. Are we talking about the same thing
> here?
>
>
>
> On Wed, Jul 15, 2015 at 10:08 AM Eric Pedersen <PedersenE at bennettjones.com>
> wrote:
>
>  Digicert lets you put your domain and subdomains of any level as SANs.
> It’s great! They even generated a duplicate certificate for me with a
> different root CA that was supported with WebEx enabled Telepresence. We
> use their wildcard certificates on all of our UC servers.
>
>
>
> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] *On Behalf
> Of *Heim, Dennis
> *Sent:* 15 July 2015 8:28 AM
> *To:* Ian Anderson; NateCCIE; Cisco VOIP
>
>
> *Subject:* Re: [cisco-voip] Digicert Wildcard certificates
>
>
>
> I’ve found the hardest thing is to find a cert provider that likes putting
> the domain as a SAN such as DNS=mycollab.com. Has anyone found any
> providers that are kosher with that? From one of the Cisco Live sessions, I
> was told this is needed for service discovery to function properly.
>
>
>
> *Dennis Heim | Emerging Technology Architect (Collaboration)*
>
> World Wide Technology, Inc. | +1 314-212-1814
>
>
> “There is a fine line between Wrong and Visionary. Unfortunately, you have
> to be a visionary to see it." – Sheldon Cooper
>
>
>
> Click here to join me in my Collaboration Meeting Room
> <https://wwt.webex.com/meet/dennis.heim>
>
>
>
> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net
> <cisco-voip-bounces at puck.nether.net>] *On Behalf Of *Ian Anderson
>
>
> *Sent:* Wednesday, July 15, 2015 10:18 AM
> *To:* NateCCIE; Cisco VOIP
> *Subject:* Re: [cisco-voip] Digicert Wildcard certificates
>
>
>
>
>
> On 15 July 2015 at 15:02, NateCCIE <nateccie at gmail.com> wrote:
>
>  Did you put all of your SANs in the digicert page?
>
> I have this working on all of my expressway installs.
>
>  Hi Nate,
>
>
>
> Thanks for the quick response, just for preservation in the archives for
> future posterity and confirmation that digicert seems fine despite the
> warnings in the manuals, it seemed I was running into 2 separate issues.
>
>
>
> 1) I had uploaded the intermediate cert, but needed to manually download
> and upload the root CA
>
> 2) That then got me past the TLS error, only to find that I had
> fat-fingered the hostname in the SAN field :-(
>
>
>
> Cheers
>
>
>
> Ian
>
>
>
> The contents of this message may contain confidential and/or privileged
> subject matter. If this message has been received in error, please contact
> the sender and delete all copies. Like other forms of communication, e-mail
> communications may be vulnerable to interception by unauthorized parties.
> If you do not wish us to communicate with you by e-mail, please notify us
> at your earliest convenience. In the absence of such notification, your
> consent is assumed. Should you choose to allow us to communicate by e-mail,
> we will not take any additional security measures (such as encryption)
> unless specifically requested.
>
> If you no longer wish to receive commercial messages, you can unsubscribe
> by accessing this link: http://www.bennettjones.com/unsubscribe
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
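The two problems this thread keeps circling back to (hostnames that a browser would accept via a wildcard SAN but that CUCM/Expressway will not, and a mistyped SAN name) can be caught before the certificate is uploaded. The script below is an added example, not code from the thread or from Cisco; the domain, hostnames and the openssl subjectAltName dump it parses are constructed for illustration.

```python
"""Check that every hostname a Cisco UC/Expressway deployment needs is an
exact SAN entry rather than something only a wildcard would cover."""
import re

# Constructed sample: the extension as printed by
# `openssl x509 -noout -ext subjectAltName -in cert.pem`, with the
# collab-edge SAN deliberately fat-fingered (hypothetical names).
SAMPLE_SAN_DUMP = """X509v3 Subject Alternative Name:
    DNS:*.mycollab.com, DNS:expe1.mycollab.com, DNS:collab-edg.mycollab.com, DNS:mycollab.com"""


def parse_san_dump(text):
    """Return the lower-cased DNS names listed in an openssl SAN dump."""
    return [m.group(1).lower() for m in re.finditer(r"DNS:([A-Za-z0-9*.\-]+)", text)]


def wildcard_matches(pattern, host):
    """RFC 6125-style match: '*' only as the whole leftmost label, and it
    covers exactly one label (no dots in the part it replaces)."""
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                 # e.g. ".mycollab.com"
    if not host.endswith(suffix):
        return False
    left = host[:-len(suffix)]
    return bool(left) and "." not in left


def classify(required, sans):
    """Map each required hostname to 'exact', 'wildcard-only' or 'missing'.
    'wildcard-only' means a browser would be happy but CUCM/Expressway,
    which do not support wildcard certificates, would not."""
    result = {}
    for host in required:
        h = host.lower()
        if h in sans:
            result[host] = "exact"
        elif any(wildcard_matches(s, h) for s in sans if s.startswith("*.")):
            result[host] = "wildcard-only"
        else:
            result[host] = "missing"
    return result


def discovery_san_present(domain, sans):
    """Service discovery needs the bare domain or collab-edge.<domain> as a SAN."""
    d = domain.lower()
    return d in sans or f"collab-edge.{d}" in sans
```

Run against the sample, the typo'd collab-edge entry shows up as "wildcard-only" rather than "exact", which is exactly the case that works in a browser test and then fails on the Expressway.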