[cisco-voip] Digicert Wildcard certificates

NateCCIE nateccie at gmail.com
Wed Jul 15 21:35:30 EDT 2015


Most of the time wildcard certs mean you have a CSR and a private key generated by something, and then you upload the private key and the public key to lots of servers.  The application would need to be able to upload a private key and not require its own CSR. 

Cucm, unity cxn, uccx, do not support uploading a private key. 

Expressway, I think conductor do allow you to upload a private key. 

But what makes digicert really cool is you can buy the wildcard cert, then you keep reissuing a new certificate from that one purchase.

You can do this from what I understand an unlimited times.

There may be other CAs that do this.  I saw one the seemed like it was going to work, but since the CSR did not include the * as a SAN, they would not issue the cert.

Digicert with the Willard includes the *.domain.com and domain.com SANs automatically, and you can specify about 15 other SANs for each CSR/cert.

So cucm and the other apps are happy because the cert was generated using its own CSR.

Using these certs, I had one TAC case where cucm balked at the cert, but I could upload the cluster wide tomcat SAN cert via im&p. This turned out to be a problem with the domain casing not matching between all of the servers and the cert. always use domain.com and not DOMain.com and life is happy. 

I am not affiliated with digicert other than they are here in Utah also. It just makes life really easy to tell the customer to buy this one cert and O I can make all of the Cisco UC/jabber cert errors go away!

Ps. Has anyone figured out what to do with conductor wanting IP address in the SAN?

Sent from my iPhone

> On Jul 15, 2015, at 10:42 AM, Anthony Holloway <avholloway+cisco-voip at gmail.com> wrote:
> 
> I'm a little confused here.  According to this article: http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#wildcard, and this defect ID: https://tools.cisco.com/bugsearch/bug/CSCta14114/, wild card certs are not supported.  Are we talking about the same thing here?
> 
>> On Wed, Jul 15, 2015 at 10:08 AM Eric Pedersen <PedersenE at bennettjones.com> wrote:
>> Digicert lets you put your domain and subdomains of any level as SANs. It’s great! They even generated a duplicate certificate for me with a different root CA that was supported with WebEx enabled Telepresence. We use their wildcard certificates on all of our UC servers.
>> 
>>  
>> 
>> From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Heim, Dennis
>> Sent: 15 July 2015 8:28 AM
>> To: Ian Anderson; NateCCIE; Cisco VOIP
>> 
>> 
>> Subject: Re: [cisco-voip] Digicert Wildcard certificates
>> 
>> 
>>  
>> 
>> I’ve found the hardest thing to find a cert providers that likes putting the domain as a san such as DNS=mycollab.com. Has anyone found any providers that are kosher with that? From one of the Cisco Live sessions, I was told this is needed for service discovery to function properly.
>> 
>>  
>> 
>> Dennis Heim | Emerging Technology Architect (Collaboration)
>> 
>> World Wide Technology, Inc. | +1 314-212-1814
>> 
>> 
>> 
>> <image002.png><image003.png><image004.png>
>> 
>> “There is a fine line between Wrong and Visionary. Unfortunately, you have to be a visionary to see it." – Sheldon Cooper
>> 
>>  
>> 
>> Click here to join me in my Collaboration Meeting Room
>> 
>>  
>> 
>> From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ian Anderson
>> 
>> 
>> Sent: Wednesday, July 15, 2015 10:18 AM
>> To: NateCCIE; Cisco VOIP
>> Subject: Re: [cisco-voip] Digicert Wildcard certificates
>> 
>>  
>> 
>>  
>> 
>> On 15 July 2015 at 15:02, NateCCIE <nateccie at gmail.com> wrote:
>> 
>> Did you put all of your SANs in the digicert page?
>> 
>> z
>> 
>> I have this working on all of my expressway installs. 
>> 
>> Hi Nate, 
>> 
>>  
>> 
>> Thanks for the quick response, just for preservation in the archives for future posterity and confirmation that digicert seems fine despite the warnings in the manuals, it seemed I was running into 2 separate issues.
>> 
>>  
>> 
>> 1) I had uploaded the intermediate cert, but needed to manually download and upload the root CA
>> 
>> 2) That then got me past the TLS error, only to find that I had fat-fingered the hostname in the SAN field :-(
>> 
>>  
>> 
>> Cheers
>> 
>>  
>> 
>> Ian 
>> 
>> 
>> 
>> The contents of this message may contain confidential and/or privileged subject matter. If this message has been received in error, please contact the sender and delete all copies. Like other forms of communication, e-mail communications may be vulnerable to interception by unauthorized parties. If you do not wish us to communicate with you by e-mail, please notify us at your earliest convenience. In the absence of such notification, your consent is assumed. Should you choose to allow us to communicate by e-mail, we will not take any additional security measures (such as encryption) unless specifically requested. 
>> 
>> If you no longer wish to receive commercial messages, you can unsubscribe by accessing this link: http://www.bennettjones.com/unsubscribe
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20150715/3ea81029/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 3876 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20150715/3ea81029/attachment.png>


More information about the cisco-voip mailing list