[cisco-voip] Digicert Wildcard certificates

Justin Steinberg jsteinberg at gmail.com
Tue Jul 21 11:24:29 EDT 2015


While we are on the topic of certs, has anyone had issues with certain CAs
not allowing top level domain as a SAN (e.g. cisco.com) ?

GoDaddy would complain in the UI that you shouldn't have a top level domain
as a SAN but would still sign the cert.  I'm having a problem now with
Internet2/Incommon where it won't let me put a top level domain in the cert
as a SAN.  It just won't take the CSR.

Justin

On Tue, Jul 21, 2015 at 8:16 AM, NateCCIE <nateccie at gmail.com> wrote:

> I think it’s 15 SANS plus *.domain.com and domain.com
>
> Pricing is at https://www.digicert.com/wildcard-ssl-certificates.htm
>
> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] *On Behalf
> Of *Anthony Holloway
> *Sent:* Monday, July 20, 2015 11:49 PM
> *To:* Charles Goldsmith; Ian Anderson
> *Cc:* Cisco VOIP
>
> *Subject:* Re: [cisco-voip] Digicert Wildcard certificates
>
> That's great to hear about digicert. I just went through a rough time with
> Comodo trying to get multiserver certs and my CNAMEs in the SAN field. How
> many SAN entries does digicert limit you to and at what price per year?
>
> On Mon, Jul 20, 2015 at 11:19 AM Charles Goldsmith <wokka at justfamily.org>
> wrote:
>
> One thing of note, Digicert works very well with all of our UC apps with
> their UC certificate.  Add all of your server names as SAN's, as well as
> the domain name, and just duplicate the certificate for each app, changing
> the CN.  It works well and also Digicert has great support.
>
> On Sun, Jul 19, 2015 at 4:27 AM, Ian Anderson <ia at andersoi.co.uk> wrote:
>
> Hi Nate,
>
> I think that the concern of using wildcards generally comes from the
> security and compliance folks in that if the private key of any of the
> servers was to be compromised then the resulting public and private keys
> could be used to impersonate any subdomain, e.g. e-payments.domain.com.
>
> That said, as long as the customer is aware of the risk then Digicert
> is a fantastic option, although a lot of these issues go away in 10.5.
>
> The only app I've had it completely throw a wobble on so far is UCCX 9.0
> as this was checking the CN on certificate upload and didn't like * even
> though the server name was in the SAN.
>
> Cheers
>
> Ian
>
> On 16 July 2015 at 02:35, NateCCIE <nateccie at gmail.com> wrote:
>
> Most of the time wildcard certs mean you have a CSR and a private key
> generated by something, and then you upload the private key and the public
> key to lots of servers.  The application would need to be able to upload a
> private key and not require its own CSR.
>
> CUCM, Unity Cxn, UCCX do not support uploading a private key.
>
> Expressway and, I think, Conductor do allow you to upload a private key.
>
> But what makes Digicert really cool is you can buy the wildcard cert, then
> you keep reissuing a new certificate from that one purchase.
>
> You can do this, from what I understand, an unlimited number of times.
>
> There may be other CAs that do this.  I saw one that seemed like it was
> going to work, but since the CSR did not include the * as a SAN, they would
> not issue the cert.
>
> Digicert with the wildcard includes the *.domain.com and domain.com SANs
> automatically, and you can specify about 15 other SANs for each CSR/cert.
>
> So CUCM and the other apps are happy because the cert was generated using
> its own CSR.
>
> Using these certs, I had one TAC case where CUCM balked at the cert, but I
> could upload the cluster-wide tomcat SAN cert via IM&P. This turned out to
> be a problem with the domain casing not matching between all of the servers
> and the cert. Always use domain.com and not DOMain.com and life is happy.
>
> I am not affiliated with Digicert other than they are here in Utah also.
> It just makes life really easy to tell the customer to buy this one cert
> and oh, I can make all of the Cisco UC/Jabber cert errors go away!
>
> PS. Has anyone figured out what to do with Conductor wanting an IP address
> in the SAN?
>
> Sent from my iPhone
>
>
> On Jul 15, 2015, at 10:42 AM, Anthony Holloway <
> avholloway+cisco-voip at gmail.com> wrote:
>
> I'm a little confused here.  According to this article:
> http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#wildcard,
> and this defect ID: https://tools.cisco.com/bugsearch/bug/CSCta14114/,
> wild card certs are not supported.  Are we talking about the same thing
> here?
>
> On Wed, Jul 15, 2015 at 10:08 AM Eric Pedersen <PedersenE at bennettjones.com>
> wrote:
>
> Digicert lets you put your domain and subdomains of any level as SANs.
> It’s great! They even generated a duplicate certificate for me with a
> different root CA that was supported with WebEx enabled Telepresence. We
> use their wildcard certificates on all of our UC servers.
>
> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] *On Behalf
> Of *Heim, Dennis
> *Sent:* 15 July 2015 8:28 AM
> *To:* Ian Anderson; NateCCIE; Cisco VOIP
>
>
> *Subject:* Re: [cisco-voip] Digicert Wildcard certificates
>
> I’ve found the hardest thing is to find a cert provider that likes putting
> the domain as a SAN such as DNS=mycollab.com. Has anyone found any
> providers that are kosher with that? From one of the Cisco Live sessions, I
> was told this is needed for service discovery to function properly.
>
> *Dennis Heim | Emerging Technology Architect (Collaboration)*
>
> World Wide Technology, Inc. | +1 314-212-1814
>
>
> “There is a fine line between Wrong and Visionary. Unfortunately, you have
> to be a visionary to see it." – Sheldon Cooper
>
> Click here to join me in my Collaboration Meeting Room
> <https://wwt.webex.com/meet/dennis.heim>
>
> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net
> <cisco-voip-bounces at puck.nether.net>] *On Behalf Of *Ian Anderson
>
>
> *Sent:* Wednesday, July 15, 2015 10:18 AM
> *To:* NateCCIE; Cisco VOIP
> *Subject:* Re: [cisco-voip] Digicert Wildcard certificates
>
> On 15 July 2015 at 15:02, NateCCIE <nateccie at gmail.com> wrote:
>
> Did you put all of your SANs in the digicert page?
>
> I have this working on all of my expressway installs.
>
> Hi Nate,
>
> Thanks for the quick response, just for preservation in the archives for
> future posterity and confirmation that digicert seems fine despite the
> warnings in the manuals, it seemed I was running into 2 separate issues.
>
> 1) I had uploaded the intermediate cert, but needed to manually download
> and upload the root CA
>
> 2) That then got me past the TLS error, only to find that I had
> fat-fingered the hostname in the SAN field :-(
>
> Cheers
>
> Ian
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
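Before submitting a CSR it helps to check which of your UC hostnames a SAN list like the one Nate describes will actually cover. The following is an added example for this thread, not code from any of the posts, from DigiCert or from Cisco; the SAN list, hostnames and IP are constructed. It shows why *.domain.com alone covers neither the bare domain (Dennis's DNS=mycollab.com problem) nor a deeper subdomain, why an IP SAN is its own entry (Nate's Conductor question), how one wildcard covers every single-label host including e-payments.domain.com (Ian's concern), and how a byte-exact comparison turns a DOMain.com casing mismatch into a rejected cert.

```python
import ipaddress

# Constructed SAN list mirroring the thread: DigiCert's automatic *.domain.com
# and domain.com entries, a few explicit server names, and one IP (Conductor).
SANS = ["*.domain.com", "domain.com", "cucm-pub.DOMAIN.com",
        "expressway-e.domain.com", "192.0.2.10"]

def _as_ip(value):
    """Return an ip_address object if value is an IP literal, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def san_matches(san, host, case_sensitive=False):
    """True if one SAN entry covers host (wildcard = exactly one DNS label).

    IP entries match only the identical IP and a wildcard never covers an IP.
    DNS names are case-insensitive, so both sides are lowercased by default;
    case_sensitive=True reproduces the byte-exact comparison behind the
    "DOMain.com" mismatch Nate hit on CUCM.
    """
    san_ip, host_ip = _as_ip(san), _as_ip(host)
    if san_ip is not None or host_ip is not None:
        return san_ip is not None and san_ip == host_ip
    if not case_sensitive:
        san, host = san.lower(), host.lower()
    san, host = san.rstrip("."), host.rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]                        # "*.domain.com" -> ".domain.com"
        if not host.endswith(suffix):
            return False
        left = host[:-len(suffix)]              # what the '*' stands for
        return bool(left) and "." not in left   # one non-empty label only
    return san == host

def covered_by(host, sans=SANS, case_sensitive=False):
    """SAN entries that cover host; an empty list means the cert won't work."""
    return [s for s in sans if san_matches(s, host, case_sensitive)]

def uncovered(hosts, sans=SANS, case_sensitive=False):
    """Hosts with no matching SAN: what still has to be added to the CSR."""
    return [h for h in hosts if not covered_by(h, sans, case_sensitive)]

if __name__ == "__main__":
    hosts = ["cucm-pub.domain.com", "domain.com", "e-payments.domain.com",
             "imp.sub.domain.com", "192.0.2.10", "192.0.2.11"]
    for h in hosts:
        print(f"{h:24} -> {covered_by(h) or 'NOT COVERED'}")
```

Run it against the SAN list you intend to submit and the FQDNs of every cluster node; anything in uncovered() needs its own SAN entry, and anything that only passes with case_sensitive=False is worth fixing in the CSR before CUCM sees it.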