[cisco-voip] Digicert Wildcard certificates

Justin Steinberg jsteinberg at gmail.com
Tue Jul 21 17:55:12 EDT 2015


Ya sorry I meant the parent domain.

The issue ended up being that the  Incommon wasn't setup right.   Their 800
tech support fixed it in like 40 seconds which was pretty cool.

I believe the 10.5 systems add the parent domain, or maybe it is just
Multiserver certs.

Justin
Justin,

TLDs are like .com, .net, .org , etc.  I think you meant parent domain.

Also, is that a feature of the multiserver cert, because I don't see CER
for example putting the parent domain in the CSR.

On Tue, Jul 21, 2015 at 10:24 AM Justin Steinberg <jsteinberg at gmail.com>
wrote:

> While we are on the topic of certs, has anyone had issues with certain CAs
> not allowing top level domain as a SAN (e.g. cisco.com) ?
>
> GoDaddy would complain in the UI that you shouldn't have a top level
> domain as a SAN but would still sign the cert.   I'm having a problem know
> with Internet2/Incommon where it won't let me put a top level domain in the
> cert as a SAN.  It just won't take the CSR.
>
> Justin
>
> On Tue, Jul 21, 2015 at 8:16 AM, NateCCIE <nateccie at gmail.com> wrote:
>
>> I think it’s 15 SANS plus *.domain.com and domain.com
>>
>>
>>
>> Pricing is at https://www.digicert.com/wildcard-ssl-certificates.htm
>>
>>
>>
>>
>>
>> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] *On
>> Behalf Of *Anthony Holloway
>> *Sent:* Monday, July 20, 2015 11:49 PM
>> *To:* Charles Goldsmith; Ian Anderson
>> *Cc:* Cisco VOIP
>>
>> *Subject:* Re: [cisco-voip] Digicert Wildcard certificates
>>
>>
>>
>> That's great to hear about digicert. I just went through a rough time
>> with Comodo trying to get multiserver certs and my CNAMEs in the SAN field.
>> How many SAN entries does digicert limit you to and at what price per year?
>>
>>
>>
>> On Mon, Jul 20, 2015 at 11:19 AM Charles Goldsmith <wokka at justfamily.org>
>> wrote:
>>
>> One thing of note, Digicert works very well with all of our UC apps with
>> their UC certificate.  Add all of your server names as SAN's, as well as
>> the domain name, and just duplicate the certificate for each app, changing
>> the CN.  It works well and also Digicert has great support.
>>
>>
>>
>> On Sun, Jul 19, 2015 at 4:27 AM, Ian Anderson <ia at andersoi.co.uk> wrote:
>>
>> Hi Nate,
>>
>>
>>
>> I think that the concern of using wildcards generaly comes from the
>> security and compliance folks in that if the private key of any of the
>> servers was to be compromised then the resulting public and private keys
>> could be used to impersonate any subdomain, e.g e-payments.domain.com..
>>
>>
>>
>> That said, as long as the customer is aware of the risk then the digicert
>> is a fantastic option, although a lot of these issues go away in 10.5.
>>
>>
>>
>> The only app I've had it completely throw a wobble on so far is UCCX 9.0
>> as this was checking the CN on certificate upload and didn't like * even
>> though the server name as in the SAN.
>>
>>
>>
>> Cheers
>>
>>
>>
>> Ian
>>
>>
>>
>> On 16 July 2015 at 02:35, NateCCIE <nateccie at gmail.com> wrote:
>>
>> Most of the time wildcard certs mean you have a CSR and a private key
>> generated by something, and then you upload the private key and the public
>> key to lots of servers.  The application would need to be able to upload a
>> private key and not require its own CSR.
>>
>>
>>
>> Cucm, unity cxn, uccx, do not support uploading a private key.
>>
>>
>>
>> Expressway, I think conductor do allow you to upload a private key.
>>
>>
>>
>> But what makes digicert really cool is you can buy the wildcard cert,
>> then you keep reissuing a new certificate from that one purchase.
>>
>>
>>
>> You can do this from what I understand an unlimited times.
>>
>>
>>
>> There may be other CAs that do this.  I saw one the seemed like it was
>> going to work, but since the CSR did not include the * as a SAN, they would
>> not issue the cert.
>>
>>
>>
>> Digicert with the Willard includes the *.domain.com and domain.com SANs
>> automatically, and you can specify about 15 other SANs for each CSR/cert.
>>
>>
>>
>> So cucm and the other apps are happy because the cert was generated using
>> its own CSR.
>>
>>
>>
>> Using these certs, I had one TAC case where cucm balked at the cert, but
>> I could upload the cluster wide tomcat SAN cert via im&p. This turned out
>> to be a problem with the domain casing not matching between all of the
>> servers and the cert. always use domain.com and not DOMain.com and life
>> is happy.
>>
>>
>>
>> I am not affiliated with digicert other than they are here in Utah also.
>> It just makes life really easy to tell the customer to buy this one cert
>> and O I can make all of the Cisco UC/jabber cert errors go away!
>>
>>
>>
>> Ps. Has anyone figured out what to do with conductor wanting IP address
>> in the SAN?
>>
>> Sent from my iPhone
>>
>>
>> On Jul 15, 2015, at 10:42 AM, Anthony Holloway <
>> avholloway+cisco-voip at gmail.com> wrote:
>>
>> I'm a little confused here.  According to this article:
>> http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#wildcard,
>> and this defect ID: https://tools.cisco.com/bugsearch/bug/CSCta14114/,
>> wild card certs are not supported.  Are we talking about the same thing
>> here?
>>
>>
>>
>> On Wed, Jul 15, 2015 at 10:08 AM Eric Pedersen <
>> PedersenE at bennettjones.com> wrote:
>>
>> Digicert lets you put your domain and subdomains of any level as SANs.
>> It’s great! They even generated a duplicate certificate for me with a
>> different root CA that was supported with WebEx enabled Telepresence. We
>> use their wildcard certificates on all of our UC servers.
>>
>>
>>
>> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] *On
>> Behalf Of *Heim, Dennis
>> *Sent:* 15 July 2015 8:28 AM
>> *To:* Ian Anderson; NateCCIE; Cisco VOIP
>>
>>
>> *Subject:* Re: [cisco-voip] Digicert Wildcard certificates
>>
>>
>>
>> I’ve found the hardest thing to find a cert providers that likes putting
>> the domain as a san such as DNS=mycollab.com. Has anyone found any
>> providers that are kosher with that? From one of the Cisco Live sessions, I
>> was told this is needed for service discovery to function properly.
>>
>>
>>
>> *Dennis Heim | Emerging Technology Architect (Collaboration)*
>>
>> World Wide Technology, Inc. | +1 314-212-1814
>>
>> [image: twitter] <https://twitter.com/CollabSensei>
>>
>> <image002.png><image003.png> <+13142121814><image004.png>
>>
>> “There is a fine line between Wrong and Visionary. Unfortunately, you
>> have to be a visionary to see it." – Sheldon Cooper
>>
>>
>>
>> Click here to join me in my Collaboration Meeting Room
>> <https://wwt.webex.com/meet/dennis.heim>
>>
>>
>>
>> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net
>> <cisco-voip-bounces at puck.nether.net>] *On Behalf Of *Ian Anderson
>>
>>
>> *Sent:* Wednesday, July 15, 2015 10:18 AM
>> *To:* NateCCIE; Cisco VOIP
>> *Subject:* Re: [cisco-voip] Digicert Wildcard certificates
>>
>>
>>
>>
>>
>> On 15 July 2015 at 15:02, NateCCIE <nateccie at gmail.com> wrote:
>>
>> Did you put all of your SANs in the digicert page?
>>
>> z
>>
>> I have this working on all of my expressway installs.
>>
>> Hi Nate,
>>
>>
>>
>> Thanks for the quick response, just for preservation in the archives for
>> future posterity and confirmation that digicert seems fine despite the
>> warnings in the manuals, it seemed I was running into 2 separate issues.
>>
>>
>>
>> 1) I had uploaded the intermediate cert, but needed to manually download
>> and upload the root CA
>>
>> 2) That then got me past the TLS error, only to find that I had
>> fat-fingered the hostname in the SAN field :-(
>>
>>
>>
>> Cheers
>>
>>
>>
>> Ian
>>
>>
>>
>> The contents of this message may contain confidential and/or privileged
>> subject matter. If this message has been received in error, please contact
>> the sender and delete all copies. Like other forms of communication, e-mail
>> communications may be vulnerable to interception by unauthorized parties.
>> If you do not wish us to communicate with you by e-mail, please notify us
>> at your earliest convenience. In the absence of such notification, your
>> consent is assumed. Should you choose to allow us to communicate by e-mail,
>> we will not take any additional security measures (such as encryption)
>> unless specifically requested.
>>
>> If you no longer wish to receive commercial messages, you can unsubscribe
>> by accessing this link: http://www.bennettjones.com/unsubscribe
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>>
>>
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>>
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20150721/9cd94fb5/attachment.html>


More information about the cisco-voip mailing list