[cisco-voip] collab edge dns/SSL cert

Matthew Loraditch MLoraditch at heliontechnologies.com
Mon Jun 1 10:03:08 EDT 2015


It could be depending on what exactly was ordered, but I know godaddy supports having the domain as a SAN. I have it on certs I’ve bought in the past month for expressway and it’s actually supposed to be there:

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-5-1.pdf

See pages 8 and 9. You can prefix collab-edge to the domain if you like, but if you are doing XMPP federation you need it anyway.




Matthew G. Loraditch – CCNP-Voice, CCNA-R&S, CCDA
Network Engineer
Direct Voice: 443.541.1518

Facebook<https://www.facebook.com/heliontech?ref=hl> | Twitter<https://twitter.com/HelionTech> | LinkedIn<https://www.linkedin.com/company/helion-technologies?trk=top_nav_home> | G+<https://plus.google.com/+Heliontechnologies/posts>

From: Chris Ward (chrward) [mailto:chrward at cisco.com]
Sent: Monday, June 1, 2015 9:52 AM
To: Matthew Loraditch; Ed Leatherman; Cisco VOIP
Subject: RE: [cisco-voip] collab edge dns/SSL cert

I think the problem is requesting your root domain. Some issuers won’t issue root domain certs and the ones that do call them wildcard certs as they cover an entire domain (support for wildcard certs is somewhat limited).

For example, if you were to go to https://cisco.com/ rather than https://www.cisco.com/ you would find that the first has an invalid SSL cert as cisco doesn’t have a root domain cert.

For the very security savvy, it is considered to be inappropriate to use domain-level certs.

Go with just the hostname of the Expressway and potentially an actual alternate hostname if you ever needed to provide an alternate DNS entry to reach the same Expressway. In either case, drop domain.edu. You don’t need it and I suspect that’s what GoDaddy is complaining about.

+Chris
TME - MediaSense and Unity Connection

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Matthew Loraditch
Sent: Monday, June 01, 2015 9:44 AM
To: Ed Leatherman; Cisco VOIP
Subject: Re: [cisco-voip] collab edge dns/SSL cert

https://www.sslshopper.com/csr-decoder.html

Try dumping the csr in there and see if you see something unexpected.

Matthew G. Loraditch – CCNP-Voice, CCNA-R&S, CCDA
Network Engineer
Direct Voice: 443.541.1518
Facebook<https://www.facebook.com/heliontech?ref=hl> | Twitter<https://twitter.com/HelionTech> | LinkedIn<https://www.linkedin.com/company/helion-technologies?trk=top_nav_home> | G+<https://plus.google.com/+Heliontechnologies/posts>

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ed Leatherman
Sent: Monday, June 1, 2015 9:41 AM
To: Cisco VOIP
Subject: [cisco-voip] collab edge dns/SSL cert

Hello everyone!

I'm getting an error kicked back from GoDaddy trying to sign my expressway-e cert, looking for a sanity check here.

I'm setting up the external side as a cluster (of 1 currently), I'd like for my users to be able to sign in as username at domain.edu for MRA.

dns:
expressway-e is expe-cluster1-node1.domain.edu
srv = _collab-edge._tls.domain.edu , sips._tcp.domain.edu both point to the expe-cluster1-node1

exp-e cluster name is domain.edu

on my CSR i have it set to generate a SAN for FQDN of expressway cluster plus FQDN of this peer, so:
DNS:expe-cluster1-node1.domain.edu
DNS:domain.edu

GoDaddy kicks back an error saying "You can not add a SAN that is the same as the domain you are already using."

Is my dns/SAN configuration incorrect or is this a deficiency with godaddy (standard UCC cert)? Or did I miss the boat completely (totally possible!)?





--
Ed Leatherman
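As an added example (not from any poster in this thread), the script below rebuilds a CSR shaped like the one Ed describes (peer FQDN plus bare cluster domain as SANs, constructed names) and decodes it with openssl the way the online CSR decoder Matthew points to would, so the CN and SAN list can be checked locally before submitting to a CA. The `apex_sans` check is a hypothetical helper that flags a SAN which is the bare parent domain of another SAN, the entry GoDaddy rejected in the thread.

```shell
#!/bin/sh
# Added example: reproduce the thread's CSR shape and inspect it offline.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_csr CN SAN1 [SAN2 ...] -> prints the path of a CSR with those DNS SANs
make_csr() {
  cn=$1; shift
  i=1; alt=""
  for s in "$@"; do alt="$alt
DNS.$i = $s"; i=$((i + 1)); done
  cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
subjectAltName = @alt
[alt]$alt
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
    -config "$WORK/req.cnf" -out "$WORK/req.csr" 2>/dev/null
  echo "$WORK/req.csr"
}

# csr_cn CSR -> the CN from the subject (works with old and new openssl output)
csr_cn() {
  openssl req -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# csr_sans CSR -> DNS SAN entries, one per line, as a CSR decoder would list them
csr_sans() {
  openssl req -noout -text -in "$1" \
    | grep -A1 'Subject Alternative Name' | tail -n1 \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# apex_sans CSR -> SAN entries that are the bare parent domain of another SAN
apex_sans() {
  names=$(csr_sans "$1")
  for a in $names; do
    for b in $names; do
      case "$b" in *".$a") echo "$a"; break ;; esac
    done
  done
}

# Constructed names mirroring the thread: peer FQDN plus bare cluster domain.
CSR=$(make_csr expe-cluster1-node1.domain.edu expe-cluster1-node1.domain.edu domain.edu)
echo "CN:   $(csr_cn "$CSR")"
echo "SANs: $(csr_sans "$CSR" | tr '\n' ' ')"
echo "bare-domain SANs: $(apex_sans "$CSR")"
```

A bare-domain SAN is what the thread's replies suggest dropping; an empty last line means the CSR only carries host-level names.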

