[cisco-voip] Expressway certificate advice required.

Heim, Dennis Dennis.Heim at wwt.com
Fri Mar 20 08:23:21 EDT 2015


Traditionally, you put the public Certificate on the Expressway-E.

This would traditionally contain SANs such as:
DNS:Expe.domain.com
DNS:domain.com
DNS:conference-2-CUPSCluster1.domain.com

If you are doing security you would have the secure profile names in there, and I believe persistent chat has some implications too.

On the Expressway-C you would have certificates signed by your enterprise CA. Expressway-C and Expressway-E must be able to chain each other’s certificates so that the SIP/TLS can be established on the Unified Communication zone – aka trust chains must be loaded.

Enterprise certificates are traditionally installed on your internal servers such as tomcat, etc. If using MultiSAN you must be on 10.5(2)SU2, because prior versions had a bug where the phones would reset every 7 minutes.

For your internal certificates, when possible I have the following SANs inserted (depending on competency and give-a-crap factor of the security team):
DNS:<Hostname>
DNS:<FQDN>
DNS:<IP-Address>
IP:<IP-Address>

Remember that from a certificate warning perspective, the service such as CUPS presents the client certificate and it is up to the operating system to perform the validation. All devices internally will need to trust your enterprise CA. If you have mobile devices registering internally, they will need to have the Enterprise CA installed. If you don’t have a BYOD/MDM solution, it may be easier to bite the bullet and get public certificates for your entire UC enterprise if that is important to you.

A couple of notes when generating your Certificates off your enterprise CA:

· Make sure the certificate template you are using is set for Client AND Server Authentication.

· Make sure you are publishing certificate revocation lists (CRL/OCSP/AIA) that are accessible to all of your clients... wherever they are. If you are using a Windows CA, by default it just publishes into LDAP/AD. This is a problem when clients are external, or not joined to the domain. The solution is to publish to a directory on your CA and share that location via HTTP/HTTPS.

Hope this helps


Dennis Heim | Emerging Technology Architect (Collaboration)
World Wide Technology, Inc. | +1 314-212-1814



From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Rajkumar Yadav
Sent: Friday, March 20, 2015 4:58 AM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] Expressway certificate advice required.

Hi,

I need a few clarifications for the Expressway MRA and certificate.

We have bought a Multi SAN certificate from Go Daddy for UC applications.

Step 1:

If the certificate management part is done on the CUCM publisher for Tomcat with Multi SAN capabilities, it would include the FQDNs of all CUCM (Pub & Sub), CUC, IM & Presence and domain.com.
Also, I have to repeat the step for the IM & Presence server with Cup XMPP.

Step 2:

Now if I'm doing the Expressway (MRA) certificate management for the traversal zone with Multi SAN capabilities, will it include all the above FQDNs, and does that mean I don't have to perform step 1?

If I don't perform step 1, will Jabber clients not throw an error for certificate acceptance (both inside and outside)?

Please confirm whether both need to be done or just step 2 is enough.


Regards,
Raaj.
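
An added example, not part of the original thread: a small Python check that applies the checklist from the reply above (both EKUs, the expected SANs, CRL/AIA published over HTTP(S)) to the extension section of `openssl x509 -noout -text` output. The sample text, host names, CA name and the `extension`/`audit` helpers are constructed for illustration; note that OpenSSL prints an IP SAN as `IP Address:`.

```python
import re

# Constructed sample: extensions from `openssl x509 -noout -text` for a
# hypothetical Expressway-C certificate issued by a Windows enterprise CA.
SAMPLE = """\
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:expc, DNS:expc.domain.com, IP Address:10.0.0.5
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:ldap:///CN=Example-CA,CN=CDP?certificateRevocationList
            Authority Information Access:
                CA Issuers - URI:ldap:///CN=Example-CA,CN=AIA?cACertificate
"""

def extension(text, name):
    """Return the stripped body lines indented under one extension header."""
    body, head = [], None
    for line in text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if head is None:
            if stripped.startswith(name + ":"):
                head = indent
        elif stripped and indent <= head:
            break  # next header at the same or shallower indent ends the body
        elif stripped:
            body.append(stripped)
    return body

def audit(text, required_sans):
    """List deviations from the checklist in the reply above."""
    findings = []
    eku = " ".join(extension(text, "X509v3 Extended Key Usage"))
    for usage in ("TLS Web Server Authentication", "TLS Web Client Authentication"):
        if usage not in eku:
            findings.append("EKU missing: " + usage)
    san_text = ",".join(extension(text, "X509v3 Subject Alternative Name"))
    sans = {s.strip().lower() for s in san_text.split(",")}
    for want in required_sans:
        if want.lower() not in sans:
            findings.append("SAN missing: " + want)
    # Revocation and issuer URLs must work for clients that cannot query AD.
    for label, name in (("CRL", "X509v3 CRL Distribution Points"),
                        ("AIA", "Authority Information Access")):
        uris = re.findall(r"URI:(\S+)", " ".join(extension(text, name)))
        if not any(u.lower().startswith(("http://", "https://")) for u in uris):
            findings.append(label + ": no HTTP(S) URI published")
    return findings
```

Calling `audit(SAMPLE, ["DNS:expc.domain.com", "DNS:10.0.0.5"])` on the constructed sample reports the missing client-authentication EKU, the missing SAN, and the LDAP-only CRL and AIA locations.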