[cisco-voip] Expressway certificate advice required.

Rajkumar Yadav rajkumaryadav at y7mail.com
Mon Mar 23 12:18:57 EDT 2015


Thanks Dennis,

Appreciate your detailed explanation.

So you mean I should perform both steps, i.e. on Expressway-C and E for traversal zone communication, and on the internal servers for Tomcat and XMPP too.

My CUCM version is 10.5.2.10000-5 for multi-SAN support.

Also there were a few comments that the GoDaddy certificate is not compatible with UC applications.

So the CN must be "cucm01.domain.com" only when the public CA sends the output for the CSR.

Regards,
Raaj.

From: "Heim, Dennis" <Dennis.Heim at wwt.com>
To: Rajkumar Yadav <rajkumaryadav at y7mail.com>; "cisco-voip at puck.nether.net" <cisco-voip at puck.nether.net>
Sent: Friday, 20 March 2015, 16:23
Subject: RE: [cisco-voip] Expressway certificate advice required.
Traditionally, you put the public certificate on the Expressway-E.

This would traditionally contain SANs such as:
DNS:Expe.domain.com
DNS:domain.com
DNS:conference-2-CUPSCluster1.domain.com

If you are doing security you would have the secure profile names in there, and I believe persistent chat has some implications too.

On the Expressway-C you would have certificates signed by your enterprise CA. Expressway-C and Expressway-E must be able to chain each other's certificates so that SIP/TLS can be established on the Unified Communications zone, aka trust chains must be loaded.

Enterprise certificates are traditionally installed on your internal servers such as Tomcat, etc. If using MultiSAN you must be on 10.5(2)SU2, because prior versions had a bug where the phones would reset every 7 minutes.

For your internal certificates, when possible, I have the following SANs inserted (depending on the competency and give-a-crap factor of the security team):
DNS:<Hostname>
DNS:<FQDN>
DNS:<IP-Address>
IP:<IP-Address>

Remember that from a certificate warning perspective, the service such as CUPS presents the client certificate and it is up to the operating system to perform the validation. All devices internally will need to trust your enterprise CA. If you have mobile devices registering internally, they will need to have the enterprise CA installed. If you don't have a BYOD/MDM solution, it may be easier to bite the bullet and get public certificates for your entire UC enterprise if that is important to you.

A couple of notes when generating your certificates off your enterprise CA:
- Make sure the certificate template you are using is set for Client AND Server Authentication.
- Make sure you have published certificate revocation lists (CRL/OCSP/AIA) that are accessible to all of your clients, wherever they are. If you are using a Windows CA, by default it just publishes into LDAP/AD. This is a problem when clients are external or not joined to the domain. The solution is to publish to a directory on your CA and share that location via HTTP/HTTPS.

Hope this helps

Dennis Heim | Emerging Technology Architect (Collaboration)
World Wide Technology, Inc. | +1 314-212-1814
"Innovation happens on project squared" -- http://www.projectsquared.com
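As an added check that is not part of the thread or any Cisco tool, the script below verifies a presented server certificate against the two points Dennis makes: the SAN list on the Expressway-E, and revocation information that external, non-domain-joined clients can actually reach (HTTP/HTTPS rather than LDAP only). It uses only the Python standard library, takes the three SANs from the message with domain.com as a placeholder, and runs offline against a constructed certificate dict in the shape that ssl.SSLSocket.getpeercert() returns.

```python
"""Check a UC/Expressway server certificate for the SANs and revocation
distribution points the thread calls for (standard library only)."""
import socket
import ssl

# SANs an Expressway-E public certificate is expected to carry, taken from the
# thread; domain.com stands in for the real enterprise domain.
EXPRESSWAY_E_SANS = ["Expe.domain.com", "domain.com",
                     "conference-2-CUPSCluster1.domain.com"]

# Constructed sample in getpeercert() layout: one required SAN is missing and
# revocation data is only published into LDAP/AD (the Windows CA default).
SAMPLE_CERT = {
    "subject": ((("commonName", "expe.domain.com"),),),
    "subjectAltName": (("DNS", "expe.domain.com"), ("DNS", "domain.com")),
    "crlDistributionPoints": (
        "ldap:///CN=Enterprise-CA,CN=CDP,CN=Public%20Key%20Services,"
        "CN=Services,CN=Configuration,DC=domain,DC=com?certificateRevocationList",
    ),
}


def fetch_peer_cert(host, port=443):
    """TLS-connect and return the validated peer certificate dict; raises
    ssl.SSLError when the chain does not validate against the local trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_uc_cert(cert, required_names):
    """Return a list of findings; an empty list means the certificate passes."""
    findings = []
    dns_names = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    for name in required_names:
        if name.lower() not in dns_names:
            findings.append("missing SAN DNS:%s" % name)
    # Clients match the CN as well, so the CN should be repeated as a SAN.
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and value.lower() not in dns_names:
                findings.append("CN %s not present in SAN" % value)
    # Revocation data must be reachable by external / non-domain clients.
    points = cert.get("crlDistributionPoints", ()) + cert.get("OCSP", ())
    if not points:
        findings.append("no CRL distribution point or OCSP responder published")
    elif not any(p.lower().startswith(("http://", "https://")) for p in points):
        findings.append("revocation data only via LDAP; unreachable for external or non-domain clients")
    return findings


if __name__ == "__main__":
    for finding in check_uc_cert(SAMPLE_CERT, EXPRESSWAY_E_SANS):
        print("FINDING:", finding)
```

Point fetch_peer_cert at a real Expressway-E and feed the result to check_uc_cert to run the same checks against a live listener.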

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Rajkumar Yadav
Sent: Friday, March 20, 2015 4:58 AM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] Expressway certificate advice required.

Hi,

Need a few clarifications on the Expressway MRA and certificates.

We have bought a multi-SAN certificate from GoDaddy for the UC applications.

Step 1:
If the certificate management part is done on the CUCM publisher for Tomcat with multi-SAN capabilities, it would include the FQDNs of all CUCM (Pub & Sub), CUC, IM & Presence and domain.com. Also I have to repeat the step for the IM & Presence server with CUP XMPP.

Step 2:
Now if I'm doing the Expressway (MRA) certificate management for the traversal zone with multi-SAN capabilities, will it include all the above FQDNs, and is it that I don't have to perform step 1?

If I don't perform step 1, will Jabber clients not throw an error for certificate acceptance (both inside and outside)?

Please confirm whether both need to be done or just step 2 is enough?

Regards,
Raaj.
