[cisco-voip] certificates and SANs - what's really needed in there?
Lelio Fulgenzi
lelio at uoguelph.ca
Thu Jun 9 12:15:13 EDT 2016
Our lab expressway cluster is on its way to being completed... only thing missing is the certificates.
I read up a little on the archives, but still not so clear.
We're going to be getting individual certs for each Exp-C and Exp-E member (a cluster of 2xC, 2xE).
I don't believe I need any SANs for the Exp-C. But I'm not sure if I need the cluster name in the certificate.
* CERT 1: CN=exp-c-a.acme.com, SAN=exp-c-cluster.acme.com
* CERT 2: CN=exp-c-b.acme.com, SAN=exp-c-cluster.acme.com
For the Exp-E, I'd like to add the hostname for the outside interface, as well as the CNAME for the services domain, and the CNAME/ALIAS I'm using for the collab-edge resolution.
* CERT 1: CN=exp-e-a.acme.com, SAN=exp-e-cluster.acme.com, exp-e-a-out.acme.com, myjabber.acme.com, proxy-a.acme.com
* CERT 2: CN=exp-e-b.acme.com, SAN=exp-e-cluster.acme.com, exp-e-b-out.acme.com, myjabber.acme.com, proxy-b.acme.com
In our use case, _collab-edge SRV records resolve to proxy-a and proxy-b, and those resolve to the exp-e-a-out and exp-e-b-out interfaces respectively.
Anything special to get off-prem hardware devices like the 88/98xx, DX and SX to work properly via MRA?
---
Lelio Fulgenzi, B.A.
Senior Analyst, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph
519‐824‐4120 Ext 56354
lelio at uoguelph.ca
www.uoguelph.ca/ccs
Room 037, Animal Science and Nutrition Building
Guelph, Ontario, N1G 2W1
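
An added example, not part of the original post: a Python check that applies RFC 6125 hostname matching to the Exp-E "CERT 1" layout above, read literally (CN not repeated in the SAN list). It shows that a verifier following RFC 6125 ignores the CN once any DNS SAN is present; how Expressway, the issuing CA or the endpoints treat the CN is not stated in the post and is not assumed here. All function names are hypothetical.

```python
# Constructed from the Exp-E "CERT 1" line in the post, read literally:
# the CN is NOT repeated in the SAN list.
PLANNED_CN = "exp-e-a.acme.com"
PLANNED_SANS = ["exp-e-cluster.acme.com", "exp-e-a-out.acme.com",
                "myjabber.acme.com", "proxy-a.acme.com"]


def _name_match(pattern, host):
    """Compare one DNS name from the cert against the name the client dialed."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # A wildcard covers exactly one left-most label.
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h


def cert_matches(host, cn, sans):
    """RFC 6125 section 6.4.4: the CN is consulted only when no DNS SAN exists."""
    candidates = sans if sans else [cn]
    return any(_name_match(name, host) for name in candidates)


def uncovered(names, cn, sans):
    """Return the names a verifier would fail to match against this cert."""
    return [n for n in names if not cert_matches(n, cn, sans)]


# Names the post associates with node A: node FQDN, cluster name, outside
# interface, services-domain CNAME and the collab-edge SRV target.
NAMES_NODE_A = [PLANNED_CN] + PLANNED_SANS

if __name__ == "__main__":
    print("as written:        ",
          uncovered(NAMES_NODE_A, PLANNED_CN, PLANNED_SANS))
    print("CN repeated in SAN:",
          uncovered(NAMES_NODE_A, PLANNED_CN, [PLANNED_CN] + PLANNED_SANS))
```
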