[cisco-voip] multi-SAN / server certificates vs individual certs (CUCM/IMP)

Charles Goldsmith wokka at justfamily.org
Thu Jun 28 11:42:09 EDT 2018


No problem, thanks for adding your insight.

There are a couple of other providers that do duplication as well; they
just call it something different, but I haven't worked with them directly.
I'm told GoDaddy now supports it, but they only sell the SANs in blocks of
5.


On Thu, Jun 28, 2018 at 10:39 AM Bill Talley <btalley at gmail.com> wrote:

> Scrolling through my phone and inadvertently replied to Charles' email when
> it popped up instead of Lelio’s.  Sorry for duplicating what Charles said 🤪
>
>
> Sent from an iOS device with very tiny touchscreen input keys.  Please
> excude my typtos.
>
> On Jun 28, 2018, at 10:24 AM, Charles Goldsmith <wokka at justfamily.org>
> wrote:
>
> Generate a CSR from each server type (CUCM, CUC, UCCX, and each
> Expressway) and load all hostnames into each server, including your cluster
> name of the Expressway and the domain name.  At Digicert, load your CSR,
> make sure the Common Name matches the CSR that the server came from.  Once
> you have one cluster done, go back into the order and request duplicate,
> load your 2nd CSR, check the Common Name and issue the duplicate.  Rinse
> and repeat for all systems.
>
> Expressway clusters do not support multi-SAN, so just duplicate for each
> node.
>
> On Thu, Jun 28, 2018 at 10:17 AM Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
>
>> Wait. What? I understand how the internals of CUCM and IMP can distribute
>> one multi-SAN cert (built on the publisher’s CSR) to each CUCM and IMP node
>> and use private keys to ensure they load, but….
>>
>> How the heck do you install a cert that was built on the pub’s CSR into
>> CUC and UCCX? Or Expressway for that matter?
>>
>> We are a Digicert client, so if you have specific breadcrumbs / drop down
>> options, feel free to share.
>>
>> Lelio
>>
>> ---
>> Lelio Fulgenzi, B.A. | Senior Analyst
>> Computing and Communications Services | University of Guelph
>> Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON |
>> N1G 2W1
>> 519-824-4120 Ext. 56354 | lelio at uoguelph.ca
>>
>> www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook
>>
>> From: Charles Goldsmith <wokka at justfamily.org>
>> Sent: Thursday, June 28, 2018 10:40 AM
>> To: Lelio Fulgenzi <lelio at uoguelph.ca>
>> Cc: voyp list, cisco-voip (cisco-voip at puck.nether.net) <cisco-voip at puck.nether.net>
>> Subject: Re: [cisco-voip] multi-SAN / server certificates vs individual certs (CUCM/IMP)
>>
>> I've used multi-SAN certs on at least a dozen installs and have had no
>> issues at all.  In fact, with a good SSL provider, you can use the same
>> multi-SAN on CUCM, CUC, UCCX, Expressways.  I like how Digicert does it,
>> just duplicate the cert and make sure all of the hostnames are listed in
>> the SAN.
>>
>> On Thu, Jun 28, 2018 at 9:37 AM Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
>>
>> We're in the process of installing signed certs and we have the choice
>> between multi-SAN cert with the publisher CSR and rely on the internals to
>> have that cert distributed to the subs and the IMP nodes -OR- go with
>> individual certs.
>>
>> It's a last-minute thing, so I still need to do some research, but I'm
>> wondering what people have been doing out there. We're less concerned with
>> cost than we are future stability. I know that this multi-SAN support is
>> recent with v10.x - have they ironed out the bugs? We're going with 11.5.
>>
>> Thoughts?
>>
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>
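
A pre-submission check for the procedure Charles describes in the quoted message above (each CSR's Common Name matches the server it came from, and every hostname is in the SAN), as an added example that is not part of the original thread. It parses the text printed by `openssl req -noout -text`; the hostnames, the inventory and the sample output are constructed placeholders.

```python
import re

# Constructed sample: the Subject and SAN lines that
# `openssl req -noout -text -in <file>.csr` prints for two CSRs.
# Keys are the servers the CSRs were generated on; all names are placeholders.
CSR_TEXT = {
    "cucm-pub.example.com": """
        Subject: C = US, O = Example, CN = cucm-pub.example.com
            X509v3 Subject Alternative Name:
                DNS:cucm-pub.example.com, DNS:cucm-sub1.example.com, DNS:cuc1.example.com, DNS:example.com
    """,
    "cuc1.example.com": """
        Subject: C=US, O=Example, CN=cucm-pub.example.com
            X509v3 Subject Alternative Name:
                DNS:cucm-pub.example.com, DNS:cuc1.example.com
    """,
}

# Assumed inventory: every hostname (plus the domain) the shared SAN list must carry.
REQUIRED_SANS = {"cucm-pub.example.com", "cucm-sub1.example.com",
                 "cuc1.example.com", "example.com"}

def parse_csr_text(text):
    """Return (common_name, set of DNS SANs) from openssl's text dump."""
    cn = re.search(r"Subject:.*?CN\s*=\s*([^,/\n]+)", text)
    san = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    names = set()
    for entry in (san.group(1).split(",") if san else []):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            names.add(value.strip().lower())
    return (cn.group(1).strip().lower() if cn else None), names

def check_csr(origin_host, text, required):
    """List where a CSR deviates from the procedure: wrong CN or incomplete SAN."""
    cn, sans = parse_csr_text(text)
    problems = []
    if cn != origin_host.lower():
        problems.append(f"CN {cn!r} does not match originating server {origin_host!r}")
    missing = sorted(required - sans)
    if missing:
        problems.append("SAN missing: " + ", ".join(missing))
    return problems

def check_all(csrs, required):
    return {host: check_csr(host, text, required) for host, text in csrs.items()}

if __name__ == "__main__":
    for host, problems in check_all(CSR_TEXT, REQUIRED_SANS).items():
        print(host, "OK" if not problems else problems)
```
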