[cisco-voip] Expressway cluster certificates.

Ryan Huff ryanhuff at outlook.com
Mon Oct 14 18:36:17 EDT 2019


So having more certs than needed in the Truststore generally won't cause issues, it's just one more certificate that can potentially be trusted.

As long as the new certificates are signed by the same internal CA as the one that is currently in the truststore for CUCM (all nodes), then you shouldn’t need to have the identity certificates in the truststore.

One reason that may have been done is because the original person wasn’t able to get CUCM to properly recognize the internal CA and trust certificates signed by it.

This could happen if the CA chain was uploaded incorrectly. The root should be uploaded first, then any intermediates.

Sent from my iPhone

On Oct 14, 2019, at 17:40, ROZA, Ariel <Ariel.ROZA at la.logicalis.com> wrote:


Hi Ryan,

Both Expressway servers are signed by the internal CA. I have uploaded the root and intermediate certificates, too.
But I am renewing the certificates on an existing cluster, and whoever installed it manually added the ExpC certs into tomcat-trust.

So, I understand that it would be safe to remove the ExpC certs from tomcat-trust and everything would be working fine?
What about the use the cluster name/don't use the cluster name contradiction?

Thanks,

Ariel.

From: Ryan Huff <ryanhuff at outlook.com>
Sent: Monday, October 14, 2019 18:14
To: ROZA, Ariel <Ariel.ROZA at LA.LOGICALIS.COM>
CC: cisco-voip (cisco-voip at puck.nether.net) <cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] Expressway cluster certificates.

Are the Expressway-C servers using self-signed certificates (I doubt it because you said they are multi-SAN)?

Generally, CUCM doesn't need to trust the identity certificate (unless it is self-signed). In all other cases, CUCM needs to trust the certificate authority that signed the Expressway-C certificates.

If for example, GoDaddy signed the SSL certificates for the Expressway-C, CUCM just needs to trust the GoDaddy certificate authority chain.

Sent from my iPhone

