[cisco-voip] [EXTERNAL] Cost-Effective Public Certificate Authority for CUCM certificates
Charles Goldsmith
w at woka.us
Sun Apr 5 12:44:27 EDT 2020
Last I looked, SSL certs can be had for 2 years, so agreed, not as good as
3, but still.
I'm a big fan of Let's Encrypt, but putting that on the inside of your
network will be challenging, since that whole process has to be accessed
from the internet for it to work. I do hope they solve it for CUCM, CUC
and IM&P, but I don't see it happening anytime soon.
When you set up LE on the Expressway Edge, it has to be accessed by port 80
for them to validate it; no security engineer is going to let you do that
to CUCM, unless they work up a method to do some other validation.
On Sun, Apr 5, 2020 at 11:28 AM Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
> Yeah. Considering how much effort we put on security, telling people to
> ignore cert warnings is probably not the best. It does take a bit more
> work. And it was ok with three year certs. Annual certs are going to make
> things a bit worse.
>
> Pushing self-signed certs (or roots?) to devices will be an issue. And
> outside the scope of telephony. There are tools that can help. I believe
> JoinNow tool is one example. We use that and I believe my colleague got
> that working in a test environment.
>
> I’m hoping they have an SU that introduces Let’s Encrypt for v11.5. 🤞🤞
>
> Sent from my iPhone
>
> On Apr 5, 2020, at 12:00 PM, Anthony Holloway <
> avholloway+cisco-voip at gmail.com> wrote:
>
> Not to answer for Brian, but with the introduction of MRA, employees can
> run Jabber on any device they want. This makes putting private CA-signed
> certs on those devices impossible or at least a giant headache.
>
> On Sat, Apr 4, 2020 at 7:30 AM Mark H. Turpin <mturpin at covene.com> wrote:
>
>> I’m using namecheap and have for years. Cheap certs from Comodo and they
>> work fine. You can do email, web, and DNS validation -
>> https://www.namecheap.com/support/knowledgebase/article.aspx/9637/68/how-can-i-complete-the-domain-control-validation-dcv-for-my-ssl-certificate
>>
>> Sorry, I missed the part on why you’re not using an internal CA for your
>> internal servers though?
>>
>> --
>> -Mark
>> ------------------------------
>> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> on behalf of
>> Anthony Holloway <avholloway+cisco-voip at gmail.com>
>> *Sent:* Monday, March 30, 2020 9:58:12 PM
>> *To:* UC Penguin <gentoo at ucpenguin.com>
>> *Cc:* cisco-voip voyp list <cisco-voip at puck.nether.net>; Jonatan Quezada
>> <jonatan.quezada at chemeketa.edu>; Adrian Arevalo-Orozco <
>> adrian.arevalo.orozco at chemeketa.edu>
>> *Subject:* Re: [cisco-voip] [EXTERNAL] Cost-Effective Public Certificate
>> Authority for CUCM certificates
>>
>> It's a good thing you don't have to prove ownership for collab certs
>> then. I have not bought through namecheap myself, but I have witnessed the
>> mistake someone has made trying to get domain validated, or EV certs for
>> their collab gear when it's not needed, and yeah, it seemed like a hassle
>> and it took a few days or more.
>>
>> On Mon, Mar 30, 2020 at 4:40 PM UC Penguin <gentoo at ucpenguin.com> wrote:
>>
>> Namecheap cert process is a PITA. Haven’t used them for UC servers but
>> helped a friend with their website after they already bought them from NC.
>>
>> You can only have it verify ownership with certain predefined by them
>> emails at your domain, or dns/web.
>>
>> Namecheap is a good domain registrar but I’d personally steer clear of
>> their other services.
>>
>> On Mar 30, 2020, at 14:57, Brian Meade <bmeade90 at vt.edu> wrote:
>>
>>
>> Namecheap seems to be the cheapest option I've found from some quick
>> looking. They seem to resell Comodo certificates but cheaper than Comodo
>> offers them.
>>
>> On Mon, Mar 30, 2020 at 2:45 PM Jonatan Quezada <
>> jonatan.quezada at chemeketa.edu> wrote:
>>
>> I'm totally looking to update all of mine. I think we use DigiCert;
>> please let us know what you find out :)
>> Cheers!
>>
>> On Mon, Mar 30, 2020 at 11:43 AM Brian Meade <bmeade90 at vt.edu> wrote:
>>
>> Does anyone know of any public certificate authorities that have cheaper
>> multi-server SAN certificate options? I had seen some in the past that let
>> you buy a wildcard and then can submit CSRs against that still but having
>> trouble finding that now.
>>
>> Trying to avoid buying 4 multi-server certificates to cover CUCM
>> Tomcat/Unity Connection Tomcat/UCCX Tomcat/IM&P XMPP.
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>
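
The port-80 validation discussed at the top of this thread is the ACME http-01 challenge; the ACME protocol (RFC 8555) also defines a dns-01 challenge that is answered in public DNS instead. The sketch below is an added example, not part of the original thread and not Cisco or Let's Encrypt code, and shows what each challenge publishes and whether the CA has to connect to the server. The hostname, token and account key are constructed sample values, and nothing here implies that CUCM, CUC or IM&P implement ACME.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an RSA account key: required members only,
    sorted by name, no whitespace, SHA-256, base64url."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def challenge_plan(hostname: str, token: str, jwk: dict) -> dict:
    """What must be published, and where, for each challenge type."""
    key_auth = f"{token}.{jwk_thumbprint(jwk)}"
    return {
        "http-01": {
            "publish_at": f"http://{hostname}/.well-known/acme-challenge/{token}",
            "body": key_auth,
            "ca_connects_to_host": True,   # inbound TCP/80 from the internet
        },
        "dns-01": {
            "publish_at": f"_acme-challenge.{hostname}",
            "txt_value": b64url(hashlib.sha256(key_auth.encode("ascii")).digest()),
            "ca_connects_to_host": False,  # the CA only queries public DNS
        },
    }


# Constructed sample inputs (not a real account key or CA-issued token).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXM", "alg": "RS256"}
SAMPLE_TOKEN = "constructed-token-0001"
SAMPLE_HOST = "cucm-pub.example.com"  # hypothetical internal server name

if __name__ == "__main__":
    for kind, plan in challenge_plan(SAMPLE_HOST, SAMPLE_TOKEN, SAMPLE_JWK).items():
        print(kind, plan)
```

With dns-01 the server being certified never takes an inbound connection from the CA, but whatever automates it holds write access to the public DNS zone, so that credential should be scoped to the _acme-challenge records only.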