[cisco-voip] [EXTERNAL] Cost-Effective Public Certificate Authority for CUCM certificates

Lelio Fulgenzi lelio at uoguelph.ca
Sun Apr 5 13:14:41 EDT 2020


Sure, two-year certs are available. But browsers are making the move to not trust anything greater than 13 months if issued after a certain date. That's the thing that has put much of the system admin world up in arms.

https://www.theregister.co.uk/2020/02/20/apple_shorter_cert_lifetime/

Sent from my iPhone

On Apr 5, 2020, at 12:44 PM, Charles Goldsmith <w at woka.us> wrote:

Last I looked, SSL certs can be had for 2 years, so agreed, not as good as 3, but still.

I'm a big fan of Let's Encrypt, but putting that on the inside of your network will be challenging, since that whole process has to be accessed from the internet for it to work.  I do hope they solve it for CUCM, CUC and IM&P, but I don't see it happening anytime soon.

When you setup LE on the Expressway Edge, it has to be accessed by port 80 for them to validate it, no security engineer is going to let you do that to CUCM, unless they work up a method to do some other validation.

On Sun, Apr 5, 2020 at 11:28 AM Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
Yeah. Considering how much effort we put on security, telling people to ignore cert warnings is probably not the best. It does take a bit more work. And it was ok with three year certs. Annual certs are going to make things a bit worse.

Pushing self signed certs (or roots?) to devices will be an issue. And outside the scope of telephony. There are tools that can help. I believe JoinNow tool is one example. We use that and I believe my colleague got that working in a test environment.

I’m hoping they have an SU that introduces let’s encrypt for v11.5. 🤞🤞

Sent from my iPhone

On Apr 5, 2020, at 12:00 PM, Anthony Holloway <avholloway+cisco-voip at gmail.com> wrote:

Not to answer for Brian, but with the introduction of MRA, employees can run Jabber on any device they want.  This makes putting private ca signed certs on those devices impossible or at least a giant headache.

On Sat, Apr 4, 2020 at 7:30 AM Mark H. Turpin <mturpin at covene.com> wrote:
I’m using namecheap and have for years. Cheap certs from Comodo and they work fine. You can do email, web, and DNS validation - https://www.namecheap.com/support/knowledgebase/article.aspx/9637/68/how-can-i-complete-the-domain-control-validation-dcv-for-my-ssl-certificate

Sorry, I missed the part on why you’re not using an internal CA for your internal servers though?

--
-Mark
________________________________
From: cisco-voip <cisco-voip-bounces at puck.nether.net> on behalf of Anthony Holloway <avholloway+cisco-voip at gmail.com>
Sent: Monday, March 30, 2020 9:58:12 PM
To: UC Penguin <gentoo at ucpenguin.com>
Cc: cisco-voip voyp list <cisco-voip at puck.nether.net>; Jonatan Quezada <jonatan.quezada at chemeketa.edu>; Adrian Arevalo-Orozco <adrian.arevalo.orozco at chemeketa.edu>
Subject: Re: [cisco-voip] [EXTERNAL] Cost-Effective Public Certificate Authority for CUCM certificates


It's a good thing you don't have to prove ownership for collab certs then.  I have not bought through namecheap myself, but I have witnessed the mistake someone has made trying to get domain validated, or EV certs for their collab gear when it's not needed, and yeah, it seemed like a hassle and it took a few days or more.

On Mon, Mar 30, 2020 at 4:40 PM UC Penguin <gentoo at ucpenguin.com> wrote:
Namecheap's cert process is a PITA. Haven't used them for UC servers but helped a friend with their website after they had already bought them from NC.

You can only have it verify ownership with certain emails at your domain predefined by them, or DNS/web.

Namecheap is a good domain registrar but I’d personally steer clear of their other services.

On Mar 30, 2020, at 14:57, Brian Meade <bmeade90 at vt.edu> wrote:


Namecheap seems to be the cheapest option I've found from some quick looking.  They seem to resell Comodo certificates but cheaper than Comodo offers them.

On Mon, Mar 30, 2020 at 2:45 PM Jonatan Quezada <jonatan.quezada at chemeketa.edu> wrote:
I'm totally looking to update all of mine; I think we use DigiCert. Please let us know what you find out :)
Cheers!

On Mon, Mar 30, 2020 at 11:43 AM Brian Meade <bmeade90 at vt.edu> wrote:
Does anyone know of any public certificate authorities that have cheaper multi-server SAN certificate options?  I had seen some in the past that let you buy a wildcard and then still submit CSRs against it, but I'm having trouble finding that now.

Trying to avoid buying 4 multi-server certificates to cover CUCM Tomcat/Unity Connection Tomcat/UCCX Tomcat/IM&P XMPP.
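Two checks a UC admin would want to script before buying, given the 13-month browser lifetime limit raised earlier in the thread and the multi-server SAN question just above. This is an added example, not code from the list or from Cisco; the certificate and host list are constructed samples, the 398-day figure is the published browser policy value for certificates issued on or after 1 September 2020, and the input shape is what Python's `ssl.getpeercert()` returns.

```python
import ssl
from datetime import datetime, timezone

# Policy values (published browser policy, not from the thread): leaf certs
# issued on/after 2020-09-01 are distrusted if valid for more than 398 days,
# which is the "13 months" the message refers to.
MAX_LIFETIME_DAYS = 398
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)

# Constructed sample in the dict shape ssl.getpeercert() produces.
SAMPLE_CERT = {
    "subject": ((("commonName", "cucm-pub.example.edu"),),),
    "subjectAltName": (("DNS", "cucm-pub.example.edu"), ("DNS", "cucm-sub.example.edu"),
                       ("DNS", "cuc.example.edu"), ("DNS", "*.example.edu")),
    "notBefore": "Oct  1 00:00:00 2020 GMT",
    "notAfter": "Oct  1 00:00:00 2022 GMT",
}
# Constructed list of the four Tomcat/XMPP hostnames one multi-SAN cert should cover.
REQUIRED_HOSTS = ["cucm-pub.example.edu", "cuc.example.edu",
                  "imp.example.edu", "uccx.voice.example.edu"]

def _parse(cert_time: str) -> datetime:
    # getpeercert() renders dates like 'Apr  5 13:14:41 2020 GMT'
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def lifetime_check(cert: dict) -> dict:
    """Report the validity period and whether the browser lifetime rule rejects it."""
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    days = (not_after - not_before).days
    too_long = not_before >= POLICY_START and days > MAX_LIFETIME_DAYS
    return {"lifetime_days": days, "browser_rejects": too_long}

def _san_matches(san: str, host: str) -> bool:
    # A wildcard covers exactly one DNS label, which is how browsers apply it,
    # so *.example.edu does not cover uccx.voice.example.edu.
    if san.startswith("*."):
        return host.count(".") == san.count(".") and host.lower().endswith(san[1:].lower())
    return san.lower() == host.lower()

def san_coverage(cert: dict, required_hosts: list) -> list:
    """Return the required hostnames that no DNS SAN in the cert covers."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [h for h in required_hosts if not any(_san_matches(s, h) for s in sans)]

if __name__ == "__main__":
    print(lifetime_check(SAMPLE_CERT))
    print("uncovered:", san_coverage(SAMPLE_CERT, REQUIRED_HOSTS))
```

Swap `SAMPLE_CERT` for `ssl.create_default_context().wrap_socket(...).getpeercert()` output from a live server to run the same checks against a deployed Tomcat cert.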
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


--
During this time of remote work, there will be a need for connectivity to other devices such as a cell phone. If you require assistance forwarding your desk phone to a remote cell or message phone, please email with your desk number and where we are forwarding calls. I can do these remotely.

Johnny Q
Voice Technology Analyst II
Chemeketa Community College
Johnny.Q at chemeketa.edu
Building 22 Room 130
Work 5033995294
Cell 5035769873
FAX 5033995549
