[cisco-voip] [External] Re: [EXTERNAL] Cost-Effective Public Certificate Authority for CUCM certificates

Hunter Fuller hf0002 at uah.edu
Sun Apr 5 13:23:09 EDT 2020


A couple of things:

- Let’s Encrypt doesn’t require accessing the server from the Internet. (It
supports a DNS based validation, too.)
- As far as having port 80 exposed to CUCM - seems pretty safe. It doesn’t
do anything but serve HTTPS redirects anyway.

On Sun, Apr 5, 2020 at 11:45 Charles Goldsmith <w at woka.us> wrote:

> Last I looked, SSL certs can be had for 2 years, so agreed, not as good as
> 3, but still.
>
> I'm a big fan of Let's Encrypt, but putting that on the inside of your
> network will be challenging, since that whole process has to be accessed
> from the internet for it to work.  I do hope they solve it for CUCM, CUC
> and IM&P, but I don't see it happening anytime soon.
>
> When you set up LE on the Expressway Edge, it has to be accessed by port 80
> for them to validate it; no security engineer is going to let you do that
> to CUCM, unless they work up a method to do some other validation.
>
> On Sun, Apr 5, 2020 at 11:28 AM Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
>
>> Yeah. Considering how much effort we put on security, telling people to
>> ignore cert warnings is probably not the best. It does take a bit more
>> work. And it was ok with three year certs. Annual certs are going to make
>> things a bit worse.
>>
>> Pushing self-signed certs (or roots?) to devices will be an issue. And
>> outside the scope of telephony. There are tools that can help. I believe
>> JoinNow tool is one example. We use that and I believe my colleague got
>> that working in a test environment.
>>
>> I’m hoping they have an SU that introduces Let’s Encrypt for v11.5. 🤞🤞
>>
>> Sent from my iPhone
>>
>> On Apr 5, 2020, at 12:00 PM, Anthony Holloway <
>> avholloway+cisco-voip at gmail.com> wrote:
>>
>> Not to answer for Brian, but with the introduction of MRA, employees can
>> run Jabber on any device they want. This makes putting private CA-signed
>> certs on those devices impossible or at least a giant headache.
>>
>> On Sat, Apr 4, 2020 at 7:30 AM Mark H. Turpin <mturpin at covene.com> wrote:
>>
>>> I’m using namecheap and have for years. Cheap certs from Comodo and they
>>> work fine. You can do email, web, and DNS validation -
>>> https://www.namecheap.com/support/knowledgebase/article.aspx/9637/68/how-can-i-complete-the-domain-control-validation-dcv-for-my-ssl-certificate
>>>
>>> Sorry, I missed the part on why you’re not using an internal CA for your
>>> internal servers though?
>>>
>>> --
>>> -Mark
>>> ------------------------------
>>> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> on behalf of
>>> Anthony Holloway <avholloway+cisco-voip at gmail.com>
>>> *Sent:* Monday, March 30, 2020 9:58:12 PM
>>> *To:* UC Penguin <gentoo at ucpenguin.com>
>>> *Cc:* cisco-voip voyp list <cisco-voip at puck.nether.net>; Jonatan
>>> Quezada <jonatan.quezada at chemeketa.edu>; Adrian Arevalo-Orozco <
>>> adrian.arevalo.orozco at chemeketa.edu>
>>> *Subject:* Re: [cisco-voip] [EXTERNAL] Cost-Effective Public
>>> Certificate Authority for CUCM certificates
>>>
>>>
>>> It's a good thing you don't have to prove ownership for collab certs
>>> then.  I have not bought through namecheap myself, but I have witnessed the
>>> mistake someone has made trying to get domain validated, or EV certs for
>>> their collab gear when it's not needed, and yeah, it seemed like a hassle
>>> and it took a few days or more.
>>>
>>> On Mon, Mar 30, 2020 at 4:40 PM UC Penguin <gentoo at ucpenguin.com> wrote:
>>>
>>> Namecheap cert process is a PITA. Haven’t used them for UC servers but
>>> helped a friend with their website after they already bought them from NC.
>>>
>>> You can only have it verify ownership with certain email addresses at your
>>> domain that they predefine, or via DNS/web.
>>>
>>> Namecheap is a good domain registrar but I’d personally steer clear of
>>> their other services.
>>>
>>> On Mar 30, 2020, at 14:57, Brian Meade <bmeade90 at vt.edu> wrote:
>>>
>>> Namecheap seems to be the cheapest option I've found from some quick
>>> looking.  They seem to resell Comodo certificates but cheaper than Comodo
>>> offers them.
>>>
>>> On Mon, Mar 30, 2020 at 2:45 PM Jonatan Quezada <
>>> jonatan.quezada at chemeketa.edu> wrote:
>>>
>>> I'm totally looking to update all of mine. I think we use DigiCert;
>>> please let us know what you find out :)
>>> Cheers!
>>>
>>> On Mon, Mar 30, 2020 at 11:43 AM Brian Meade <bmeade90 at vt.edu> wrote:
>>>
>>> Does anyone know of any public certificate authorities that have cheaper
>>> multi-server SAN certificate options?  I had seen some in the past that let
>>> you buy a wildcard and then can submit CSRs against that still but having
>>> trouble finding that now.
>>>
>>> Trying to avoid buying 4 multi-server certificates to cover CUCM
>>> Tomcat/Unity Connection Tomcat/UCCX Tomcat/IM&P XMPP.
>>> _______________________________________________
>>> cisco-voip mailing list
>>> cisco-voip at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>
>>>
>>>
>>> --
>>> During this time of remote work, there will be the need for connectivity
>>> to other devices such as a cell phone. If you require assistance forwarding
>>> your desk phone to a remote cell or message phone, please email with desk
>>> number and where we are forwarding calls. I can do these remotely.
>>>
>>> Johnny Q
>>> Voice Technology Analyst II
>>> Chemeketa Community College
>>> Johnny.Q at chemeketa.edu
>>> Building 22 Room 130
>>> Work 5033995294
>>> Cell 5035769873
>>> FAX 5033995549
>>>
-- 
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering
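The DNS-based validation Hunter Fuller mentions at the top of the thread is the ACME dns-01 challenge (RFC 8555 section 8.4): the CA never connects to the server at all; it looks up a TXT record whose value is derived from the challenge token and the ACME account key. The Python below is an added example by the editor, not code from anyone in this thread or from Let's Encrypt. It uses the public RSA key from the worked example in RFC 7638 so the account-key thumbprint can be checked against the value the RFC publishes; the domain `cucm.example.edu`, the token, and the function names (`dns01_record`, `validate_dns01` and the rest) are the example's own.

```python
import base64
import hashlib
import hmac
import json
import re

# Public RSA key from RFC 7638 section 3.1 (public data only). The RFC documents
# its thumbprint as NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs.
RFC7638_EXAMPLE_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
}

# ACME tokens are base64url without padding; a client should refuse anything else
# before it ever uses the token in a DNS name or file path.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Members that RFC 7638 includes in the thumbprint, per key type.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required public members only."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    # No whitespace, members sorted lexicographically by name.
    canonical = json.dumps({k: jwk[k] for k in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' base64url(thumbprint(account key))."""
    if not _TOKEN_RE.match(token):
        raise ValueError("challenge token is not base64url without padding")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """The (owner name, TXT value) pair the client publishes for this identifier."""
    return (f"_acme-challenge.{domain}", dns01_txt_value(token, account_jwk))


def validate_dns01(token: str, account_jwk: dict, observed_txt: str) -> bool:
    """What the CA does after its DNS lookup: recompute and compare in constant time."""
    return hmac.compare_digest(dns01_txt_value(token, account_jwk), observed_txt)


if __name__ == "__main__":
    # Constructed values: an internal host name and a token shaped like those ACME issues.
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    name, txt = dns01_record("cucm.example.edu", token, RFC7638_EXAMPLE_JWK)
    print(f'{name}. IN TXT "{txt}"')
    print("CA-side check:", validate_dns01(token, RFC7638_EXAMPLE_JWK, txt))
```

The point for the CUCM discussion is what the TXT record contains: only a hash of the token and the account-key thumbprint, nothing the CA needs to fetch from the host itself, so the server can stay unreachable from the Internet. The trade-off moves elsewhere: whichever credential the ACME client uses to write `_acme-challenge` records at the DNS provider can issue certificates for those names, so it deserves the same scoping and logging you would apply to the exposed port in the http-01 model.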