[cisco-voip] Renewing Expressway E Cert
Anthony Holloway
avholloway+cisco-voip at gmail.com
Fri Apr 17 16:23:16 EDT 2020
This might be an unpopular opinion, but I think using the free certs
provided by Let's Encrypt, coupled with it being automatic from now on,
is just an unbeatable combination.
Here are my cliff notes:
Reference Document:
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/exwy_b_certificate-creation-use-deployment-guide/exwy_b_certificate-creation-use-deployment-guide_chapter_0100.html
High Level Steps:
1. Expressway 12.5.7 to avoid ACMEv1 vs ACMEv2 registration issues
   (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr82346)
2. For your Unified CM registration domains don’t use parent domain
   only (e.g., company.com), switch to CollabEdgeDNS format instead (e.g.,
   collab-edge.company.com), because you’ll need that in the next step
3. DNS A records for the Expressway-E FQDN and the CM registration
   domains
4. Upload the root and intermediates for Let’s Encrypt (needed on both
   Expressway-E and Expressway-C) (certs are linked in documentation)
5. Enable the ACME client on Expressway-E and supply any email address
   you want to link to this registration (This creates your account with
   Let’s Encrypt)
6. Generate a new CSR (Server Certificate Only, Domain Cert Was Not
   Needed)
7. Click button to Submit CSR to ACME
8. Click button to Deploy New Certificate on Expressway-E (documentation
   states this is non-service impacting)
9. Set up the automatic scheduler so you never have to deal with this
   again
10. Sit back, relax and enjoy free shit
On Fri, Apr 17, 2020 at 1:43 PM Riley, Sean <SRiley at robinsonbradshaw.com>
wrote:
> We had our Cisco partner set up our Expressways a couple of years ago. It
> is a cluster with 2 E’s and 2 C’s currently at v 12.5.7 using for MRA. I
> have been managing them, installing updates, troubleshooting etc. The
> public Edge cert is up for renewal. Can anyone provide advice on renewing
> this cert? I am planning on just renewing with the same cert provider, but
> was interested in if there is anything to watch out for. Example, will
> there be a service interruption when replacing the cert? Or just install
> the new cert/pk and rest easy?
>
>
>
> Thanks in advance.
>
>
>
> Sean.
>
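A pre-flight check for steps 2 and 3 of the list above, added here as an example and not part of the original post or of Cisco's tooling: it builds the certificate name list in collab-edge form and reports which names have no usable A record before the CSR is submitted. The host names, addresses, function names and the assumption that every name should resolve to the Expressway-E public address are constructed for illustration.

```python
import socket

COLLAB_EDGE = "collab-edge."  # CollabEdgeDNS prefix from step 2


def plan_cert_names(expe_fqdn, cm_domains):
    """Expressway-E FQDN plus each CM registration domain in collab-edge form."""
    names = [expe_fqdn.lower().rstrip(".")]
    for dom in cm_domains:
        dom = dom.lower().rstrip(".")
        if not dom.startswith(COLLAB_EDGE):
            dom = COLLAB_EDGE + dom  # bare parent domain, e.g. company.com
        if dom not in names:
            names.append(dom)
    return names


def resolve_a(name):
    """Return the set of IPv4 addresses for name (empty set if none)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def preflight(expe_fqdn, cm_domains, expected_ip, resolver=resolve_a):
    """Map each planned name to 'ok', 'missing A record' or 'wrong address'."""
    report = {}
    for name in plan_cert_names(expe_fqdn, cm_domains):
        addrs = resolver(name)
        if not addrs:
            report[name] = "missing A record"
        elif expected_ip not in addrs:  # assumption: names point at Expressway-E
            report[name] = "wrong address: " + ", ".join(sorted(addrs))
        else:
            report[name] = "ok"
    return report


# Constructed sample zone (documentation address ranges), used instead of live DNS.
SAMPLE_ZONE = {
    "expe.example.com": {"203.0.113.10"},
    "collab-edge.example.com": {"203.0.113.10"},
    "collab-edge.example.org": {"198.51.100.7"},
}

if __name__ == "__main__":
    domains = ["example.com", "collab-edge.example.org", "example.net"]
    lookup = lambda n: SAMPLE_ZONE.get(n, set())
    for name, status in preflight("expe.example.com", domains, "203.0.113.10", lookup).items():
        print(f"{name:32} {status}")
```

Omit the `resolver` argument to query live DNS from the machine the script runs on.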