[cisco-voip] Renewing Expressway E Cert

Lelio Fulgenzi lelio at uoguelph.ca
Sat Apr 18 00:13:41 EDT 2020 

The one year cert  ones into play later this year and only for certs issues after a certain date, October I think.

I’d go with two year certs if I was doing now. Which we will be soon.

Heck, I’d be renewing certs before their expiry date as much as possible to buy another year.

I’m hoping a SP for v11.5 comes out that supports let’s encrypt. But I doubt it.

Sent from my iPhone

On Apr 17, 2020, at 7:04 PM, Charles Goldsmith <w at woka.us> wrote:


Very true on the service interruption, but how about jabber, new certs on it require the XMPP services to restart.  And true, a satellite server could alleviate it all, but you are talking major changes for the CUCM team, and then the CUC team, etc.

I'd love for it to happen, but we have some hurdles, and I'm sure this has been discussed amongst the developers and the BUs.

With Apple changing and advising certs for 1 year, I had a bigger customer just tell me that they are adopting 1 year certs as the standard.  I'm about to renew their entire cluster of 18 nodes (across all of the apps) for their certs, and they will be 1 year certs.

For a 24/7 operation, that's a pain, but, more work for us I guess.


On Fri, Apr 17, 2020 at 5:36 PM Anthony Holloway <avholloway+cisco-voip at gmail.com<mailto:avholloway%2Bcisco-voip at gmail.com>> wrote:
You Charles, with smart licensing being a catalyst for internet access for your apps, and the way the port 80 thing for ACME actually works, it's certainly possible, and I could see it gaining adoption with SMB....maybe not the fortune 500 though.  But then again, they can just spend the money on public certs.

And also, you mentioned the challenge of updating certs every 90 days and the service restarts, however, with the way Expressway implemented it, the renewals are automatic and there is no service interruption at all.

On Fri, Apr 17, 2020 at 4:50 PM Charles Goldsmith <w at woka.us<mailto:w at woka.us>> wrote:
Early on with MRA, back in the CUCM 9.1 days, a mobile user coming in across MRA got cert alerts if you didn't have signed certs on all of the applications (CUCM, IM&P, Unity Connection).  There was/is no easy way to push an internal CA cert to those devices.

That's the whole reason we push for 3rd party everywhere, so that the C level folks on their smart phones didn't get an alert.

I'd really like to see let's encrypt enabled on all of the apps, but that is challenging, updating certs every 90 days, restarting services, etc.  Plus, the whole thing of the Acme process needing to be available into the application to validate.

On Fri, Apr 17, 2020 at 4:27 PM Anthony Holloway <avholloway+cisco-voip at gmail.com<mailto:avholloway%2Bcisco-voip at gmail.com>> wrote:
Well, that depends.  And let me just ask, why did they do it this way?  If it was even a self-signed cert, we could atleast import it to E, but it's not even that. It's some invalid bogus cert in there.  Why?

I have seen the following:

1. publicly sign it (name cheap has dirt cheap certs)
2. get a private ca installed because just like you need a network, a server, licensing, phones, an internet connection, etc.  it's apart of the solution
3. sign it yourself with any ca you want to include the one running on your home computer, and just don't tell anyone what you did because you setup it for
 34 years and it wont matter by then anyway (ok, just kidding here...or am I?)

On Fri, Apr 17, 2020 at 3:55 PM Bill Talley <btalley at gmail.com<mailto:btalley at gmail.com>> wrote:
Great info Anthony, thanks.

Question, what do you do for Expressway Core if you don’t have an internal CA to sign the EXPC (meaning no internal root cert to upload to EXPE to establish the traversal zone trust)?

Sent from an iPhone mobile device with very tiny touchscreen input keys.  Please excude my typtos.

On Apr 17, 2020, at 3:25 PM, Anthony Holloway <avholloway+cisco-voip at gmail.com<mailto:avholloway%2Bcisco-voip at gmail.com>> wrote:


This might be an unpopular opinion, but I think using the free certs provided by let's encrypt, coupled with it being automatic from now on, it's just an unbeatable combination.

Here are my cliff notes:

Reference Document:
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/exwy_b_certificate-creation-use-deployment-guide/exwy_b_certificate-creation-use-deployment-guide_chapter_0100.html

High Level Steps:

  1.  Expressway 12.5.7 to avoid ACMEv1 vs ACMEv2 registration issues (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr82346)
  2.  For your Unified CM registrations domains don’t use parent domain only (E.g., company.com<http://company.com>), switch to CollabEdgeDNS format instead (E.g., collab-edge.company.com<http://collab-edge.company.com>), because you’ll need that in the next step
  3.  DNS A records for the Expressway-E FQDN and the CM registration domains
  4.  Upload the root and intermediates for Let’s Encrypt (needed on both Expressway-E and Expressway-C) (certs are linked in documentation)
  5.  Enable the ACME client on Expressway-E and supply any email address you want to link to this registration (This creates your account with Let’s Encrypt)
  6.  Generate a new CSR (Server Certificate Only, Domain Cert Was Not Needed)
  7.  Click button to Submit CSR to ACME
  8.  Click button to Deploy New Certificate on Expressway-E (documentation states this is non-service impacting)
  9.  Setup the automatic scheduler so you never have to deal with this again
  10. Sit back, relax and enjoy free shit



On Fri, Apr 17, 2020 at 1:43 PM Riley, Sean <SRiley at robinsonbradshaw.com<mailto:SRiley at robinsonbradshaw.com>> wrote:
We had our Cisco partner setup our Expressways a couple of years ago.  It is a cluster with 2 E’s and 2 C’s currently at v 12.5.7 using for MRA.  I have been managing them, installing updates, troubleshooting etc.  The public Edge cert is up for renewal.  Can anyone provide advice on renewing this cert?  I am planning on just renewing with the same cert provider, but was interested in if there is anything to watch out for.  Example, will there be a service interruption when replacing the cert?  Or just install the new cert/pk and rest easy?

Thanks in advance.

Sean.
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20200418/0c13aefc/attachment.htm>

More information about the cisco-voip mailing list