[cisco-voip] [External] Re: certificate renewals - 1 year only - due to Apple changes

Anthony Holloway avholloway+cisco-voip at gmail.com
Sun Mar 8 13:36:43 EDT 2020


Not that I have seen, but you could just pre-API the shit out of it with
Python + Paramiko because the CLI has all the cert functions built-in.

On Wed, Mar 4, 2020 at 12:58 PM Hunter Fuller <hf0002 at uah.edu> wrote:

> Is it possible to install a cert via API? If that works, we can do this
> from an admin machine, whether or not the Cisco service (for instance CUCM)
> supports it.
>
> --
> Hunter Fuller
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
>
>
> On Wed, Mar 4, 2020 at 12:46 PM Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
>
>> Unfortunately, I can’t justify a telephone system upgrade for the sake of
>> auto-renewal of certificates. ☹
>>
>>
>>
>> CUCM v11.5 has yet to be announced EOL. (Please Please Please don’t
>> happen tomorrow).
>>
>>
>>
>> This means we’ve got at least 5 more years to plan accordingly.
>>
>>
>>
>> Will they issue an SU to support Let’s Encrypt? Let’s hope so!
>>
>>
>>
>>
>>
>> *From:* Norton, Mike <mikenorton at pwsd76.ab.ca>
>> *Sent:* Wednesday, March 4, 2020 1:38 PM
>> *To:* Lelio Fulgenzi <lelio at uoguelph.ca>; voyp list, cisco-voip (
>> cisco-voip at puck.nether.net) <cisco-voip at puck.nether.net>
>> *Subject:* RE: certificate renewals - 1 year only - due to Apple changes
>>
>>
>>
>> If two years from now, a product that needs public certificates still
>> doesn’t support automated renewals, then it’s a terrible product you should
>> have migrated away from two years earlier. The writing has been on the wall
>> for a long time. But even for developers who’ve had their heads in sand,
>> two years is still plenty of time for them to get a clue. ;-)
>>
>> -mn
>>
>>
>>
>> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> *On Behalf Of *Lelio
>> Fulgenzi
>> *Sent:* March 4, 2020 10:52 AM
>> *To:* voyp list, cisco-voip (cisco-voip at puck.nether.net) <
>> cisco-voip at puck.nether.net>
>> *Subject:* [cisco-voip] certificate renewals - 1 year only - due to
>> Apple changes
>>
>>
>>
>>
>>
>> So, we’ve gotten word that Apple is thinking of “accepting/trusting” only
>> certs that are 13 months old or less.
>>
>>
>>
>> https://www.theregister.co.uk/2020/02/20/apple_shorter_cert_lifetime/
>>
>>
>>
>> This is a bit of a drag on Jabber deployments due to so many certs being
>> needed.
>>
>>
>>
>> From what I’ve seen, only Expressway supports auto-renew like Let’s
>> Encrypt.
>>
>>
>>
>> From the article, it seems:
>>
>>
>>
>> "Certificates issued prior to September 1 will have the same acceptable
>> duration as certificates do today, which is 825 days. No action is required
>> for these certificates."
>>
>>
>>
>> I’m guessing if it says Safari, it’s any cert used by an Apple device,
>> since the Safari engine is used throughout, right?
>>
>>
>>
>> We’re planning on renewing soon, so we should be good to go with 2 years.
>>
>>
>>
>> But the future?
>>
>>
>>
>> What are others planning on doing?
>>
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>
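
An added example, not part of the original thread or of any Cisco tooling: a Python check that applies the lifetime rule quoted from the article to a certificate inventory. The 825-day figure comes from the thread; the 2020 cutoff year and the 398-day limit are assumptions taken from Apple's published announcement, and the host names and dates are constructed.

```python
"""Added example (not from the thread): flag certificates that exceed the
maximum validity Apple clients accept, using notBefore/notAfter strings in the
format returned by ssl.SSLSocket.getpeercert()."""
import ssl
from datetime import datetime, timezone

# 825 days is the figure quoted in the thread. The cutoff year (2020) and the
# 398-day limit are assumptions taken from Apple's announcement, not the thread.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
OLD_MAX_DAYS = 825
NEW_MAX_DAYS = 398

def _parse(ts):
    """Convert 'Mar  4 00:00:00 2020 GMT' to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(ts), tz=timezone.utc)

def check_cert(name, not_before, not_after, now):
    """Return a dict describing whether the cert fits the lifetime policy."""
    start, end = _parse(not_before), _parse(not_after)
    if end <= start:
        raise ValueError(f"{name}: notAfter is not later than notBefore")
    limit = NEW_MAX_DAYS if start >= CUTOFF else OLD_MAX_DAYS
    lifetime = (end - start).total_seconds() / 86400
    return {
        "name": name,
        "lifetime_days": round(lifetime, 1),
        "limit_days": limit,
        "accepted": lifetime <= limit,
        "days_left": (end - now).days,
    }

def audit(inventory, now, renew_within_days=30):
    """Split an inventory into certs that break the policy and certs due for renewal."""
    too_long, renew_soon = [], []
    for name, nb, na in inventory:
        result = check_cert(name, nb, na, now)
        if not result["accepted"]:
            too_long.append(name)
        elif result["days_left"] <= renew_within_days:
            renew_soon.append(name)
    return too_long, renew_soon

# Constructed sample inventory (hypothetical host names and dates).
SAMPLE = [
    ("cucm-pub tomcat", "Mar 15 00:00:00 2020 GMT", "Mar 15 00:00:00 2022 GMT"),
    ("imp-pub xmpp", "Oct  1 00:00:00 2020 GMT", "Oct  1 00:00:00 2022 GMT"),
    ("expressway-e", "Oct  1 00:00:00 2020 GMT", "Oct 31 00:00:00 2021 GMT"),
]
```

The same two date strings can be read from a live service with `ssl.SSLSocket.getpeercert()` and passed to `check_cert` unchanged.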