[cisco-voip] [EXTERNAL] Re: Cost-Effective Public Certificate Authority for CUCM certificates

Brian Meade bmeade90 at vt.edu
Mon Feb 21 16:09:12 EST 2022


We've been flipping a lot of customers over to NameCheap now.  $50/year for
multi-SAN DV certificates is pretty hard to beat.  For
CUCM/Unity/IM&P/UCCX/Expressway, ends up more like $250-$300/year.

They seem to issue certs pretty immediately since it's just Domain
Verification using email.

On Fri, Feb 18, 2022 at 1:17 PM Nick Russo via cisco-voip <
cisco-voip at puck.nether.net> wrote:

> Unfortunately, Cisco doesn't allow for * certs with the UC platform.  If
> this is for Jabber MRA, they recently added support for ACME certificates,
> but I haven't used that.  The cheapest CA signed certs I've been able to
> find is ssls.com and the full set of certs for a typical cluster is going
> to set you back about $900 a year.  They have a couple of Collaboration
> packages that you can use for the multiple domains.  Also, they work well
> enough, but the support for ssls.com is pretty weak, so plan on at least
> a week to get your certs ordered, approved, and installed.
>
> On Friday, February 18, 2022, 09:39:50 AM PST, Lelio Fulgenzi <
> lelio at uoguelph.ca> wrote:
>
>
> We use Entrust. But I think we had some sort of "Contract" that allowed
> for a specific number of certs to be issued, all on the credit system.
> Regardless of SANs.
>
> But, you're right. Cisco collab is an expensive solution to provide certs
> for.
>
> I'm really hoping that https://www.incommon.org/certificates/subscribe/ opens
> up to EDUs outside of the U.S. some time (soon).
>
> -----Original Message-----
> From: cisco-voip <cisco-voip-bounces at puck.nether.net> On Behalf Of James
> Andrewartha
> Sent: Friday, February 18, 2022 4:28 AM
> To: cisco-voip at puck.nether.net
> Subject: Re: [cisco-voip] [EXTERNAL] Re: Cost-Effective Public Certificate
> Authority for CUCM certificates
>
>
> Digicert have killed the fact you could issue a cert for
> host.sub.example.com on your *.example.com wildcard, instead they want to
> charge you extra for those hosts so now I'm shopping around. The good news
> is there's now other places that will do wildcards with unlimited reissues
> (which most call "unlimited server licenses").
>
> I tried Comodo/Sectigo Positive Multi Domain Wildcard SSL which can even
> have multiple wildcards on the one certificate, but it only accepts CSRs
> for *.example.com, which UCM/UC/IM&P won't generate. But perhaps that's a
> limitation of the reseller I used. They also have the Comodo/Sectigo Multi
> Domain SSL Certificate (FLEX) which lets you have host SANs, but will
> charge you for each one.
>
> Anyone had success with any other CAs recently?
>
> --
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
>
> On 31/3/20 04:49, Brian Meade wrote:
> > In this case, we're doing public certificates internally as well for
> > CUCM Tomcat, Unity Connection Tomcat, UCCX Tomcat, and IM&P CUP-XMPP.
> >
> > Adding the multiple presence domains is pretty easy on the IM&P side
> > and it will automatically add SANs for those domains in the CSR.
> >
> > Expressway-E will also automatically add all domains to the CSR.
> >
> > On Mon, Mar 30, 2020 at 4:07 PM Jonatan Quezada
> > <jonatan.quezada at chemeketa.edu> wrote:
> >
> >    Brian, how challenging was it to do the Jabber on all three domains?
> >
> >    Where do you need the multiDomain cert, on the VCS-edge connector,
> >    right? I'm looking to see what it would take to get this going for
> >    our remote workers even though it seems like there are few things
> >    to make sure are in place first.
> >
> >    for so far it's the:
> >
> >    certs for dual domain - how
> >    provision Jabber users
> >
> >
> >    On Mon, Mar 30, 2020 at 12:28 PM Brian Meade <bmeade90 at vt.edu>
> >    wrote:
> >
> >        I was originally going to go with that wildcard option but this
> >        customer has 3 different presence domains to match their email
> >        domains which makes the CUP-XMPP cert more complicated.
> >
> >        This is my personal email so no access to InCommon certificates
> >        unfortunately.
> >
> >        On Mon, Mar 30, 2020 at 2:59 PM Matthew Ballard
> >        <mballard at otis.edu> wrote:
> >
> >            We used to use DigiCert Wildcard which offers that (where
> >            you can issue multiple certificates with different private
> >            keys from the same wildcard cert/purchase).
> >
> >            We switched to using InCommon certificates, which it looks
> >            like your University also subscribes to.  You should be able
> >            to get them internally from whomever licensed that there, as
> >            it's a flat fee service for unlimited certificates.
> >
> >            Matthew Ballard
> >            Director of Technology Infrastructure
> >            Information Systems
> >            Otis College of Art and Design
> >            mballard at otis.edu
> >
> >            *From:* cisco-voip <cisco-voip-bounces at puck.nether.net>
> >            *On Behalf Of* Brian Meade
> >            *Sent:* Monday, March 30, 2020 11:42 AM
> >            *To:* cisco-voip voyp list <cisco-voip at puck.nether.net>
> >            *Subject:* [cisco-voip] Cost-Effective Public Certificate
> >            Authority for CUCM certificates
> >
> >            Does anyone know of any public certificate authorities that
> >            have cheaper multi-server SAN certificate options?  I had
> >            seen some in the past that let you buy a wildcard and then
> >            can submit CSRs against that still but having trouble
> >            finding that now.
> >
> >            Trying to avoid buying 4 multi-server certificates to cover
> >            CUCM Tomcat/Unity Connection Tomcat/UCCX Tomcat/IM&P
> >            XMPP.
> >
> >        _______________________________________________
> >        cisco-voip mailing list
> >        cisco-voip at puck.nether.net <mailto:cisco-voip at puck.nether.net>
> >        https://puck.nether.net/mailman/listinfo/cisco-voip
> >        <https://puck.nether.net/mailman/listinfo/cisco-voip>
> >
> >
> >
> >    --
> >    During this time of remote work, There will be the need for
> >    connectivity to other devices such as a cell phone. If you require
> >    assistance forwarding your desk phone to a remote cell or message
> >    phone, please email with desk number and where we are forwarding
> >    calls. I can do these remotely.
> >
> >    Johnny Q
> >    Voice Technology Analyst II
> >    Chemeketa Community College
> >    Johnny.Q at chemeketa.edu <mailto:Johnny.Q at chemeketa.edu>
> >    Building 22 Room 130
> >    Work 5033995294
> >    Cell 5035769873
> >    FAX 5033995549
>