<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"MS Shell Dlg 2";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:997423367;
mso-list-type:hybrid;
mso-list-template-ids:-1299279338 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2"">Traditionally, you put the public Certificate on the Expressway-E.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2"">This would traditionally contain SANs such as:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2"">DNS:Expe.domain.com<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2"">DNS:domain.com<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2"">DNS: conference-2-CUPSCluster1.domain.com<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2"">If you are doing security you would have the secure profile names in there, and I believe persistent chat has some implications too.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2"">On the expressway-C you would have certificates signed by your enterprise CA. Expressway-C and Expressway-E must be able to chain each other’s certificates so that the SIP/TLS can
be established on the Unified Communication zone – aka trust chains must loaded.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2"">Enterprise certificates are traditionally installed on your internal servers such as tomcat, etc. If using MultiSAN you must be on 10.5(2)SU2, because prior versions had a bug where
the phones would reset every 7 minutes. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2"">For your internal certificates when possible I have the following SANs inserted (depending on competency and give a crap factor of the security team:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2"">DNS:<Hostname><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2"">DNS:<FQDN><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2"">DNS:<IP-Address><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2"">IP:<IP-Address><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2"">Remember that from a certificate warning perspective, the service such as CUPS presents the client certificate and it is up to the operating system to before the validation. All
devices internally will need to trust your enterprise CA. If you have mobile devices registering internally, they will need to have the Enterprise CA installed. If you don’t have a BYOD/MDM solution, it may be easier to bite the bullet and get public certificates
for your entire UC enterprise if that is important to you.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2"">A couple of notes when generating your Certificates off your enterprise CA:<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:8.5pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2"">Make sure the certificate template you are using is set for Client AND Server Authentication<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:8.5pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2"">Make sure you are published certificate revocation lists (CRL/OCSP/AIA), that is accessible to all of your clients.. wherever they are. If you are using a Windows CA,
by default it just published into LDAP/AD. This is a problem when clients are external, or not joined to the domain. The solution is to publisher to a directory on your CA and share that location via HTTP/HTTPS.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"MS Shell Dlg 2"">Hope this helps<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:black">Dennis Heim | Emerging Technology Architect (Collaboration)</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:black">World Wide Technology, Inc. | +1 314-212-1814<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><a href="https://twitter.com/CollabSensei"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:blue;text-decoration:none"><img border="0" width="124" height="25" id="Picture_x0020_1" src="cid:image001.png@01D062E5.4A13D170" alt="twitter"></span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><a href="xmpp:dennis.heim@wwt.com"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;text-decoration:none"><img border="0" width="95" height="28" id="Picture_x0020_2" src="cid:image002.png@01D062E5.4A13D170" alt="chat"></span></a><a href="tel:+13142121814"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;text-decoration:none"><img border="0" width="95" height="28" id="Picture_x0020_3" src="cid:image003.png@01D062E5.4A13D170" alt="Phone"></span></a><a href="sip:dennis.heim@wwt.com"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;text-decoration:none"><img border="0" width="95" height="28" id="Picture_x0020_4" src="cid:image004.png@01D062E5.4A13D170" alt="video"></span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt;font-family:"Calibri",sans-serif;color:#1F497D">"Innovation happens on project squared" --
<a href="http://www.projectsquared.com/"><span style="color:#0563C1">http://www.projectsquared.com</span></a><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:blue"><a href="https://wwt.webex.com/meet/dennis.heim"><span style="color:#0563C1">Click here to join me in my Collaboration Meeting Room</span></a></span></u><u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#0563C1"><o:p></o:p></span></u></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> cisco-voip [mailto:cisco-voip-bounces@puck.nether.net]
<b>On Behalf Of </b>Rajkumar Yadav<br>
<b>Sent:</b> Friday, March 20, 2015 4:58 AM<br>
<b>To:</b> cisco-voip@puck.nether.net<br>
<b>Subject:</b> [cisco-voip] Expressway certificate advice required.<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div id="yui_3_16_0_1_1426835577685_24961">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Hi,<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1426835577685_24960">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div id="yui_3_16_0_1_1426835577685_24959">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Need few clarification for the Expressway MRA and certificate.<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1426835577685_24828">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div id="yui_3_16_0_1_1426835577685_24839">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">we have bought Multi san certificate from Go Daddy for UC applications.<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1426835577685_24840">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div id="yui_3_16_0_1_1426835577685_24841">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Step 1:<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1426835577685_24842">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div id="yui_3_16_0_1_1426835577685_24843">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">If the certificate management part is done on the CUCM publisher for Tomcat with Multi San capabilities it would include the FQDN of
all CUCM ( Pub & Sub), CUC, Im & Presence and domain.com.<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1426835577685_24843">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Also i have to repeat the step for the Im & Presence server with Cup XMPP.<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1426835577685_24843">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div id="yui_3_16_0_1_1426835577685_24843">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Step2:<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1426835577685_24843">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div id="yui_3_16_0_1_1426835577685_24843">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Now if I'm doing the expressway (MRA) certificate management for traversal zone with Multi San capabilities, then will it include all
the above FQDN and is it i don't have to perform step 1.<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1426835577685_24843">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div id="yui_3_16_0_1_1426835577685_24843">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">If i don't perform step 1, will it Jabber clients will not throw error for certificate acceptance (both inside and outside).<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1426835577685_24843">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div id="yui_3_16_0_1_1426835577685_24843">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Please confirm is it both need to be done or just step 2 is enough ?<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1426835577685_24843">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div id="yui_3_16_0_1_1426835577685_24843">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div id="yui_3_16_0_1_1426835577685_24843">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Regards,<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1426835577685_24843">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Raaj.<o:p></o:p></span></p>
</div>
</div>
</div>
</body>
</html>