<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:13px"><div dir="ltr" id="yui_3_16_0_1_1427126818258_15753"><span>Thanks Dennis,</span></div><div dir="ltr" id="yui_3_16_0_1_1427126818258_15754"><span><br></span></div><div dir="ltr" id="yui_3_16_0_1_1427126818258_12348"><span id="yui_3_16_0_1_1427126818258_12347">Appreciate your detailed explanation.</span></div><div dir="ltr" id="yui_3_16_0_1_1427126818258_12348"><span><br></span></div><div dir="ltr" id="yui_3_16_0_1_1427126818258_12348"><span id="yui_3_16_0_1_1427126818258_15755">So you mean I should perform both steps, i.e. on Expressway-C and E for traversal zone communication, and on the internal servers for Tomcat and XMPP too.</span></div><div dir="ltr" id="yui_3_16_0_1_1427126818258_12348"><span><br></span></div><div dir="ltr" id="yui_3_16_0_1_1427126818258_12348"><span id="yui_3_16_0_1_1427126818258_12755">My CUCM version is 10.5.2.10000-5 for multi-SAN support.</span></div><div dir="ltr" id="yui_3_16_0_1_1427126818258_12348"><span><br></span></div><div dir="ltr" id="yui_3_16_0_1_1427126818258_12348"><span id="yui_3_16_0_1_1427126818258_12760">Also there were a few comments that GoDaddy certificates are not compatible with UC applications.</span></div><div dir="ltr" id="yui_3_16_0_1_1427126818258_12348"><span><br></span></div><div dir="ltr" id="yui_3_16_0_1_1427126818258_12348">So the CN must be "cucm01.domain.com" only when the public CA sends the output for the CSR.</div><div id="yui_3_16_0_1_1427126818258_16009"><br></div><div dir="ltr"><br></div><div dir="ltr" id="yui_3_16_0_1_1427126818258_16010">Regards,</div><div dir="ltr" id="yui_3_16_0_1_1427126818258_16011">Raaj.</div>  <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif; font-size: 13px;" id="yui_3_16_0_1_1427126818258_12346"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, 
Sans-Serif; font-size: 16px;" id="yui_3_16_0_1_1427126818258_12345"> <div dir="ltr" id="yui_3_16_0_1_1427126818258_12344"> <hr size="1">  <font size="2" face="Arial" id="yui_3_16_0_1_1427126818258_12761"> <b><span style="font-weight:bold;">From:</span></b> "Heim, Dennis" <Dennis.Heim@wwt.com><br> <b><span style="font-weight: bold;">To:</span></b> Rajkumar Yadav <rajkumaryadav@y7mail.com>; "cisco-voip@puck.nether.net" <cisco-voip@puck.nether.net> <br> <b><span style="font-weight: bold;">Sent:</span></b> Friday, 20 March 2015, 16:23<br> <b><span style="font-weight: bold;">Subject:</span></b> RE: [cisco-voip] Expressway certificate advice required.<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_1_1427126818258_12352"><br><div id="yiv0374023700"><style>#yiv0374023700 #yiv0374023700 --
#yiv0374023700 </style><div id="yui_3_16_0_1_1427126818258_12351">
<div class="yiv0374023700WordSection1" id="yui_3_16_0_1_1427126818258_12350">
<div class="yiv0374023700MsoNormal" id="yui_3_16_0_1_1427126818258_15805"><span style="font-size:8.5pt;" id="yui_3_16_0_1_1427126818258_15804">Traditionally, you put the public Certificate on the Expressway-E.</span></div> 
<div class="yiv0374023700MsoNormal" id="yui_3_16_0_1_1427126818258_12779"><span style="font-size:8.5pt;">  </span></div> 
<div class="yiv0374023700MsoNormal" id="yui_3_16_0_1_1427126818258_12763"><span style="font-size:8.5pt;" id="yui_3_16_0_1_1427126818258_12762">This would traditionally contain SANs such as:</span></div> 
<div class="yiv0374023700MsoNormal" id="yui_3_16_0_1_1427126818258_12356"><span style="font-size:8.5pt;">DNS:Expe.domain.com</span></div> 
<div class="yiv0374023700MsoNormal" id="yui_3_16_0_1_1427126818258_12765"><span style="font-size:8.5pt;" id="yui_3_16_0_1_1427126818258_12764">DNS:domain.com</span></div> 
<div class="yiv0374023700MsoNormal" id="yui_3_16_0_1_1427126818258_15806"><span style="font-size:8.5pt;">DNS:conference-2-CUPSCluster1.domain.com</span></div> 
<div class="yiv0374023700MsoNormal" id="yui_3_16_0_1_1427126818258_12766"><span style="font-size:8.5pt;">  </span></div> 
<div class="yiv0374023700MsoNormal"><span style="font-size:8.5pt;">If you are doing security you would have the secure profile names in there, and I believe persistent chat has some implications too.
</span></div> 
<div class="yiv0374023700MsoNormal" id="yui_3_16_0_1_1427126818258_12355"><span style="font-size:8.5pt;">  </span></div> 
<div class="yiv0374023700MsoNormal"><span style="font-size:8.5pt;">On the Expressway-C you would have certificates signed by your enterprise CA. Expressway-C and Expressway-E must be able to chain each other’s certificates so that SIP/TLS can
 be established on the Unified Communications zone – aka trust chains must be loaded.</span></div> 
<div class="yiv0374023700MsoNormal"><span style="font-size:8.5pt;">  </span></div> 
<div class="yiv0374023700MsoNormal" id="yui_3_16_0_1_1427126818258_12354"><span style="font-size:8.5pt;">Enterprise certificates are traditionally installed on your internal servers such as tomcat, etc. If using MultiSAN you must be on 10.5(2)SU2, because prior versions had a bug where
 the phones would reset every 7 minutes. </span></div> 
<div class="yiv0374023700MsoNormal"><span style="font-size:8.5pt;">  </span></div> 
<div class="yiv0374023700MsoNormal"><span style="font-size:8.5pt;">For your internal certificates, when possible I have the following SANs inserted (depending on the competency and give-a-crap factor of the security team):</span></div> 
<div class="yiv0374023700MsoNormal"><span style="font-size:8.5pt;">DNS:<Hostname></span></div> 
<div class="yiv0374023700MsoNormal"><span style="font-size:8.5pt;">DNS:<FQDN></span></div> 
<div class="yiv0374023700MsoNormal" id="yui_3_16_0_1_1427126818258_12353"><span style="font-size:8.5pt;">DNS:<IP-Address></span></div> 
<div class="yiv0374023700MsoNormal"><span style="font-size:8.5pt;">IP:<IP-Address></span></div> 
<div class="yiv0374023700MsoNormal"><span style="font-size:8.5pt;">  </span></div> 
<div class="yiv0374023700MsoNormal" id="yui_3_16_0_1_1427126818258_12349"><span style="font-size:8.5pt;">Remember that from a certificate warning perspective, the service such as CUPS presents the client certificate and it is up to the operating system to perform the validation. All
 devices internally will need to trust your enterprise CA. If you have mobile devices registering internally, they will need to have the enterprise CA installed. If you don’t have a BYOD/MDM solution, it may be easier to bite the bullet and get public certificates
 for your entire UC enterprise if that is important to you.</span></div> 
<div class="yiv0374023700MsoNormal"><span style="font-size:8.5pt;">  </span></div> 
<div class="yiv0374023700MsoNormal"><span style="font-size:8.5pt;">A couple of notes when generating your Certificates off your enterprise CA:</span></div> 
<div class="yiv0374023700MsoListParagraph" style=""><span style="font-size:8.5pt;font-family:Symbol;"><span style="">·<span style="font:7.0pt;">         
</span></span></span><span style="font-size:8.5pt;">Make sure the certificate template you are using is set for Client AND Server Authentication</span></div> 
<div class="yiv0374023700MsoListParagraph" style=""><span style="font-size:8.5pt;font-family:Symbol;"><span style="">·<span style="font:7.0pt;">         
</span></span></span><span style="font-size:8.5pt;">Make sure you are publishing certificate revocation lists (CRL/OCSP/AIA) that are accessible to all of your clients, wherever they are. If you are using a Windows CA,
 by default it just publishes into LDAP/AD. This is a problem when clients are external, or not joined to the domain. The solution is to publish to a directory on your CA and share that location via HTTP/HTTPS.</span></div> 
<div class="yiv0374023700MsoNormal"><span style="font-size:8.5pt;">  </span></div> 
<div class="yiv0374023700MsoNormal"><span style="font-size:8.5pt;">Hope this helps</span></div> 
<div class="yiv0374023700MsoNormal"><span style="font-size:11.0pt;">  </span></div> 
<div class="yiv0374023700MsoNormal"><span style="font-size:11.0pt;">  </span></div> 
<div>
<div class="yiv0374023700MsoNormal" style=""><b><span style="font-size:10.0pt;">Dennis Heim | Emerging Technology Architect (Collaboration)</span></b><span style="font-size:11.0pt;"></span></div> 
<div class="yiv0374023700MsoNormal" style=""><span style="font-size:10.0pt;">World Wide Technology, Inc. | +1 314-212-1814</span></div> 
<div class="yiv0374023700MsoNormal" style=""><a rel="nofollow" shape="rect" target="_blank" href="https://twitter.com/CollabSensei"><span style="font-size:11.0pt;"><img id="yiv0374023700Picture_x0020_1" border="0" width="124" height="25" src="cid:image001.png@01D062E5.4A13D170" alt="twitter" data-id="6f907f79-faaf-b443-0bc1-048698d08a9e"></span></a><span style="font-size:11.0pt;"></span></div> 
<div class="yiv0374023700MsoNormal" style=""><span style="font-size:8.0pt;">"Innovation happens on project squared" --
<a rel="nofollow" shape="rect" target="_blank" href="http://www.projectsquared.com/"><span style="color:#0563C1;">http://www.projectsquared.com</span></a></span></div> 
<div class="yiv0374023700MsoNormal" style=""><span style="font-size:8.0pt;">  </span></div> 
<div class="yiv0374023700MsoNormal"><u><span style="font-size:11.0pt;"><a rel="nofollow" shape="rect" target="_blank" href="https://wwt.webex.com/meet/dennis.heim"><span style="color:#0563C1;">Click here to join me in my Collaboration Meeting Room</span></a></span></u><u><span style="font-size:11.0pt;"></span></u></div> 
<div class="yiv0374023700MsoNormal" style=""><span style="font-size:8.0pt;">  </span></div> 
<div class="yiv0374023700MsoNormal" style=""><span style="font-size:11.0pt;">  </span></div> 
</div>
<div class="yiv0374023700MsoNormal"><span style="font-size:11.0pt;">  </span></div> 
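<div class="yiv0374023700MsoNormal"><span style="font-size:8.5pt;">Added example, not part of Dennis's reply or of Raaj's question below: the shell script here builds a throwaway CA with openssl, signs one Expressway-style CSR under a server-only issuing template and under a client-and-server template, and then runs the three checks this thread is about: whether the chain builds to the CA the peer has actually loaded (the trust-chain point for the traversal zone), whether the SAN list covers the name a client will connect to (domain.com and the conference alias match; cucm01.domain.com does not, because it is not in the list), and whether the EKU carries both serverAuth and clientAuth. The names expe.domain.com, domain.com and conference-2-CUPSCluster1.domain.com come from the message above; the CA names, file names, key sizes and lifetimes are assumptions for the demo.</span></div>

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. It stands up a
# throwaway CA, signs one Expressway-style CSR under two different issuing
# "templates", and runs the three checks worth doing before loading a
# certificate on Expressway-E/C or CUCM:
#   1. chain_trusted: does the chain build to the CA the peer actually trusts?
#   2. name_matches:  does the SAN list cover the name a client will connect to?
#   3. eku_ok:        does the EKU carry BOTH serverAuth and clientAuth?
# Names from the thread: domain.com, expe.domain.com, the CUPS cluster name.
# Assumed for the demo: CA names, file names, RSA-2048 keys, 30-day lifetimes.
set -eu
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SANS="DNS:expe.domain.com,DNS:domain.com,DNS:conference-2-CUPSCluster1.domain.com"

# make_ca <name> <cn>: self-signed CA; a private config keeps the demo
# independent of whatever the system openssl.cnf happens to contain.
make_ca() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = $2
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_csr: what the Expressway-E would hand to the CA. Only the CN travels in
# the request here; the issuing template decides the SANs and EKUs.
make_csr() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = expe.domain.com\n' > "$WORK/csr.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/csr.cnf" \
    -keyout "$WORK/expe.key" -out "$WORK/expe.csr" >/dev/null 2>&1
}

# issue_cert <name> <eku-line>: sign the CSR with the enterprise CA using an
# extension profile that stands in for the CA's certificate template.
issue_cert() {
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nsubjectAltName = %s\n%s\n' \
    "$SANS" "$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/expe.csr" -CA "$WORK/enterprise.pem" -CAkey "$WORK/enterprise.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

chain_trusted() {   # <cert> <ca-bundle>: 0 only if the chain builds to that bundle
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

name_matches() {    # <cert> <hostname>: chain check plus SAN/hostname match
  openssl verify -CAfile "$WORK/enterprise.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

eku_ok() {          # <cert>: 0 only if both TLS server and client auth are present
  txt=$(openssl x509 -in "$1" -noout -text)
  case "$txt" in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
  case "$txt" in *"TLS Web Client Authentication"*) ;; *) return 1 ;; esac
}

make_ca enterprise "Demo Enterprise CA"
make_ca other "Some Other CA"          # a CA the peer does not trust
make_csr
issue_cert server_only   "extendedKeyUsage = serverAuth"
issue_cert client_server "extendedKeyUsage = serverAuth,clientAuth"

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
report chain_trusted "$WORK/client_server.pem" "$WORK/enterprise.pem"
report chain_trusted "$WORK/client_server.pem" "$WORK/other.pem"     # wrong trust store
report name_matches  "$WORK/client_server.pem" domain.com
report name_matches  "$WORK/client_server.pem" cucm01.domain.com     # not in the SAN list
report eku_ok "$WORK/server_only.pem"                                # server-only template
report eku_ok "$WORK/client_server.pem"
```

<div class="yiv0374023700MsoNormal"><span style="font-size:8.5pt;">Run it as-is; the three FAIL lines it prints (wrong trust store, name not in the SAN list, server-only template) are exactly the failure modes the thread warns about, and the same three functions can be pointed at a real Expressway or CUCM certificate and CA bundle. For the CRL/AIA point, read the URLs out of the issued certificate with <i>openssl x509 -noout -text</i> (the CRL Distribution Points and Authority Information Access sections) and confirm they are reachable over HTTP from a client that is neither domain-joined nor on the internal network.</span></div>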
<div class="qtdSeparateBR"><br><br></div><div class="yiv0374023700yqt8558749984" id="yiv0374023700yqt20720"><div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in;">
<div class="yiv0374023700MsoNormal"><b><span style="font-size:11.0pt;">From:</span></b><span style="font-size:11.0pt;"> cisco-voip [mailto:cisco-voip-bounces@puck.nether.net]
<b>On Behalf Of </b>Rajkumar Yadav<br clear="none">
<b>Sent:</b> Friday, March 20, 2015 4:58 AM<br clear="none">
<b>To:</b> cisco-voip@puck.nether.net<br clear="none">
<b>Subject:</b> [cisco-voip] Expressway certificate advice required.</span></div> 
</div>
</div>
<div class="yiv0374023700MsoNormal">  </div> 
<div>
<div id="yiv0374023700yui_3_16_0_1_1426835577685_24961">
<div class="yiv0374023700MsoNormal" style="background:white;"><span style="font-size:10.0pt;">Hi,</span></div> 
</div>
<div id="yiv0374023700yui_3_16_0_1_1426835577685_24960">
<div class="yiv0374023700MsoNormal" style="background:white;"><span style="font-size:10.0pt;">  </span></div> 
</div>
<div id="yiv0374023700yui_3_16_0_1_1426835577685_24959">
<div class="yiv0374023700MsoNormal" style="background:white;"><span style="font-size:10.0pt;">Need a few clarifications on Expressway MRA and certificates.</span></div> 
</div>
<div id="yiv0374023700yui_3_16_0_1_1426835577685_24828">
<div class="yiv0374023700MsoNormal" style="background:white;"><span style="font-size:10.0pt;">  </span></div> 
</div>
<div id="yiv0374023700yui_3_16_0_1_1426835577685_24839">
<div class="yiv0374023700MsoNormal" style="background:white;"><span style="font-size:10.0pt;">We have bought a multi-SAN certificate from GoDaddy for UC applications.</span></div> 
</div>
<div id="yiv0374023700yui_3_16_0_1_1426835577685_24840">
<div class="yiv0374023700MsoNormal" style="background:white;"><span style="font-size:10.0pt;">  </span></div> 
</div>
<div id="yiv0374023700yui_3_16_0_1_1426835577685_24841">
<div class="yiv0374023700MsoNormal" style="background:white;"><span style="font-size:10.0pt;">Step 1:</span></div> 
</div>
<div id="yiv0374023700yui_3_16_0_1_1426835577685_24842">
<div class="yiv0374023700MsoNormal" style="background:white;"><span style="font-size:10.0pt;">  </span></div> 
</div>
<div id="yiv0374023700yui_3_16_0_1_1426835577685_24843">
<div class="yiv0374023700MsoNormal" style="background:white;"><span style="font-size:10.0pt;">If the certificate management part is done on the CUCM publisher for Tomcat with multi-SAN capabilities, it would include the FQDNs of
 all CUCM nodes (Pub & Sub), CUC, IM & Presence and domain.com.</span></div> 
</div>
<div id="yiv0374023700yui_3_16_0_1_1426835577685_24843">
<div class="yiv0374023700MsoNormal" style="background:white;"><span style="font-size:10.0pt;">Also I have to repeat the step for the IM & Presence server with cup-xmpp.</span></div> 
</div>
<div id="yiv0374023700yui_3_16_0_1_1426835577685_24843">
<div class="yiv0374023700MsoNormal" style="background:white;"><span style="font-size:10.0pt;">  </span></div> 
</div>
<div id="yiv0374023700yui_3_16_0_1_1426835577685_24843">
<div class="yiv0374023700MsoNormal" style="background:white;"><span style="font-size:10.0pt;">Step 2:</span></div> 
</div>
<div id="yiv0374023700yui_3_16_0_1_1426835577685_24843">
<div class="yiv0374023700MsoNormal" style="background:white;"><span style="font-size:10.0pt;">  </span></div> 
</div>
<div id="yiv0374023700yui_3_16_0_1_1426835577685_24843">
<div class="yiv0374023700MsoNormal" style="background:white;"><span style="font-size:10.0pt;">Now if I'm doing the Expressway (MRA) certificate management for the traversal zone with multi-SAN capabilities, will it include all
 the above FQDNs, and does that mean I don't have to perform step 1?</span></div> 
</div>
<div id="yiv0374023700yui_3_16_0_1_1426835577685_24843">
<div class="yiv0374023700MsoNormal" style="background:white;"><span style="font-size:10.0pt;">  </span></div> 
</div>
<div id="yiv0374023700yui_3_16_0_1_1426835577685_24843">
<div class="yiv0374023700MsoNormal" style="background:white;"><span style="font-size:10.0pt;">If I don't perform step 1, will Jabber clients not throw an error for certificate acceptance (both inside and outside)?</span></div> 
</div>
<div id="yiv0374023700yui_3_16_0_1_1426835577685_24843">
<div class="yiv0374023700MsoNormal" style="background:white;"><span style="font-size:10.0pt;">  </span></div> 
</div>
<div id="yiv0374023700yui_3_16_0_1_1426835577685_24843">
<div class="yiv0374023700MsoNormal" style="background:white;"><span style="font-size:10.0pt;">Please confirm whether both need to be done or just step 2 is enough.</span></div> 
</div>
<div id="yiv0374023700yui_3_16_0_1_1426835577685_24843">
<div class="yiv0374023700MsoNormal" style="background:white;"><span style="font-size:10.0pt;">  </span></div> 
</div>
<div id="yiv0374023700yui_3_16_0_1_1426835577685_24843">
<div class="yiv0374023700MsoNormal" style="background:white;"><span style="font-size:10.0pt;">  </span></div> 
</div>
<div id="yiv0374023700yui_3_16_0_1_1426835577685_24843">
<div class="yiv0374023700MsoNormal" style="background:white;"><span style="font-size:10.0pt;">Regards,</span></div> 
</div>
<div id="yiv0374023700yui_3_16_0_1_1426835577685_24843">
<div class="yiv0374023700MsoNormal" style="background:white;"><span style="font-size:10.0pt;">Raaj.</span></div> 
</div>
</div></div>
</div>
</div></div><br><br></div> </div> </div>  </div></body></html>