<div dir="ltr">Justin,<div><br></div><div>TLDs are like .com, .net, .org , etc. I think you meant parent domain.</div><div><br></div><div>Also, is that a feature of the multiserver cert, because I don't see CER for example putting the parent domain in the CSR.</div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Jul 21, 2015 at 10:24 AM Justin Steinberg <<a href="mailto:jsteinberg@gmail.com">jsteinberg@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">While we are on the topic of certs, has anyone had issues with certain CAs not allowing top level domain as a SAN (e.g. <a href="http://cisco.com" target="_blank">cisco.com</a>) ?<div><br></div><div>GoDaddy would complain in the UI that you shouldn't have a top level domain as a SAN but would still sign the cert. I'm having a problem know with Internet2/Incommon where it won't let me put a top level domain in the cert as a SAN. It just won't take the CSR.</div></div><div dir="ltr"><div><br></div><div>Justin</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jul 21, 2015 at 8:16 AM, NateCCIE <span dir="ltr"><<a href="mailto:nateccie@gmail.com" target="_blank">nateccie@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I think it’s 15 SANS plus *.<a href="http://domain.com" target="_blank">domain.com</a> and <a href="http://domain.com" target="_blank">domain.com</a><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Pricing is at <a href="https://www.digicert.com/wildcard-ssl-certificates.htm" target="_blank">https://www.digicert.com/wildcard-ssl-certificates.htm</a><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> cisco-voip [mailto:<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>] <b>On Behalf Of </b>Anthony Holloway<br><b>Sent:</b> Monday, July 20, 2015 11:49 PM<br><b>To:</b> Charles Goldsmith; Ian Anderson<br><b>Cc:</b> Cisco VOIP</span></p><div><div><br><b>Subject:</b> Re: [cisco-voip] Digicert Wildcard certificates<u></u><u></u></div></div><p></p><div><div><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">That's great to hear about digicert. I just went through a rough time with Comodo trying to get multiserver certs and my CNAMEs in the SAN field. How many SAN entries does digicert limit you to and at what price per year?<u></u><u></u></p></div><p class="MsoNormal"><u></u> <u></u></p><div><div><p class="MsoNormal">On Mon, Jul 20, 2015 at 11:19 AM Charles Goldsmith <<a href="mailto:wokka@justfamily.org" target="_blank">wokka@justfamily.org</a>> wrote:<u></u><u></u></p></div><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in"><div><p class="MsoNormal">One thing of note, Digicert works very well with all of our UC apps with their UC certificate. Add all of your server names as SAN's, as well as the domain name, and just duplicate the certificate for each app, changing the CN. It works well and also Digicert has great support.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">On Sun, Jul 19, 2015 at 4:27 AM, Ian Anderson <<a href="mailto:ia@andersoi.co.uk" target="_blank">ia@andersoi.co.uk</a>> wrote:<u></u><u></u></p><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in"><div><p class="MsoNormal">Hi Nate,<u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">I think that the concern of using wildcards generaly comes from the security and compliance folks in that if the private key of any of the servers was to be compromised then the resulting public and private keys could be used to impersonate any subdomain, e.g <a href="http://e-payments.domain.com" target="_blank">e-payments.domain.com</a>..<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">That said, as long as the customer is aware of the risk then the digicert is a fantastic option, although a lot of these issues go away in 10.5.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">The only app I've had it completely throw a wobble on so far is UCCX 9.0 as this was checking the CN on certificate upload and didn't like * even though the server name as in the SAN.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Cheers<u></u><u></u></p></div><div><p class="MsoNormal"><span style="color:#888888"><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span style="color:#888888">Ian<u></u><u></u></span></p></div></div><div><div><div><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">On 16 July 2015 at 02:35, NateCCIE <<a href="mailto:nateccie@gmail.com" target="_blank">nateccie@gmail.com</a>> wrote:<u></u><u></u></p><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in"><div><div><p class="MsoNormal">Most of the time wildcard certs mean you have a CSR and a private key generated by something, and then you upload the private key and the public key to lots of servers. The application would need to be able to upload a private key and not require its own CSR. <u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Cucm, unity cxn, uccx, do not support uploading a private key. <u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Expressway, I think conductor do allow you to upload a private key. <u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">But what makes digicert really cool is you can buy the wildcard cert, then you keep reissuing a new certificate from that one purchase.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">You can do this from what I understand an unlimited times.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">There may be other CAs that do this. I saw one the seemed like it was going to work, but since the CSR did not include the * as a SAN, they would not issue the cert.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Digicert with the Willard includes the *.<a href="http://domain.com" target="_blank">domain.com</a> and <a href="http://domain.com" target="_blank">domain.com</a> SANs automatically, and you can specify about 15 other SANs for each CSR/cert.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">So cucm and the other apps are happy because the cert was generated using its own CSR.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Using these certs, I had one TAC case where cucm balked at the cert, but I could upload the cluster wide tomcat SAN cert via im&p. This turned out to be a problem with the domain casing not matching between all of the servers and the cert. always use <a href="http://domain.com" target="_blank">domain.com</a> and not <a href="http://DOMain.com" target="_blank">DOMain.com</a> and life is happy. <u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">I am not affiliated with digicert other than they are here in Utah also. It just makes life really easy to tell the customer to buy this one cert and O I can make all of the Cisco UC/jabber cert errors go away!<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Ps. Has anyone figured out what to do with conductor wanting IP address in the SAN?<br><br>Sent from my iPhone<u></u><u></u></p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>On Jul 15, 2015, at 10:42 AM, Anthony Holloway <<a href="mailto:avholloway+cisco-voip@gmail.com" target="_blank">avholloway+cisco-voip@gmail.com</a>> wrote:<u></u><u></u></p></div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><div><p class="MsoNormal">I'm a little confused here. According to this article: <a href="http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#wildcard" target="_blank">http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#wildcard</a>, and this defect ID: <a href="https://tools.cisco.com/bugsearch/bug/CSCta14114/" target="_blank">https://tools.cisco.com/bugsearch/bug/CSCta14114/</a>, wild card certs are not supported. Are we talking about the same thing here?<u></u><u></u></p></div><p class="MsoNormal"><u></u> <u></u></p><div><div><p class="MsoNormal">On Wed, Jul 15, 2015 at 10:08 AM Eric Pedersen <<a href="mailto:PedersenE@bennettjones.com" target="_blank">PedersenE@bennettjones.com</a>> wrote:<u></u><u></u></p></div><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in"><div><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Digicert lets you put your domain and subdomains of any level as SANs. It’s great! They even generated a duplicate certificate for me with a different root CA that was supported with WebEx enabled Telepresence. We use their wildcard certificates on all of our UC servers.</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p><div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif"> cisco-voip [mailto:<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>] <b>On Behalf Of </b>Heim, Dennis<br><b>Sent:</b> 15 July 2015 8:28 AM<br><b>To:</b> Ian Anderson; NateCCIE; Cisco VOIP</span><u></u><u></u></p></div></div></div></div><div><div><div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif"><br><b>Subject:</b> Re: [cisco-voip] Digicert Wildcard certificates</span><u></u><u></u></p></div></div></div></div><div><div><p class="MsoNormal"> <u></u><u></u></p><p class="MsoNormal"><a name="msg-f:1507319915810210080_14eb08be1167dcba_msg-f:1507232751735577816_14ea5daea03939"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I’ve found the hardest thing to find a cert providers that likes putting the domain as a san such as DNS=mycollab.com. Has anyone found any providers that are kosher with that? From one of the Cisco Live sessions, I was told this is needed for service discovery to function properly.</span></a><u></u><u></u></p></div></div><div><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:black">Dennis Heim | Emerging Technology Architect (Collaboration)</span></b><u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:black">World Wide Technology, Inc. | <a href="tel:%2B1%20314-212-1814" target="_blank">+1 314-212-1814</a></span><u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"><a href="https://twitter.com/CollabSensei" target="_blank"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;text-decoration:none"><img border="0" width="124" height="25" alt="twitter" src="cid:f03284eff798361e_0.0.1"></span></a><u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><image002.png></span><a href="tel:+13142121814" target="_blank"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d;text-decoration:none"><image003.png></span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><image004.png></span><u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt;font-family:"Calibri",sans-serif;color:#1f497d">“There is a fine line between Wrong and Visionary. Unfortunately, you have to be a visionary to see it." – Sheldon Cooper</span><u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><a href="https://wwt.webex.com/meet/dennis.heim" target="_blank"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#0563c1">Click here to join me in my Collaboration Meeting Room</span></a><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p></div></div><div><div><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> cisco-voip [<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">mailto:cisco-voip-bounces@puck.nether.net</a>] <b>On Behalf Of </b>Ian Anderson</span><u></u><u></u></p></div></div><div><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><br><b>Sent:</b> Wednesday, July 15, 2015 10:18 AM<br><b>To:</b> NateCCIE; Cisco VOIP<br><b>Subject:</b> Re: [cisco-voip] Digicert Wildcard certificates</span><u></u><u></u></p></div></div><div><div><p class="MsoNormal"> <u></u><u></u></p><div><div><p class="MsoNormal"> <u></u><u></u></p><div><p class="MsoNormal">On 15 July 2015 at 15:02, NateCCIE <<a href="mailto:nateccie@gmail.com" target="_blank">nateccie@gmail.com</a>> wrote:<u></u><u></u></p><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt"><div><div><p class="MsoNormal">Did you put all of your SANs in the digicert page?<u></u><u></u></p></div><div><p class="MsoNormal"><span style="color:#1f497d">z</span><u></u><u></u></p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt">I have this working on all of my expressway installs. <u></u><u></u></p></div></div></blockquote><div><p class="MsoNormal">Hi Nate, <u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">Thanks for the quick response, just for preservation in the archives for future posterity and confirmation that digicert seems fine despite the warnings in the manuals, it seemed I was running into 2 separate issues.<u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">1) I had uploaded the intermediate cert, but needed to manually download and upload the root CA<u></u><u></u></p></div><div><p class="MsoNormal">2) That then got me past the TLS error, only to find that I had fat-fingered the hostname in the SAN field :-(<u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">Cheers<u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">Ian <u></u><u></u></p></div></div></div></div></div></div><div><p class="MsoNormal"><br><br>The contents of this message may contain confidential and/or privileged subject matter. If this message has been received in error, please contact the sender and delete all copies. Like other forms of communication, e-mail communications may be vulnerable to interception by unauthorized parties. If you do not wish us to communicate with you by e-mail, please notify us at your earliest convenience. In the absence of such notification, your consent is assumed. Should you choose to allow us to communicate by e-mail, we will not take any additional security measures (such as encryption) unless specifically requested. <br><br>If you no longer wish to receive commercial messages, you can unsubscribe by accessing this link: <a href="http://www.bennettjones.com/unsubscribe" target="_blank">http://www.bennettjones.com/unsubscribe</a> <u></u><u></u></p></div><p class="MsoNormal">_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><u></u><u></u></p></blockquote></div></div></blockquote></div></blockquote></div><p class="MsoNormal"><u></u> <u></u></p></div></div></div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><u></u><u></u></p></blockquote></div><p class="MsoNormal"><u></u> <u></u></p></div><p class="MsoNormal">_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><u></u><u></u></p></blockquote></div></div></div></div></div><br>_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" rel="noreferrer" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<br></blockquote></div><br></div>
</blockquote></div>