<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">I second the DigiCert recommendation. They are unique in that they let you generate multiple server certificates (using multiple private keys) under the same multi-SAN cert order. <div><br></div><div>You just add all of the fqdns to the same certificate order (via the CSR) and when you generate the multiSAN CSR from each server (or cluster) you will add the fqdn of the other servers as alternative names. So when you generate a Unity Connection CSR, you will add the cucm nodes, CCX nodes, etc as alternative names. If you don’t do that, digicert will invalidate any previous signed certs under that order so make sure you include the same alternative names in every CSR.<div><br></div><div>Every other provider we’ve reviewed requires you to either share the private keys (which Cisco UC servers don’t allow) or they make you order separate multi-SAN certs per cluster.<br><br><div id="AppleMailSignature"><p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;">Sent from an iOS device with very tiny touchscreen input keys. Please excude my typtos.</span></p></div><div><br>On Jun 28, 2018, at 10:24 AM, Charles Goldsmith <<a href="mailto:wokka@justfamily.org">wokka@justfamily.org</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr">Generate a CSR from each server type (CUCM, CUC, UCCX, and each expressway) and load all hostnames into each server, including your cluster name of the expressway and the domain name. At Digicert, load your csr, make sure the Common name matches the CSR that the server came from. Once you have one cluster done, go back into the order and request duplicate, load your 2nd csr, check the common name and issue the duplicate. Rinse and repeat for all systems.<div><br></div><div>Expressway clusters do not support multi-san, so just duplicate for each node.</div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Jun 28, 2018 at 10:17 AM Lelio Fulgenzi <<a href="mailto:lelio@uoguelph.ca">lelio@uoguelph.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div class="m_-7454991022443252273WordSection1">
<p class="MsoNormal">Wait. What? I understand how the internals of CUCM and IMP can distribute one multi-san cert (built on the publisher’s CSR) to each CUCM and IMP node and uses private keys to ensure they load, but….<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">How the heck do you install a cert that was built on the pub’s CSR into CUC and UCCx? Or Expressway for that matter?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">We are a digicert client, so if you have specific breadcrumbs / drop down options, feel free to share.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Lelio<u></u><u></u></p></div></div><div lang="EN-US" link="blue" vlink="purple"><div class="m_-7454991022443252273WordSection1">
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">---<u></u><u></u></span></p>
<p class="MsoNormal"><b><span style="font-family:"Arial",sans-serif">Lelio Fulgenzi, B.A.</span></b><span style="font-family:"Arial",sans-serif"> | Senior Analyst<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:#333333">Computing and Communications Services</span><span style="font-family:"Arial",sans-serif"> | University of Guelph<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><a href="tel:(519)%20824-4120" value="+15198244120" target="_blank">519-824-4120 Ext. 56354</a> |
<a href="mailto:lelio@uoguelph.ca" target="_blank"><span style="color:#0563c1">lelio@uoguelph.ca</span></a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><u></u> <u></u></span></p>
</div></div><div lang="EN-US" link="blue" vlink="purple"><div class="m_-7454991022443252273WordSection1"><p class="MsoNormal"><a href="http://www.uoguelph.ca/ccs" target="_blank"><span style="font-family:"Arial",sans-serif">www.uoguelph.ca/ccs</span></a><span style="font-family:"Arial",sans-serif;color:#1f497d"> | @UofGCCS on Instagram, Twitter and Facebook<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><img border="0" width="187" height="100" style="width:1.9479in;height:1.0416in" id="m_-7454991022443252273Picture_x0020_1" src="cid:image001.png@01D40ED1.8BDD5900" alt="University of Guelph Cornerstone with Improve Life tagline"><u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><b>From:</b> Charles Goldsmith <<a href="mailto:wokka@justfamily.org" target="_blank">wokka@justfamily.org</a>> <br>
<b>Sent:</b> Thursday, June 28, 2018 10:40 AM<br>
<b>To:</b> Lelio Fulgenzi <<a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a>><br>
<b>Cc:</b> voyp list, cisco-voip (<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a>) <<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a>><br>
<b>Subject:</b> Re: [cisco-voip] multi-SAN / server certificates vs individual certs (CUCM/IMP)<u></u><u></u></p></div></div><div lang="EN-US" link="blue" vlink="purple"><div class="m_-7454991022443252273WordSection1">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">I've used multi-san certs on at least a dozen installs and have had no issues at all. In fact, with a good SSL provider, you can use the same Multi-SAN on CUCM, CUC, UCCX, Expressways. I like how Digicert does it, just duplicate the cert
and make sure all of the hostnames are listed in the SAN.<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal">On Thu, Jun 28, 2018 at 9:37 AM Lelio Fulgenzi <<a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a>> wrote:<u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal"><br>
We're in the process of installing signed certs and we have the choice between multi-SAN cert with the publisher CSR and rely on the internals to have that cert distributed to the subs and the imp nodes -OR- go with individual certs.<br>
<br>
It's a last minute thing, so I still need to do some research, but I'm wondering what people have been doing out there. We're less concerned with cost than we are future stability. I know that this multi-san support is recent with v10.x - have they ironed out
the bugs? We're going with 11.5.<br>
<br>
Thoughts?<br>
<br>
<br>
---<br>
Lelio Fulgenzi, B.A. | Senior Analyst<br>
Computing and Communications Services | University of Guelph<br>
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1<br>
<a href="tel:(519)%20824-4120" target="_blank">519-824-4120 Ext. 56354</a> | <a href="mailto:lelio@uoguelph.ca" target="_blank">
lelio@uoguelph.ca</a><mailto:<a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a>><br>
<br>
<a href="http://www.uoguelph.ca/ccs" target="_blank">www.uoguelph.ca/ccs</a><<a href="http://www.uoguelph.ca/ccs" target="_blank">http://www.uoguelph.ca/ccs</a>> | @UofGCCS on Instagram, Twitter and Facebook<br>
<br>
[University of Guelph Cornerstone with Improve Life tagline]<br>
<br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><u></u><u></u></p>
</blockquote>
</div>
</div></div></blockquote></div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>cisco-voip mailing list</span><br><span><a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a></span><br><span><a href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a></span><br></div></blockquote></div></div></body></html>