<div dir="ltr">No problem, thanks for adding your insight.<div><br></div><div>There are a couple of other providers that do duplication as well, they just call it something different, but I haven't worked with them directly. I'm told godaddy now supports it, but they only sell the SANs in blocks of 5.</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Jun 28, 2018 at 10:39 AM Bill Talley <<a href="mailto:btalley@gmail.com">btalley@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">Scrolling through my phone and inadvertently replied to Charles email when it popped up instead of Lelio’s. Sorry for duplicating what Charles said 🤪</div><div dir="auto"><br><br><div id="m_1100459303574437030AppleMailSignature"><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:Helvetica"><span style="font-size:12pt">Sent from an iOS device with very tiny touchscreen input keys. Please excude my typtos.</span></p></div><div><br>On Jun 28, 2018, at 10:24 AM, Charles Goldsmith <<a href="mailto:wokka@justfamily.org" target="_blank">wokka@justfamily.org</a>> wrote:<br><br></div></div><div dir="auto"><blockquote type="cite"><div><div dir="ltr">Generate a CSR from each server type (CUCM, CUC, UCCX, and each expressway) and load all hostnames into each server, including your cluster name of the expressway and the domain name. At Digicert, load your csr, make sure the Common name matches the CSR that the server came from. Once you have one cluster done, go back into the order and request duplicate, load your 2nd csr, check the common name and issue the duplicate. Rinse and repeat for all systems.<div><br></div><div>Expressway clusters do not support multi-san, so just duplicate for each node.</div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Jun 28, 2018 at 10:17 AM Lelio Fulgenzi <<a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div class="m_1100459303574437030m_-7454991022443252273WordSection1">
<p class="MsoNormal">Wait. What? I understand how the internals of CUCM and IMP can distribute one multi-san cert (built on the publisher’s CSR) to each CUCM and IMP node and uses private keys to ensure they load, but….<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">How the heck do you install a cert that was built on the pub’s CSR into CUC and UCCx? Or Expressway for that matter?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">We are a digicert client, so if you have specific breadcrumbs / drop down options, feel free to share.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Lelio<u></u><u></u></p></div></div><div lang="EN-US" link="blue" vlink="purple"><div class="m_1100459303574437030m_-7454991022443252273WordSection1">
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">---<u></u><u></u></span></p>
<p class="MsoNormal"><b><span style="font-family:"Arial",sans-serif">Lelio Fulgenzi, B.A.</span></b><span style="font-family:"Arial",sans-serif"> | Senior Analyst<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:#333333">Computing and Communications Services</span><span style="font-family:"Arial",sans-serif"> | University of Guelph<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><a href="tel:(519)%20824-4120" value="+15198244120" target="_blank">519-824-4120 Ext. 56354</a> |
<a href="mailto:lelio@uoguelph.ca" target="_blank"><span style="color:#0563c1">lelio@uoguelph.ca</span></a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><u></u> <u></u></span></p>
</div></div><div lang="EN-US" link="blue" vlink="purple"><div class="m_1100459303574437030m_-7454991022443252273WordSection1"><p class="MsoNormal"><a href="http://www.uoguelph.ca/ccs" target="_blank"><span style="font-family:"Arial",sans-serif">www.uoguelph.ca/ccs</span></a><span style="font-family:"Arial",sans-serif;color:#1f497d"> | @UofGCCS on Instagram, Twitter and Facebook<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><img border="0" width="187" height="100" style="width:1.9479in;height:1.0416in" id="m_1100459303574437030m_-7454991022443252273Picture_x0020_1" src="cid:image001.png@01D40ED1.8BDD5900" alt="University of Guelph Cornerstone with Improve Life tagline"><u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><b>From:</b> Charles Goldsmith <<a href="mailto:wokka@justfamily.org" target="_blank">wokka@justfamily.org</a>> <br>
<b>Sent:</b> Thursday, June 28, 2018 10:40 AM<br>
<b>To:</b> Lelio Fulgenzi <<a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a>><br>
<b>Cc:</b> voyp list, cisco-voip (<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a>) <<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a>><br>
<b>Subject:</b> Re: [cisco-voip] multi-SAN / server certificates vs individual certs (CUCM/IMP)<u></u><u></u></p></div></div><div lang="EN-US" link="blue" vlink="purple"><div class="m_1100459303574437030m_-7454991022443252273WordSection1">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">I've used multi-san certs on at least a dozen installs and have had no issues at all. In fact, with a good SSL provider, you can use the same Multi-SAN on CUCM, CUC, UCCX, Expressways. I like how Digicert does it, just duplicate the cert
and make sure all of the hostnames are listed in the SAN.<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal">On Thu, Jun 28, 2018 at 9:37 AM Lelio Fulgenzi <<a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a>> wrote:<u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal"><br>
We're in the process of installing signed certs and we have the choice between multi-SAN cert with the publisher CSR and rely on the internals to have that cert distributed to the subs and the imp nodes -OR- go with individual certs.<br>
<br>
It's a last minute thing, so I still need to do some research, but I'm wondering what people have been doing out there. We're less concerned with cost than we are future stability. I know that this multi-san support is recent with v10.x - have they ironed out
the bugs? We're going with 11.5.<br>
<br>
Thoughts?<br>
<br>
<br>
---<br>
Lelio Fulgenzi, B.A. | Senior Analyst<br>
Computing and Communications Services | University of Guelph<br>
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1<br>
<a href="tel:(519)%20824-4120" target="_blank">519-824-4120 Ext. 56354</a> | <a href="mailto:lelio@uoguelph.ca" target="_blank">
lelio@uoguelph.ca</a><mailto:<a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a>><br>
<br>
<a href="http://www.uoguelph.ca/ccs" target="_blank">www.uoguelph.ca/ccs</a><<a href="http://www.uoguelph.ca/ccs" target="_blank">http://www.uoguelph.ca/ccs</a>> | @UofGCCS on Instagram, Twitter and Facebook<br>
<br>
[University of Guelph Cornerstone with Improve Life tagline]<br>
<br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><u></u><u></u></p>
</blockquote>
</div>
</div></div></blockquote></div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>cisco-voip mailing list</span><br><span><a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a></span><br><span><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a></span><br></div></blockquote></div></blockquote></div>