<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:inherit;
        panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;
        mso-fareast-language:EN-US;}
h1
        {mso-style-priority:9;
        mso-style-link:"Título 1 Car";
        mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:0cm;
        font-size:24.0pt;
        font-family:"Calibri",sans-serif;
        font-weight:bold;}
h4
        {mso-style-priority:9;
        mso-style-link:"Título 4 Car";
        margin-top:2.0pt;
        margin-right:0cm;
        margin-bottom:0cm;
        margin-left:0cm;
        margin-bottom:.0001pt;
        page-break-after:avoid;
        font-size:11.0pt;
        font-family:"Calibri Light",sans-serif;
        color:#2F5496;
        mso-fareast-language:EN-US;
        font-weight:normal;
        font-style:italic;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
span.EstiloCorreo17
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
span.Ttulo1Car
        {mso-style-name:"Título 1 Car";
        mso-style-priority:9;
        mso-style-link:"Título 1";
        font-family:"Calibri",sans-serif;
        mso-fareast-language:ES-AR;
        font-weight:bold;}
span.Ttulo4Car
        {mso-style-name:"Título 4 Car";
        mso-style-priority:9;
        mso-style-link:"Título 4";
        font-family:"Calibri Light",sans-serif;
        color:#2F5496;
        font-style:italic;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;
        mso-fareast-language:EN-US;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1028" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="ES-AR" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Hi, Guys<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I am renewing the certificates in an Expressway X8.10.1 cluster. But I am running into a conflict between the official documentation and how CUCM works.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I have set both Expressway-C certificates to use the Cluster name for the Common Name and each server's name as a SAN, as the official guide states.<o:p></o:p></p>
<p class="MsoNormal">But when I load both signed certificates into CUCM trust stores, it shows only one of the certificates instead of both, as CUCM uses the CN to build its list of certs, and both ExpCs' CN is the same (although they are two different certificates).<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">So, I started to re-read all related documents I could find and I found some contradictions that I do not know how to solve.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">On one hand, I have the official “Certificate Creation and Deployment Guide” that states:
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">“A certificate identifies the Expressway. It contains names by which it is known and to which traffic is routed. If the Expressway is known by multiple names for these purposes, such as if it is part of a cluster, this must be represented
 in the X.509 subject data, according to the guidance of RFC5922. The certificate must contain the FQDN of both the Expressway itself and of the cluster. The following lists show what must be included in the X.509 subject, depending on the deployment model
 chosen. <o:p></o:p></p>
<p class="MsoNormal">If the Expressway is not clustered:<o:p></o:p></p>
<p class="MsoNormal" style="text-indent:35.4pt"><span style="font-family:"Arial",sans-serif">■</span> Subject Common Name = FQDN of Expressway
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span style="font-family:"Arial",sans-serif">■</span> Subject Alternate Names = leave blank*
<o:p></o:p></p>
<p class="MsoNormal">If the Expressway is clustered, with individual certificates per Expressway:
<o:p></o:p></p>
<p class="MsoNormal" style="text-indent:35.4pt"><span style="font-family:"Arial",sans-serif">■</span> Subject Common Name = FQDN of cluster
<o:p></o:p></p>
<p class="MsoNormal" style="text-indent:35.4pt"><span style="font-family:"Arial",sans-serif">■</span> Subject Alternate Name = FQDN of Expressway peer, FQDN of cluster*<o:p></o:p></p>
<p class="MsoNormal" style="text-indent:35.4pt"><o:p> </o:p></p>
<p class="MsoNormal"><a href="https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-10/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-10.pdf">https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-10/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-10.pdf</a><o:p></o:p></p>
<p class="MsoNormal" style="text-indent:35.4pt"><o:p> </o:p></p>
<p class="MsoNormal">On the other hand I have the “Configure and Troubleshoot Collaboration Edge (MRA) Certificates” that says:
<o:p></o:p></p>
<p class="MsoNormal" style="text-indent:35.4pt"><o:p> </o:p></p>
<h4 style="mso-margin-top-alt:11.25pt;margin-right:0cm;margin-bottom:7.5pt;margin-left:0cm;line-height:14.4pt;background:white;vertical-align:baseline">
<span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#58585B">Cluster Certificates<o:p></o:p></span></h4>
<p style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:4.5pt;margin-left:0cm;line-height:16.5pt;background:white;vertical-align:baseline;font-variant-ligatures: normal;font-variant-caps: normal;font-variant-numeric: inherit;font-variant-east-asian: inherit;font-stretch: inherit;orphans: 2;text-align:start;widows: 2;-webkit-text-stroke-width: 0px;text-decoration-style: initial;text-decoration-color: initial;word-spacing:0px">
<span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#58585B">It is strongly recommended that if you have a cluster of Expressway-C or Expressway-E servers for redundancy that you generate a separate CSR for each server and have it signed by a
 CA.  Most deployments will use the server name for the subject and list all peers and the cluster ID as SANs.  It is possible for you to use the cluster-id as the subject to use the same certificate for all nodes in the cluster, therefore avoiding the cost
 of multiple certs signed by a public CA.  If absolutely necessary, this can be done with the following process or by using OpenSSL to generate both the private key and CSR manually:<o:p></o:p></span></p>
<p style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:4.5pt;margin-left:0cm;line-height:16.5pt;background:white;vertical-align:baseline;font-variant-ligatures: normal;font-variant-caps: normal;font-variant-numeric: inherit;font-variant-east-asian: inherit;font-stretch: inherit;orphans: 2;text-align:start;widows: 2;-webkit-text-stroke-width: 0px;text-decoration-style: initial;text-decoration-color: initial;word-spacing:0px">
<span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#58585B">Step 1.  Generate a CSR on the master of the cluster and configure it to list the cluster-alias as the subject.  Add all peers in the cluster as alternative names, along with all other
 required SANs.<o:p></o:p></span></p>
<p style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:4.5pt;margin-left:0cm;line-height:16.5pt;background:white;vertical-align:baseline;font-variant-ligatures: normal;font-variant-caps: normal;font-variant-numeric: inherit;font-variant-east-asian: inherit;font-stretch: inherit;orphans: 2;text-align:start;widows: 2;-webkit-text-stroke-width: 0px;text-decoration-style: initial;text-decoration-color: initial;word-spacing:0px">
<span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#58585B">Step 2.  Sign this CSR and upload to the master peer.<o:p></o:p></span></p>
<p style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:4.5pt;margin-left:0cm;line-height:16.5pt;background:white;vertical-align:baseline;font-variant-ligatures: normal;font-variant-caps: normal;font-variant-numeric: inherit;font-variant-east-asian: inherit;font-stretch: inherit;orphans: 2;text-align:start;widows: 2;-webkit-text-stroke-width: 0px;text-decoration-style: initial;text-decoration-color: initial;word-spacing:0px">
<span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#58585B">Step 3.  Log into the master as root and download the private key located in /tandberg/persistent/certs.<o:p></o:p></span></p>
<p style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:4.5pt;margin-left:0cm;line-height:16.5pt;background:white;vertical-align:baseline;font-variant-ligatures: normal;font-variant-caps: normal;font-variant-numeric: inherit;font-variant-east-asian: inherit;font-stretch: inherit;orphans: 2;text-align:start;widows: 2;-webkit-text-stroke-width: 0px;text-decoration-style: initial;text-decoration-color: initial;word-spacing:0px">
<span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#58585B">Step 4.  Upload both the signed certificate and matching private key to each other peer in the cluster.<o:p></o:p></span></p>
<div style="mso-element:para-border-div;border-top:solid #CCCCCC 1.0pt;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:none;padding:8.0pt 0cm 8.0pt 0cm;background:white">
<p style="margin:0cm;margin-bottom:.0001pt;line-height:16.5pt;background:white;vertical-align:baseline;border:none;padding:0cm;border-right-style:initial;border-left-style:initial;border-right-color:initial;border-left-color:initial;border-image: initial;font-variant-ligatures: normal;font-variant-caps: normal;font-variant-numeric: inherit;font-variant-east-asian: inherit;font-stretch: inherit;orphans: 2;text-align:start;widows: 2;-webkit-text-stroke-width: 0px;text-decoration-style: initial;text-decoration-color: initial;overflow-x: hidden;background-position-x:2px;background-position-y:4px;word-spacing:0px">
<strong><span style="font-size:10.5pt;font-family:"inherit",serif;color:#58585B;border:none windowtext 1.0pt;padding:0cm">Note</span></strong><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#58585B">: This is not recommended for the following
 reasons:<br>
1. It is a security risk because all peers are using the same private key.  If one is somehow compromised an attacker can decrypt traffic from any of the servers.   <br>
2.  If a change needs to be made to the certificate, this entire process must be followed again rather than a simple CSR generation and signing.<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><a href="https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/213872-configure-and-troubleshoot-collaboration.html#anc17">https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/213872-configure-and-troubleshoot-collaboration.html#anc17</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">So, one says to use the cluster name, the other says the opposite. And I have the CUCM showing me only one cert instead of two.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">What should I do? Re-sign both certificates with the peer name as CN and cluster as SAN and be done with it? Or is there a legitimate way to use the cluster name and not have issues with CUCM?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Right now, the Expressway cluster is in service, because I left the cluster's main peer certificate showing in CUCM, but as far as I know, the backup peer won't work.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">TIA,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span style="font-family:"Arial",sans-serif;color:#E41E26;mso-fareast-language:ES-AR">Ariel
 Roza</span></b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-fareast-language:ES-AR"><br>
</span><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#404040;mso-fareast-language:ES-AR">Support & Maintenance</span></b><b><span style="font-size:10.0pt;color:#404040;mso-fareast-language:ES-AR">
</span></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#404040;mso-fareast-language:ES-AR">Engineer</span></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#3F4243;mso-fareast-language:ES-AR"> | Latam</span></b><span style="color:black;mso-fareast-language:ES-AR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES" style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#3F4243;mso-fareast-language:ES-AR">t:</span><span lang="ES" style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#3F4243;mso-fareast-language:ES-AR"> +54
 11 5282-0458 / c: +54 11 5017-4417 / webex: <a href="https://logicalis-la.webex.com/join/ariel.roza">
<span style="color:#0563C1">https://logicalis-la.webex.com/join/ariel.roza</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES" style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#3F4243;mso-fareast-language:ES-AR">Av. Belgrano 955 – Piso 20 – CABA – Argentina – C1092AAJ</span><span lang="ES" style="color:black;mso-fareast-language:ES-AR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES" style="color:black;mso-fareast-language:ES-AR"><a href="http://www.la.logicalis.com/"><span lang="EN-US" style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#E41E26">www.la.logicalis.com</span></a></span><span lang="EN-US" style="color:black;mso-fareast-language:ES-AR"><o:p></o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#3F4243;mso-fareast-language:ES-AR">Business
</span></b><b><span lang="EN-GB" style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#3F4243;mso-fareast-language:ES-AR">and technology working as one</span></b><b><span lang="EN-GB" style="font-size:9.0pt;color:#3F4243;mso-fareast-language:ES-AR"> </span></b><span lang="EN-US" style="color:black;mso-fareast-language:ES-AR"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#A6A6A6;mso-fareast-language:ES-AR">Logicalis Argentina S.A. can only be bound by its legal representatives within the limits set out in its articles of incorporation and the legislation in force. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#A6A6A6;mso-fareast-language:ES-AR">The content of this e-mail, including its attachments, contains confidential information.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#A6A6A6;mso-fareast-language:ES-AR">It may not be disclosed and/or used by anyone other than the addressee, nor may it be copied in any form.</span><span style="mso-fareast-language:ES-AR"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
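<p class="MsoNormal">As an added illustration of the collision described in the e-mail above (this script is not part of the original message nor of Cisco's documentation), the following POSIX shell script uses OpenSSL (1.1.1 or newer is assumed, for <code>-addext</code> and <code>-ext</code>) and constructed placeholder hostnames to build two self-signed peer certificates in each of the two layouts the quoted documents describe: CN = cluster FQDN with the peer and cluster FQDNs as SANs, and CN = peer FQDN with all peers and the cluster FQDN as SANs. It then counts how many distinct entries a trust store would hold if it keyed certificates on the subject CN versus on the SHA-256 fingerprint. With the cluster FQDN as CN the two peers collapse to one CN-keyed entry even though they are two different certificates; with the peer FQDN as CN they stay distinct either way.</p>

```shell
#!/bin/sh
# Added example, not from the original e-mail or from Cisco's documentation.
# Assumes OpenSSL 1.1.1 or newer on PATH (for -addext and -ext). All hostnames
# below are constructed placeholders. Certificates are self-signed only so the
# demo runs offline; in a real deployment the CSR goes to the CA instead.
set -e

CLUSTER_FQDN="expc-cluster.example.internal"
PEER1_FQDN="expc1.example.internal"
PEER2_FQDN="expc2.example.internal"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_cert <file-prefix> <subject CN> <subjectAltName list>
make_cert() {
    prefix="$1"; cn="$2"; sans="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORKDIR/$prefix.key" -out "$WORKDIR/$prefix.pem" \
        -subj "/CN=$cn" -addext "subjectAltName=$sans" >/dev/null 2>&1
}

# cert_cn <pem> -> subject CN (the subjects built here contain only a CN)
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=[[:space:]]*CN=//p'
}

# cert_fingerprint <pem> -> SHA-256 fingerprint, unique per certificate
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# cert_sans <pem> -> the subjectAltName values on one line (for display)
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | sed -n '2p' | sed 's/^[[:space:]]*//'
}

# distinct_keys <key-function> <pem>... -> number of distinct entries a store
# would hold if it keyed certificates on that function's output
distinct_keys() {
    keyfn="$1"; shift
    for f in "$@"; do "$keyfn" "$f"; done | sort -u | wc -l | tr -d ' '
}

# Layout from the Certificate Creation and Deployment Guide:
# CN = cluster FQDN on both peers, own FQDN and cluster FQDN as SANs.
build_guide_layout() {
    make_cert guide-peer1 "$CLUSTER_FQDN" "DNS:$PEER1_FQDN,DNS:$CLUSTER_FQDN"
    make_cert guide-peer2 "$CLUSTER_FQDN" "DNS:$PEER2_FQDN,DNS:$CLUSTER_FQDN"
}

# Layout from the MRA certificate article:
# CN = the peer's own FQDN, all peers plus the cluster FQDN as SANs.
build_peer_layout() {
    all_sans="DNS:$PEER1_FQDN,DNS:$PEER2_FQDN,DNS:$CLUSTER_FQDN"
    make_cert peer-peer1 "$PEER1_FQDN" "$all_sans"
    make_cert peer-peer2 "$PEER2_FQDN" "$all_sans"
}

# report <label> <prefix-a> <prefix-b>: show CN, SANs and the two entry counts
report() {
    layout="$1"; a="$WORKDIR/$2.pem"; b="$WORKDIR/$3.pem"
    echo "== $layout =="
    for f in "$a" "$b"; do
        echo "  CN=$(cert_cn "$f")  SAN: $(cert_sans "$f")"
    done
    echo "  entries if keyed on CN:          $(distinct_keys cert_cn "$a" "$b")"
    echo "  entries if keyed on fingerprint: $(distinct_keys cert_fingerprint "$a" "$b")"
}

build_guide_layout
build_peer_layout
report "guide layout (CN = cluster FQDN)" guide-peer1 guide-peer2
report "peer layout (CN = peer FQDN)" peer-peer1 peer-peer2
```

<p class="MsoNormal">Run it as <code>sh expc-cn-demo.sh</code> (a file name chosen for this example); it writes the test keys and certificates to a temporary directory. The same <code>openssl x509 -noout -subject -ext subjectAltName</code> calls can be pointed at the real signed Expressway-C certificates to confirm what CN and SANs they actually carry before they are uploaded to a trust store.</p>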
</div>
</body>
</html>