<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">Great info Anthony, thanks.<div><br></div><div>Question, what do you do for Expressway Core if you don’t have an internal CA to sign the EXPC (meaning no internal root cert to upload to EXPE to establish the traversal zone trust)?<br><br><div dir="ltr">Sent from an iPhone mobile device with very tiny touchscreen input keys. Please excude my typtos.</div><div dir="ltr"><br><blockquote type="cite">On Apr 17, 2020, at 3:25 PM, Anthony Holloway <avholloway+cisco-voip@gmail.com> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><div dir="ltr">This might be an unpopular opinion, but I think using the free certs provided by let's encrypt, coupled with it being automatic from now on, it's just an unbeatable combination.<div><br></div><div>Here are my cliff notes:</div><div><br></div><div><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Reference Document:</p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><a href="https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/exwy_b_certificate-creation-use-deployment-guide/exwy_b_certificate-creation-use-deployment-guide_chapter_0100.html" style="color:rgb(5,99,193)">https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/exwy_b_certificate-creation-use-deployment-guide/exwy_b_certificate-creation-use-deployment-guide_chapter_0100.html</a></p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">High Level Steps:</p>
<ol style="margin-top:0in;margin-bottom:0in" start="1" type="1">
<li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Expressway 12.5.7 to
avoid ACMEv1 vs ACMEv2 registration issues (<a href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr82346" style="color:rgb(5,99,193)">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr82346</a>)</li>
<li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">For your Unified CM
registrations domains don’t use parent domain only (E.g., <a href="http://company.com">company.com</a>),
switch to CollabEdgeDNS format instead (E.g., <a href="http://collab-edge.company.com">collab-edge.company.com</a>),
because you’ll need that in the next step</li>
<li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">DNS A records for the
Expressway-E FQDN and the CM registration domains</li>
<li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Upload the root and
intermediates for Let’s Encrypt (needed on both Expressway-E and Expressway-C)
(certs are linked in documentation)</li>
<li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Enable the ACME client
on Expressway-E and supply any email address you want to link to this
registration (This creates your account with Let’s Encrypt)</li>
<li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Generate a new CSR
(Server Certificate Only, Domain Cert Was Not Needed)</li>
<li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Click button to Submit
CSR to ACME</li>
<li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Click button to Deploy
New Certificate on Expressway-E (documentation states this is non-service
impacting)</li>
<li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Setup the automatic
scheduler so you never have to deal with this again</li>
<li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Sit back, relax and
enjoy free shit</li>
</ol><div><font face="Calibri, sans-serif"><span style="font-size:14.6667px"><br></span></font></div></div><div><font face="Calibri, sans-serif"><span style="font-size:14.6667px"><br></span></font></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Apr 17, 2020 at 1:43 PM Riley, Sean <<a href="mailto:SRiley@robinsonbradshaw.com">SRiley@robinsonbradshaw.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div class="gmail-m_-7082626340991163242WordSection1">
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif">We had our Cisco partner setup our Expressways a couple of years ago. It is a cluster with 2 E’s and 2 C’s currently at v 12.5.7 using for MRA. I have been managing them, installing
updates, troubleshooting etc. The public Edge cert is up for renewal. Can anyone provide advice on renewing this cert? I am planning on just renewing with the same cert provider, but was interested in if there is anything to watch out for. Example, will
there be a service interruption when replacing the cert? Or just install the new cert/pk and rest easy?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif">Thanks in advance.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif">Sean.<u></u><u></u></span></p>
</div>
</div>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" rel="noreferrer" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
</blockquote></div>
<span>_______________________________________________</span><br><span>cisco-voip mailing list</span><br><span>cisco-voip@puck.nether.net</span><br><span>https://puck.nether.net/mailman/listinfo/cisco-voip</span><br></div></blockquote></div></body></html>