<div dir="ltr">This might be an unpopular opinion, but I think using the free certs provided by Let's Encrypt, coupled with it being automatic from now on, is just an unbeatable combination.<div><br></div><div>Here are my cliff notes:</div><div><br></div><div><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Reference Document:</p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><a href="https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/exwy_b_certificate-creation-use-deployment-guide/exwy_b_certificate-creation-use-deployment-guide_chapter_0100.html" style="color:rgb(5,99,193)">https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/exwy_b_certificate-creation-use-deployment-guide/exwy_b_certificate-creation-use-deployment-guide_chapter_0100.html</a></p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">High Level Steps:</p>
<ol style="margin-top:0in;margin-bottom:0in" start="1" type="1">
<li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Expressway 12.5.7 to
avoid ACMEv1 vs ACMEv2 registration issues (<a href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr82346" style="color:rgb(5,99,193)">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr82346</a>)</li>
<li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">For your Unified CM
registrations domains don’t use parent domain only (E.g., <a href="http://company.com">company.com</a>),
switch to CollabEdgeDNS format instead (E.g., <a href="http://collab-edge.company.com">collab-edge.company.com</a>),
because you’ll need that in the next step</li>
<li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">DNS A records for the
Expressway-E FQDN and the CM registration domains</li>
<li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Upload the root and
intermediates for Let’s Encrypt (needed on both Expressway-E and Expressway-C)
(certs are linked in documentation)</li>
<li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Enable the ACME client
on Expressway-E and supply any email address you want to link to this
registration (This creates your account with Let’s Encrypt)</li>
<li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Generate a new CSR
(Server Certificate Only, Domain Cert Was Not Needed)</li>
<li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Click button to Submit
CSR to ACME</li>
<li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Click button to Deploy
New Certificate on Expressway-E (documentation states this is non-service
impacting)</li>
<li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Set up the automatic
scheduler so you never have to deal with this again</li>
<li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Sit back, relax and
enjoy free shit</li>
</ol><div><font face="Calibri, sans-serif"><span style="font-size:14.6667px"><br></span></font></div></div><div><font face="Calibri, sans-serif"><span style="font-size:14.6667px"><br></span></font></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Apr 17, 2020 at 1:43 PM Riley, Sean <<a href="mailto:SRiley@robinsonbradshaw.com">SRiley@robinsonbradshaw.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div class="gmail-m_-7082626340991163242WordSection1">
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif">We had our Cisco partner set up our Expressways a couple of years ago. It is a cluster with 2 E’s and 2 C’s currently at v 12.5.7, used for MRA. I have been managing them, installing
updates, troubleshooting etc. The public Edge cert is up for renewal. Can anyone provide advice on renewing this cert? I am planning on just renewing with the same cert provider, but was interested in whether there is anything to watch out for. For example, will
there be a service interruption when replacing the cert? Or just install the new cert/pk and rest easy?</span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif"> </span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif">Thanks in advance.</span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif"> </span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif">Sean.</span></p>
</div>
</div>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" rel="noreferrer" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
</blockquote></div>
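<p>Added example (not part of the original thread and not Cisco's code): a check to run on a schedule after the automatic scheduler is enabled, confirming the Expressway-E certificate is still issued by Let's Encrypt, covers the names from the CSR, and is being renewed in time. The host name expe.company.com, the port argument and the 14-day threshold are assumptions; SAMPLE_CERT is constructed in the dict shape Python's getpeercert() returns.</p>

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by SSLSocket.getpeercert().
# expe.company.com is a hypothetical Expressway-E FQDN.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X3"),)),
    "notAfter": "Jul 16 12:00:00 2020 GMT",
    "subjectAltName": (("DNS", "expe.company.com"),
                       ("DNS", "collab-edge.company.com")),
}

def fetch_cert(host, port, timeout=5.0):
    """Fetch the certificate a live host presents; chain and name are validated."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def evaluate_cert(cert, required_names, now, min_days=14):
    """Return a list of problems; an empty list means the cert looks healthy."""
    problems = []
    sans = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    for name in required_names:
        if name.lower() not in sans:
            problems.append(f"missing SAN: {name}")
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    if issuer.get("organizationName") != "Let's Encrypt":
        problems.append(f"unexpected issuer: {issuer.get('organizationName')}")
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < min_days:  # assumed alert threshold, not a Cisco value
        problems.append(f"expires in {days_left} days")
    return problems

if __name__ == "__main__":
    names = ["expe.company.com", "collab-edge.company.com"]
    # Offline demo on the constructed sample; for a live host pass
    # fetch_cert(host, port) as the first argument instead.
    now = datetime(2020, 7, 10, tzinfo=timezone.utc)
    print(evaluate_cert(SAMPLE_CERT, names, now) or "OK")
```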