Cisco Cisco Expressway
Server Certificate Requirements for Unified Communications
The Cisco Expressway Certificate Signing Request (CSR) tool prompts for and incorporates the relevant
subject alternate name (SAN) entries as appropriate for the Unified Communications features that are
supported on that Cisco Expressway.
subject alternate name (SAN) entries as appropriate for the Unified Communications features that are
supported on that Cisco Expressway.
The following table shows which CSR alternative name elements apply to which Unified Communications
features:
features:
CSR SAN element
Mobile and remote access
Jabber Guest
XMPP federation
Unified CM registrations domains
√
(Expressway-E only)
X
X
XMPP federation domains
X
X
√
(Expressway-E only)
IM and Presence Service chat node aliases
(federated group chat)
(federated group chat)
X
X
√
Unified CM phone security profile names
√
(Expressway-C only)
X
X
Note:
n
You might need to upload a new Cisco Expressway-C certificate for the Cisco Expressway-C if chat node
aliases are added or renamed. For example, when an IM and Presence Service node is added or renamed,
or if new TLS phone security profiles are added.
aliases are added or renamed. For example, when an IM and Presence Service node is added or renamed,
or if new TLS phone security profiles are added.
n
You will need to upload a new Cisco Expressway-E certificate if new chat node aliases are added to the
system, or if the Unified CM, or XMPP federation domains, are modified.
system, or if the Unified CM, or XMPP federation domains, are modified.
n
You must restart the Cisco Expressway for any new uploaded server certificate to take effect.
More details about the individual feature requirements per Cisco Expressway-C / Cisco Expressway-E are
described below.
described below.
Cisco Expressway-C Server Certificate Requirements
The Cisco Expressway-C server certificate needs to include the following elements in its list of subject
alternate names:
alternate names:
n
Unified Communications Manager phone security profile names: The names, in FQDN format, of all
of the Phone Security Profiles in Unified CM that are configured for encrypted TLS and are used for
devices requiring remote access. This ensures that Unified CM can communicate with Cisco
Expressway-C via a TLS connection when it is forwarding messages from devices that are configured
with those security profiles.
of the Phone Security Profiles in Unified CM that are configured for encrypted TLS and are used for
devices requiring remote access. This ensures that Unified CM can communicate with Cisco
Expressway-C via a TLS connection when it is forwarding messages from devices that are configured
with those security profiles.
Note: The above setting only applies if using Mobile and Remote Access (MRA) for voice and video calls.
For more information, see the Mobile and Remote Access via Cisco Expressway Deployment Guide
available at
For more information, see the Mobile and Remote Access via Cisco Expressway Deployment Guide
available at
Cisco Unified Communications XMPP Federation Deployment Guide (1.4)
Page 7 of 59