Cisco Expressway Maintenance Manual
We recommend that you select the DNS format and manually specify the required FQDNs, separated by
commas if you need multiple domains. The XMPPAddress format may not be supported by your chosen
CA.
- IM and Presence chat node aliases (federated group chat): the same set of Chat Node Aliases as
  entered on the Expressway-C's certificate. They are only required for voice and presence deployments
  which will support group chat over TLS with federated contacts.
  We recommend that you select the DNS format and manually specify the required FQDNs, separated by
  commas if you need multiple domains. The XMPPAddress format may not be supported by your chosen
  CA.
  Note that the list of required aliases can be viewed (and copy-pasted) from the equivalent
  Generate CSR page on the Expressway-C.
Figure 8: Entering subject alternative names for Unified CM registration domains, XMPP federation domains,
and chat node aliases, on the Expressway-E's CSR generator
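The following Python check is an added example, not part of the Cisco guide: it confirms that every chat node alias entered on the Expressway-C's certificate also appears among the comma-separated DNS-format FQDNs entered for the Expressway-E, and flags entries that are not syntactically valid FQDNs. The function names and sample domains are assumptions constructed for illustration.

```python
import re

# One DNS label: 1-63 chars of letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def parse_san_field(field):
    """Split a comma-separated SAN entry into normalized FQDNs.

    Returns (names, invalid): names is a set of lower-cased FQDNs with any
    trailing dot removed; invalid lists entries that are not valid FQDNs.
    """
    names, invalid = set(), []
    for raw in field.split(","):
        entry = raw.strip()
        name = entry.rstrip(".").lower()
        if not name:
            continue  # tolerate trailing commas and blank entries
        labels = name.split(".")
        if len(name) <= 253 and len(labels) >= 2 and all(
            _LABEL.fullmatch(label) for label in labels
        ):
            names.add(name)
        else:
            invalid.append(entry)
    return names, invalid


def check_chat_node_aliases(exp_c_aliases, exp_e_san_field):
    """Check that the Expressway-E SAN list covers the Expressway-C aliases.

    Extra names on the Expressway-E side are expected (it also carries other
    domains), so only missing aliases and malformed entries are reported.
    """
    required, bad_c = parse_san_field(exp_c_aliases)
    present, bad_e = parse_san_field(exp_e_san_field)
    missing = sorted(required - present)
    invalid = bad_c + bad_e
    return {"missing": missing, "invalid": invalid, "ok": not missing and not invalid}


# Constructed sample values (hypothetical domains, not taken from the guide).
EXP_C = "chatroom1.example.com, chatroom2.example.com, chatroom3.example.com"
EXP_E = "ChatRoom1.example.com,chatroom2.example.com.,chatroom_3.example.com, example.com"

if __name__ == "__main__":
    print(check_chat_node_aliases(EXP_C, EXP_E))
```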
Managing certificate revocation lists (CRLs)
Certificate revocation list (CRL) files are used by the Expressway to validate certificates presented by client
browsers and external systems that communicate with the Expressway over TLS/HTTPS. A CRL identifies
those certificates that have been revoked and can no longer be used to communicate with the Expressway.
We recommend that you upload CRL data for the CAs that sign TLS/HTTPS client and server certificates.
When enabled, CRL checking is applied for every CA in the chain of trust.
CRL sources
The Expressway can obtain CRL information from multiple sources:
- automatic downloads of CRL data from CRL distribution points
- through OCSP (Online Certificate Status Protocol) responder URIs in the certificate to be checked (SIP
  TLS only)
- manual upload of CRL data
- CRL data embedded within the Expressway's Trusted CA certificate file
The following limitations and usage guidelines apply:
Cisco Expressway Administrator Guide (X8.2)