Cisco Cisco Expressway
Communications Manager and by default they are self-signed and have the same common name (CN).
We recommend using externally-signed certificates for best end-to-end security between external endpoints and internal
endpoints. However, if you do use self-signed certificates, the two certificates must have different common names. This is
because the Expressway does not allow two self-signed certificates with the same CN. If the
endpoints. However, if you do use self-signed certificates, the two certificates must have different common names. This is
because the Expressway does not allow two self-signed certificates with the same CN. If the
CallManager and tomcat
self-signed certs have the same CN in the Expressway's trusted CA list, then it can only trust one of them. This means
that either secure HTTP or secure SIP, between Expressway-C and Cisco Unified Communications Manager, will fail.
that either secure HTTP or secure SIP, between Expressway-C and Cisco Unified Communications Manager, will fail.
Also, when generating
tomcat certificate signing requests for any products within the Cisco Collaboration Systems
. You need to work around this issue to ensure that the FQDNs of
the nodes are in the certificates as Subject Alternative Names. The
Expressway X8.5.2 Release Notes have the details of
the workarounds.
Expressway Certificates
The Expressway certificate signing request (CSR) tool prompts for and incorporates the relevant subject alternate name
(SAN) entries as appropriate for the Unified Communications features that are supported on that Expressway.
(SAN) entries as appropriate for the Unified Communications features that are supported on that Expressway.
The following table shows which CSR alternative name elements apply to which Unified Communications features:
CSR SAN element
Mobile and remote access
Jabber Guest
XMPP federation
Unified CM registrations domains
ü
(Expressway-E only)
X
X
XMPP federation domains
X
X
ü
(Expressway-E only)
IM and Presence chat node aliases
(federated group chat)
(federated group chat)
X
X
ü
Unified CM phone security profile names
ü
(Expressway-C only)
X
X
Note:
■
A new Expressway-C certificate may need to be produced for the Expressway-C if chat node aliases are added
or renamed, such as when an IM and Presence node is added or renamed, or if new TLS phone security profiles
are added.
or renamed, such as when an IM and Presence node is added or renamed, or if new TLS phone security profiles
are added.
■
A new Expressway-E certificate must be produced if new chat node aliases are added to the system, or if the
Unified CM or XMPP federation domains are modified.
Unified CM or XMPP federation domains are modified.
■
You must restart the Expressway for any new uploaded server certificate to take effect.
More details about the individual feature requirements per Expressway-C / Expressway-E are described below.
Expressway-C server certificate requirements
The Expressway-C server certificate needs to include the following elements in its list of subject alternate names:
■
Unified CM phone security profile names: the names of the Phone Security Profiles in Unified CM that are
configured for encrypted TLS and are used for devices requiring remote access. Use the FQDN format and
separate multiple entries with commas.
configured for encrypted TLS and are used for devices requiring remote access. Use the FQDN format and
separate multiple entries with commas.
Having the secure phone profiles as alternative names means that Unified CM can communicate via TLS with the
Expressway-C when it is forwarding messages from devices that use those profiles.
Expressway-C when it is forwarding messages from devices that use those profiles.
6
Cisco Expressway Certificate Creation and Use Deployment Guide