Cisco Cisco Expressway Maintenance Manual
■
IM and Presence chat node aliases (federated group chat): the same set of Chat Node Aliases as entered
on the Expressway-C's certificate. They are only required for voice and presence deployments which will
support group chat over TLS with federated contacts.
on the Expressway-C's certificate. They are only required for voice and presence deployments which will
support group chat over TLS with federated contacts.
Select the DNS format and manually specify the required FQDNs. Separate the FQDNs by commas if you need
multiple domains. Do not use the XMPPAddress format as it may not be supported by your CA, and may be
discontinued in future versions of the Expressway software.
multiple domains. Do not use the XMPPAddress format as it may not be supported by your CA, and may be
discontinued in future versions of the Expressway software.
Note that you can copy the list of chat node aliases from the equivalent Generate CSR page on the
Expressway-C.
Expressway-C.
Figure 12 Entering subject alternative names for Unified CM registration domains, XMPP federation
domains, and chat node aliases, on the Expressway-E's CSR generator
domains, and chat node aliases, on the Expressway-E's CSR generator
Managing Certificate Revocation Lists (CRLs)
Certificate revocation list (CRL) files are used by the Expressway to validate certificates presented by client browsers
and external systems that communicate with the Expressway over TLS/HTTPS. A CRL identifies those certificates
that have been revoked and can no longer be used to communicate with the Expressway.
and external systems that communicate with the Expressway over TLS/HTTPS. A CRL identifies those certificates
that have been revoked and can no longer be used to communicate with the Expressway.
We recommend that you upload CRL data for the CAs that sign TLS/HTTPS client and server certificates. When
enabled, CRL checking is applied for every CA in the chain of trust.
enabled, CRL checking is applied for every CA in the chain of trust.
Certificate Revocation Sources
The Expressway can obtain certificate revocation information from multiple sources:
■
automatic downloads of CRL data from CRL distribution points
■
through OCSP (Online Certificate Status Protocol) responder URIs in the certificate to be checked (SIP TLS
only)
only)
■
manual upload of CRL data
■
CRL data embedded within the Expressway's Trusted CA certificate file
The following limitations and usage guidelines apply:
■
when establishing SIP TLS connections, the CRL data sources are subject to the Certificate revocation
checking settings on the SIP configuration page
checking settings on the SIP configuration page
■
automatically downloaded CRL files override any manually loaded CRL files (except for when verifying SIP TLS
connections, when both manually uploaded or automatically downloaded CRL data may be used)
connections, when both manually uploaded or automatically downloaded CRL data may be used)
■
when validating certificates presented by external policy servers, the Expressway uses manually loaded CRLs
only
only
■
when validating TLS connections with an LDAP server for remote login account authentication, the
Expressway uses CRL data within the Trusted CA certificate only
Expressway uses CRL data within the Trusted CA certificate only
193
Cisco Expressway Administrator Guide