Cisco Cisco Expressway
2. Install on both Expressways the trusted Certificate Authority (CA) certificates of the authority that signed
the Expressway's server certificates, and, if appropriate, the authority that signed the endpoints'
certificates. The Expressway-C must also trust the Unified CM and IM&P tomcat certificate.
To upload trusted Certificate Authority (CA) certificates to the Expressway, go to
certificates. The Expressway-C must also trust the Unified CM and IM&P tomcat certificate.
To upload trusted Certificate Authority (CA) certificates to the Expressway, go to
Maintenance >
Security certificates > Trusted CA certificate
. You must restart the Expressway for the new trusted
CA certificate to take effect.
Expressway-C server certificate requirements
The Expressway-C server certificate needs to include the following elements in its list of subject alternate
names:
names:
n
The Chat Node Aliases that are configured on the IM and Presence servers. These are required only for
Unified Communications XMPP federation deployments that intend to use both TLS and group chat. (Note
that Unified Communications XMPP federation will be supported in a future Expressway release).
The Expressway-C automatically includes the chat node aliases in the CSR, providing it has discovered a
set of IM&P servers.
Unified Communications XMPP federation deployments that intend to use both TLS and group chat. (Note
that Unified Communications XMPP federation will be supported in a future Expressway release).
The Expressway-C automatically includes the chat node aliases in the CSR, providing it has discovered a
set of IM&P servers.
n
The names, in FQDN format, of all of the Phone Security Profiles in Unified CM that are configured for
encrypted TLS and are used for devices requiring remote access. This ensures that Unified CM can
communicate with Expressway-C via a TLS connection when it is forwarding messages from devices that
are configured with those security profiles.
encrypted TLS and are used for devices requiring remote access. This ensures that Unified CM can
communicate with Expressway-C via a TLS connection when it is forwarding messages from devices that
are configured with those security profiles.
A new certificate may need to be produced if chat node aliases are added or renamed, such as when an IM
and Presence node is added or renamed, or if new TLS phone security profiles are added. You must restart
the Expressway-C for any new uploaded server certificate to take effect.
and Presence node is added or renamed, or if new TLS phone security profiles are added. You must restart
the Expressway-C for any new uploaded server certificate to take effect.
Expressway-E server certificate requirements
The Expressway-E server certificate needs to include the following elements in its list of subject alternate
names:
names:
n
All of the domains which have been configured for Unified Communications. They are required for secure
communications between endpoint devices and Expressway-E.
This should include the email address domain entered by users of the client application (e.g. Jabber) and
any presence domains (as configured on the Expressway-C) if they are different. There is no need to
include the domains in DNS-SEC deployments.
communications between endpoint devices and Expressway-E.
This should include the email address domain entered by users of the client application (e.g. Jabber) and
any presence domains (as configured on the Expressway-C) if they are different. There is no need to
include the domains in DNS-SEC deployments.
n
The same set of Chat Node Aliases as entered on the Expressway-C's certificate, if you are deploying
federated XMPP.
Note that the list of required aliases can be viewed (and copy-pasted) from the equivalent
federated XMPP.
Note that the list of required aliases can be viewed (and copy-pasted) from the equivalent
Generate CSR
page on the Expressway-C.
A new certificate must be produced if new presence domains or chat node aliases are added to the system.
You must restart the Expressway-E for any new uploaded server certificate to take effect.
You must restart the Expressway-E for any new uploaded server certificate to take effect.
create and upload the Expressway’s server certificate and how to upload a list of trusted certificate
authorities.
authorities.
Unified Communications: Mobile and Remote Access via Cisco Expressway Deployment Guide (X8.1.1)
Page 19 of 36
Configuring mobile and remote access on Expressway