Mailing List Archive

Re: [External] Re: certificate renewals - 1 year only - due to Apple changes
Is it possible to install a cert via API? If that works, we can do this
from an admin machine, whether or not the Cisco service (for instance CUCM)
supports it.

--
Hunter Fuller
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Wed, Mar 4, 2020 at 12:46 PM Lelio Fulgenzi <lelio@uoguelph.ca> wrote:

> Unfortunately, I can’t justify a telephone system upgrade for the sake of
> auto-renewal of certificates.
>
>
>
> CUCM v11.5 has yet to be announced EOL. (Please Please Please don’t happen
> tomorrow).
>
>
>
> This means we’ve got at least 5 more years to plan accordingly.
>
>
>
> Will they issue an SU to support Let’s Encrypt? Let’s hope so!
>
>
>
>
>
> *From:* Norton, Mike <mikenorton@pwsd76.ab.ca>
> *Sent:* Wednesday, March 4, 2020 1:38 PM
> *To:* Lelio Fulgenzi <lelio@uoguelph.ca>; voyp list, cisco-voip (
> cisco-voip@puck.nether.net) <cisco-voip@puck.nether.net>
> *Subject:* RE: certificate renewals - 1 year only - due to Apple changes
>
>
>
> If two years from now, a product that needs public certificates still
> doesn’t support automated renewals, then it’s a terrible product you should
> have migrated away from two years earlier. The writing has been on the wall
> for a long time. But even for developers who’ve had their heads in sand,
> two years is still plenty of time for them to get a clue. ;-)
>
> -mn
>
>
>
> *From:* cisco-voip <cisco-voip-bounces@puck.nether.net> *On Behalf Of *Lelio
> Fulgenzi
> *Sent:* March 4, 2020 10:52 AM
> *To:* voyp list, cisco-voip (cisco-voip@puck.nether.net) <
> cisco-voip@puck.nether.net>
> *Subject:* [cisco-voip] certificate renewals - 1 year only - due to Apple
> changes
>
>
>
>
>
> So, we’ve gotten word that Apple is thinking of “accepting/trusting” only
> certs that are 13 months old or less.
>
>
>
> https://www.theregister.co.uk/2020/02/20/apple_shorter_cert_lifetime/
>
>
>
> This is a bit of a drag on Jabber deployments due to so many certs being
> needed.
>
>
>
> From what I’ve seen, only Expressway supports auto-renew like Let’s
> Encrypt.
>
>
>
> From the article, it seems:
>
>
>
> "Certificates issued prior to September 1 will have the same acceptable
> duration as certificates do today, which is 825 days. No action is required
> for these certificates."
>
>
>
> I’m guessing if it says Safari, it’s any cert used by an Apple device,
> since the Safari engine is used throughout, right?
>
>
>
> We’re planning on renewing soon, so we should be good to go with 2 years.
>
>
>
> But the future?
>
>
>
> What are others planning on doing?
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
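The lifetime rule discussed in this thread, as an added example (not code from any poster): it parses `openssl x509 -noout -dates` output for an inventory of hosts and flags certificates whose validity exceeds the limit that applies to their issue date. The 2020 cutoff year, the reading of "13 months" as 398 days, and the host names and dates are assumptions; the thread itself gives only "September 1" and 825 days.

```python
from datetime import datetime, timedelta, timezone

# Assumptions, not stated in the thread: cutoff year 2020, and "13 months"
# taken as 398 days. The thread itself gives "September 1" and 825 days.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
LIMIT_BEFORE = timedelta(days=825)
LIMIT_AFTER = timedelta(days=398)

def parse_openssl_dates(text):
    """Parse the notBefore=/notAfter= lines from `openssl x509 -noout -dates`."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        stamp = " ".join(value.split())  # openssl pads single-digit days with two spaces
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
        fields[key.strip()] = parsed.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]

def check_lifetime(not_before, not_after):
    """Return (validity_days, limit_days, accepted) for one certificate."""
    # The limit depends on when the certificate was issued, not on today's date.
    limit = LIMIT_AFTER if not_before >= CUTOFF else LIMIT_BEFORE
    validity = not_after - not_before
    return validity.days, limit.days, validity <= limit

def audit(inventory):
    """Map each host to its check result; inventory is {host: openssl dates text}."""
    return {host: check_lifetime(*parse_openssl_dates(dates))
            for host, dates in inventory.items()}

# Constructed sample inventory (hypothetical hosts and dates).
SAMPLE = {
    "cucm-pub.example.com":
        "notBefore=Mar 10 00:00:00 2020 GMT\nnotAfter=Mar 10 00:00:00 2022 GMT",
    "expressway-e.example.com":
        "notBefore=Oct  1 00:00:00 2020 GMT\nnotAfter=Oct  1 00:00:00 2022 GMT",
    "imp.example.com":
        "notBefore=Oct  1 00:00:00 2020 GMT\nnotAfter=Oct 31 00:00:00 2021 GMT",
}

if __name__ == "__main__":
    for host, (days, limit, ok) in audit(SAMPLE).items():
        print(f"{host}: {days} days (limit {limit}) -> {'ok' if ok else 'REJECTED'}")
```

The same two-year certificate passes when issued before the cutoff and fails when issued after it, which is why renewing before September 1 buys one more long cycle but not a second.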
Re: [External] Re: certificate renewals - 1 year only - due to Apple changes
I think CSR 14 is supposed to deal with simplicity of certificate operations

Matthew Loraditch
Sr. Network Engineer
p: 443.541.1518
w: www.heliontechnologies.com | e: MLoraditch@heliontechnologies.com
Re: [External] Re: certificate renewals - 1 year only - due to Apple changes
Good point, I have been doing that lately to use Let’s Encrypt for some (non-Cisco) appliances via their management APIs.

As the big commercial CAs start to get more into automated deployment, I imagine the ones that already offer installation utilities will start to include integrations for various popular external boxes into their utilities. They will have to start doing more value-add type of stuff like that if they want to remain of value in the face of free alternatives.

-mn

Re: [External] Re: certificate renewals - 1 year only - due to Apple changes
Not that I have seen, but you could just pre-API the shit out of it with
Python + Paramiko because the CLI has all the cert functions built-in.

On Wed, Mar 4, 2020 at 12:58 PM Hunter Fuller <hf0002@uah.edu> wrote:

> Is it possible to install a cert via API? If that works, we can do this
> from an admin machine, whether or not the Cisco service (for instance CUCM)
> supports it.