Mailing List Archive

We use Entrust. But I think we had some sort of "Contract" that allowed for a specific number of certs to be issued, all on the credit system. Regardless of SANs.

But, you're right. Cisco collab is an expensive solution to provide certs for.

I'm really hoping that https://www.incommon.org/certificates/subscribe/ opens up to EDUs outside of the U.S. some time (soon).

-----Original Message-----
From: cisco-voip <cisco-voip-bounces@puck.nether.net> On Behalf Of James Andrewartha
Sent: Friday, February 18, 2022 4:28 AM
To: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [EXTERNAL] Re: Cost-Effective Public Certificate Authority for CUCM certificates

CAUTION: This email originated from outside of the University of Guelph. Do not click links or open attachments unless you recognize the sender and know the content is safe. If in doubt, forward suspicious emails to IThelp@uoguelph.ca


Digicert have killed the fact you could issue a cert for host.sub.example.com on your *.example.com wildcard, instead they want to charge you extra for those hosts so now I'm shopping around. The good news is there's now other places that will do wildcards with unlimited reissues (which most call "unlimited server licenses").

I tried Comodo/Sectigo Positive Multi Domain Wildcard SSL which can even have multiple wildcards on the one certificate, but it only accepts CSRs for *.example.com, which UCM/UC/IM&P won't generate. But perhaps that's a limitation of the reseller I used. They also have the Comodo/Sectigo Multi Domain SSL Certificate (FLEX) which lets you have host SANs, but will charge you for each one.

Anyone had success with any other CAs recently?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

On 31/3/20 04:49, Brian Meade wrote:
> In this case, we're doing public certificates internally as well for
> CUCM Tomcat, Unity Connection Tomcat, UCCX Tomcat, and IM&P CUP-XMPP.
>
> Adding the multiple presence domains is pretty easy on the IM&P side
> and it will automatically add SAN's for those domains in the CSR.
>
> Expressway-E will also automatically add all domains to the CSR.
>
> On Mon, Mar 30, 2020 at 4:07 PM Jonatan Quezada
> <jonatan.quezada@chemeketa.edu <mailto:jonatan.quezada@chemeketa.edu>>
> wrote:
>
> Brian, How challenging was it to do the jabber on all three domains?
>
> Where do you need the multiDomain cert, on the VCS-edge connector
> right? Im looking to see what it would take to get this going for
> our remote workers even though it seems
> like there are few things to make sure are in place first.
>
> for so far its the :
>
> certs for dual domain- how
> provision jabber users
>
>
> On Mon, Mar 30, 2020 at 12:28 PM Brian Meade <bmeade90@vt.edu
> <mailto:bmeade90@vt.edu>> wrote:
>
> I was originally going to go with that wildcard option but this
> customer has 3 different presence domains to match their email
> domains which makes the CUP-XMPP cert more complicated.
>
> This is my personal email so no access to InCommon certificates
> unfortunately.
>
> On Mon, Mar 30, 2020 at 2:59 PM Matthew Ballard
> <mballard@otis.edu <mailto:mballard@otis.edu>> wrote:
>
> We used to use DigiCert Wildcard which offers that (where
> you can issue multiple certificates with different private
> keys from the same wildcard cert/purchase).____
>
> __ __
>
> We switched to using InCommon certificates, which it looks
> like your University also subscribes to.  You should be able
> to get them internally from whomever licensed that there, as
> it’s a flat fee service for unlimited certificates.____
>
> __ __
>
> Matthew Ballard____
>
> Director of Technology Infrastructure____
>
> Information Systems____
>
> Otis College of Art and Design____
>
> mballard@otis.edu <mailto:mballard@otis.edu>____
>
> __ __
>
> __ __
>
> __ __
>
> *From:*cisco-voip <cisco-voip-bounces@puck.nether.net
> <mailto:cisco-voip-bounces@puck.nether.net>> *On Behalf Of
> *Brian Meade
> *Sent:* Monday, March 30, 2020 11:42 AM
> *To:* cisco-voip voyp list <cisco-voip@puck.nether.net
> <mailto:cisco-voip@puck.nether.net>>
> *Subject:* [cisco-voip] Cost-Effective Public Certificate
> Authority for CUCM certificates____
>
> __ __
>
> Does anyone know of any public certificate authorities that
> have cheaper multi-server SAN certificate options?  I had
> seen some in the past that let you buy a wildcard and then
> can submit CSR's against that still but having trouble
> finding that now.____
>
> __ __
>
> Trying to avoid buying 4 multi-server certificates to cover
> CUCM Tomcat/Unity Connection Tomcat/UCCX Tomcat/IM&P
> XMPP.____
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net <mailto:cisco-voip@puck.nether.net>
> https://puck.nether.net/mailman/listinfo/cisco-voip
> <https://puck.nether.net/mailman/listinfo/cisco-voip>
>
>
>
> --
> During this time of remote work, There will be the need for
> connectivity to other devices such as a cell phone. If you require
> assistance forwarding your desk phone to a remote cell or message
> phone, please email with desk number and where we are forwarding
> calls. I can do these remotely.
>
> Johnny Q
> Voice Technology Analyst II
> Chemeketa Community College
> Johnny.Q@chemeketa.edu <mailto:Johnny.Q@chemeketa.edu>
> Building 22 Room 130
> Work 5033995294
> Cell 5035769873
> FAX 5033995549
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip

_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

Unfortunately, Cisco doesn't allow for * certs with the UC platform.  If this is for Jabber MRA, they recently added support for ACME certificates, but I haven't used that.  The cheapest CA signed certs I've been able to find is ssls.com and the full set of certs for a typical cluster is going to set you back about $900 a year.  They have a couple of Collaboration packages that you can use for the multiple domains.  Also, they work well enough, but the support for ssls.com is pretty weak, so plan on at least a week to get your certs ordered, approved, and installed.
On Friday, February 18, 2022, 09:39:50 AM PST, Lelio Fulgenzi <lelio@uoguelph.ca> wrote:

We use Entrust. But I think we had some sort of "Contract" that allowed for a specific number of certs to be issued, all on the credit system. Regardless of SANs.

But, you're right. Cisco collab is an expensive solution to provide certs for.

I'm really hoping that https://www.incommon.org/certificates/subscribe/ opens up to EDUs outside of the U.S. some time (soon).

-----Original Message-----
From: cisco-voip <cisco-voip-bounces@puck.nether.net> On Behalf Of James Andrewartha
Sent: Friday, February 18, 2022 4:28 AM
To: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [EXTERNAL] Re: Cost-Effective Public Certificate Authority for CUCM certificates

CAUTION: This email originated from outside of the University of Guelph. Do not click links or open attachments unless you recognize the sender and know the content is safe. If in doubt, forward suspicious emails to IThelp@uoguelph.ca


Digicert have killed the fact you could issue a cert for host.sub.example.com on your *.example.com wildcard, instead they want to charge you extra for those hosts so now I'm shopping around. The good news is there's now other places that will do wildcards with unlimited reissues (which most call "unlimited server licenses").

I tried Comodo/Sectigo Positive Multi Domain Wildcard SSL which can even have multiple wildcards on the one certificate, but it only accepts CSRs for *.example.com, which UCM/UC/IM&P won't generate. But perhaps that's a limitation of the reseller I used. They also have the Comodo/Sectigo Multi Domain SSL Certificate (FLEX) which lets you have host SANs, but will charge you for each one.

Anyone had success with any other CAs recently?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

On 31/3/20 04:49, Brian Meade wrote:
> In this case, we're doing public certificates internally as well for
> CUCM Tomcat, Unity Connection Tomcat, UCCX Tomcat, and IM&P CUP-XMPP.
>
> Adding the multiple presence domains is pretty easy on the IM&P side
> and it will automatically add SAN's for those domains in the CSR.
>
> Expressway-E will also automatically add all domains to the CSR.
>
> On Mon, Mar 30, 2020 at 4:07 PM Jonatan Quezada
> <jonatan.quezada@chemeketa.edu <mailto:jonatan.quezada@chemeketa.edu>>
> wrote:
>
>    Brian, How challenging was it to do the jabber on all three domains?
>
>    Where do you need the multiDomain cert, on the VCS-edge connector
>    right? Im looking to see what it would take to get this going for
>    our remote workers even though it seems
>    like there are few things to make sure are in place first.
>
>    for so far its the :
>
>    certs for dual domain- how
>    provision jabber users
>
>
>    On Mon, Mar 30, 2020 at 12:28 PM Brian Meade <bmeade90@vt.edu
>    <mailto:bmeade90@vt.edu>> wrote:
>
>        I was originally going to go with that wildcard option but this
>        customer has 3 different presence domains to match their email
>        domains which makes the CUP-XMPP cert more complicated.
>
>        This is my personal email so no access to InCommon certificates
>        unfortunately.
>
>        On Mon, Mar 30, 2020 at 2:59 PM Matthew Ballard
>        <mballard@otis.edu <mailto:mballard@otis.edu>> wrote:
>
>            We used to use DigiCert Wildcard which offers that (where
>            you can issue multiple certificates with different private
>            keys from the same wildcard cert/purchase).____
>
>            __ __
>
>            We switched to using InCommon certificates, which it looks
>            like your University also subscribes to.  You should be able
>            to get them internally from whomever licensed that there, as
>            it’s a flat fee service for unlimited certificates.____
>
>            __ __
>
>            Matthew Ballard____
>
>            Director of Technology Infrastructure____
>
>            Information Systems____
>
>            Otis College of Art and Design____
>
>            mballard@otis.edu <mailto:mballard@otis.edu>____
>
>            __ __
>
>            __ __
>
>            __ __
>
>            *From:*cisco-voip <cisco-voip-bounces@puck.nether.net
>            <mailto:cisco-voip-bounces@puck.nether.net>> *On Behalf Of
>            *Brian Meade
>            *Sent:* Monday, March 30, 2020 11:42 AM
>            *To:* cisco-voip voyp list <cisco-voip@puck.nether.net
>            <mailto:cisco-voip@puck.nether.net>>
>            *Subject:* [cisco-voip] Cost-Effective Public Certificate
>            Authority for CUCM certificates____
>
>            __ __
>
>            Does anyone know of any public certificate authorities that
>            have cheaper multi-server SAN certificate options?  I had
>            seen some in the past that let you buy a wildcard and then
>            can submit CSR's against that still but having trouble
>            finding that now.____
>
>            __ __
>
>            Trying to avoid buying 4 multi-server certificates to cover
>            CUCM Tomcat/Unity Connection Tomcat/UCCX Tomcat/IM&P
> XMPP.____
>
>        _______________________________________________
>        cisco-voip mailing list
>        cisco-voip@puck.nether.net <mailto:cisco-voip@puck.nether.net>
>        https://puck.nether.net/mailman/listinfo/cisco-voip
>        <https://puck.nether.net/mailman/listinfo/cisco-voip>
>
>
>
>    --
>    During this time of remote work, There will be the need for
>    connectivity to other devices such as a cell phone. If you require
>    assistance forwarding your desk phone to a remote cell or message
>    phone, please email with desk number and where we are forwarding
>    calls. I can do these remotely.
>
>    Johnny Q
>    Voice Technology Analyst II
>    Chemeketa Community College
>    Johnny.Q@chemeketa.edu <mailto:Johnny.Q@chemeketa.edu>
>    Building 22 Room 130
>    Work 5033995294
>    Cell 5035769873
>    FAX 5033995549
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip

_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

I’ve been thinking about going via ACME for expressway. But I think we will try one more time using CCUC tools, which are supposed to be pretty good.

Sent from my iPhone

On Feb 18, 2022, at 1:11 PM, Nick Russo <russon81@yahoo.com> wrote:

?

CAUTION: This email originated from outside of the University of Guelph. Do not click links or open attachments unless you recognize the sender and know the content is safe. If in doubt, forward suspicious emails to IThelp@uoguelph.ca


Unfortunately, Cisco doesn't allow for * certs with the UC platform. If this is for Jabber MRA, they recently added support for ACME certificates, but I haven't used that. The cheapest CA signed certs I've been able to find is ssls.com and the full set of certs for a typical cluster is going to set you back about $900 a year. They have a couple of Collaboration packages that you can use for the multiple domains. Also, they work well enough, but the support for ssls.com is pretty weak, so plan on at least a week to get your certs ordered, approved, and installed.

On Friday, February 18, 2022, 09:39:50 AM PST, Lelio Fulgenzi <lelio@uoguelph.ca> wrote:


We use Entrust. But I think we had some sort of "Contract" that allowed for a specific number of certs to be issued, all on the credit system. Regardless of SANs.

But, you're right. Cisco collab is an expensive solution to provide certs for.

I'm really hoping that https://www.incommon.org/certificates/subscribe/ opens up to EDUs outside of the U.S. some time (soon).

-----Original Message-----
From: cisco-voip <cisco-voip-bounces@puck.nether.net<mailto:cisco-voip-bounces@puck.nether.net>> On Behalf Of James Andrewartha
Sent: Friday, February 18, 2022 4:28 AM
To: cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>
Subject: Re: [cisco-voip] [EXTERNAL] Re: Cost-Effective Public Certificate Authority for CUCM certificates

CAUTION: This email originated from outside of the University of Guelph. Do not click links or open attachments unless you recognize the sender and know the content is safe. If in doubt, forward suspicious emails to IThelp@uoguelph.ca<mailto:IThelp@uoguelph.ca>


Digicert have killed the fact you could issue a cert for host.sub.example.com on your *.example.com wildcard, instead they want to charge you extra for those hosts so now I'm shopping around. The good news is there's now other places that will do wildcards with unlimited reissues (which most call "unlimited server licenses").

I tried Comodo/Sectigo Positive Multi Domain Wildcard SSL which can even have multiple wildcards on the one certificate, but it only accepts CSRs for *.example.com, which UCM/UC/IM&P won't generate. But perhaps that's a limitation of the reseller I used. They also have the Comodo/Sectigo Multi Domain SSL Certificate (FLEX) which lets you have host SANs, but will charge you for each one.

Anyone had success with any other CAs recently?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

On 31/3/20 04:49, Brian Meade wrote:
> In this case, we're doing public certificates internally as well for
> CUCM Tomcat, Unity Connection Tomcat, UCCX Tomcat, and IM&P CUP-XMPP.
>
> Adding the multiple presence domains is pretty easy on the IM&P side
> and it will automatically add SAN's for those domains in the CSR.
>
> Expressway-E will also automatically add all domains to the CSR.
>
> On Mon, Mar 30, 2020 at 4:07 PM Jonatan Quezada
> <jonatan.quezada@chemeketa.edu<mailto:jonatan.quezada@chemeketa.edu> <mailto:jonatan.quezada@chemeketa.edu<mailto:jonatan.quezada@chemeketa.edu>>>
> wrote:
>
> Brian, How challenging was it to do the jabber on all three domains?
>
> Where do you need the multiDomain cert, on the VCS-edge connector
> right? Im looking to see what it would take to get this going for
> our remote workers even though it seems
> like there are few things to make sure are in place first.
>
> for so far its the :
>
> certs for dual domain- how
> provision jabber users
>
>
> On Mon, Mar 30, 2020 at 12:28 PM Brian Meade <bmeade90@vt.edu<mailto:bmeade90@vt.edu>
> <mailto:bmeade90@vt.edu<mailto:bmeade90@vt.edu>>> wrote:
>
> I was originally going to go with that wildcard option but this
> customer has 3 different presence domains to match their email
> domains which makes the CUP-XMPP cert more complicated.
>
> This is my personal email so no access to InCommon certificates
> unfortunately.
>
> On Mon, Mar 30, 2020 at 2:59 PM Matthew Ballard
> <mballard@otis.edu<mailto:mballard@otis.edu> <mailto:mballard@otis.edu<mailto:mballard@otis.edu>>> wrote:
>
> We used to use DigiCert Wildcard which offers that (where
> you can issue multiple certificates with different private
> keys from the same wildcard cert/purchase).____
>
> __ __
>
> We switched to using InCommon certificates, which it looks
> like your University also subscribes to. You should be able
> to get them internally from whomever licensed that there, as
> it’s a flat fee service for unlimited certificates.____
>
> __ __
>
> Matthew Ballard____
>
> Director of Technology Infrastructure____
>
> Information Systems____
>
> Otis College of Art and Design____
>
> mballard@otis.edu<mailto:mballard@otis.edu> <mailto:mballard@otis.edu<mailto:mballard@otis.edu>>____
>
> __ __
>
> __ __
>
> __ __
>
> *From:*cisco-voip <cisco-voip-bounces@puck.nether.net<mailto:cisco-voip-bounces@puck.nether.net>
> <mailto:cisco-voip-bounces@puck.nether.net<mailto:cisco-voip-bounces@puck.nether.net>>> *On Behalf Of
> *Brian Meade
> *Sent:* Monday, March 30, 2020 11:42 AM
> *To:* cisco-voip voyp list <cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>
> <mailto:cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>>>
> *Subject:* [cisco-voip] Cost-Effective Public Certificate
> Authority for CUCM certificates____
>
> __ __
>
> Does anyone know of any public certificate authorities that
> have cheaper multi-server SAN certificate options? I had
> seen some in the past that let you buy a wildcard and then
> can submit CSR's against that still but having trouble
> finding that now.____
>
> __ __
>
> Trying to avoid buying 4 multi-server certificates to cover
> CUCM Tomcat/Unity Connection Tomcat/UCCX Tomcat/IM&P
> XMPP.____
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net> <mailto:cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>>
> https://puck.nether.net/mailman/listinfo/cisco-voip
> <https://puck.nether.net/mailman/listinfo/cisco-voip>
>
>
>
> --
> During this time of remote work, There will be the need for
> connectivity to other devices such as a cell phone. If you require
> assistance forwarding your desk phone to a remote cell or message
> phone, please email with desk number and where we are forwarding
> calls. I can do these remotely.
>
> Johnny Q
> Voice Technology Analyst II
> Chemeketa Community College
> Johnny.Q@chemeketa.edu<mailto:Johnny.Q@chemeketa.edu> <mailto:Johnny.Q@chemeketa.edu<mailto:Johnny.Q@chemeketa.edu>>
> Building 22 Room 130
> Work 5033995294
> Cell 5035769873
> FAX 5033995549

>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>
> https://puck.nether.net/mailman/listinfo/cisco-voip

_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip

We've been flipping a lot of customers over to NameCheap now. $50/year for
multi-SAN DV certificates is pretty hard to beat. For
CUCM/Unity/IM&P/UCCX/Expressway, ends up more like $250-$300/year.

They seem to issue certs pretty immediately since it's just Domain
Verification using email.

On Fri, Feb 18, 2022 at 1:17 PM Nick Russo via cisco-voip <
cisco-voip@puck.nether.net> wrote:

> Unfortunately, Cisco doesn't allow for * certs with the UC platform. If
> this is for Jabber MRA, they recently added support for ACME certificates,
> but I haven't used that. The cheapest CA signed certs I've been able to
> find is ssls.com and the full set of certs for a typical cluster is going
> to set you back about $900 a year. They have a couple of Collaboration
> packages that you can use for the multiple domains. Also, they work well
> enough, but the support for ssls.com is pretty weak, so plan on at least
> a week to get your certs ordered, approved, and installed.
>
> On Friday, February 18, 2022, 09:39:50 AM PST, Lelio Fulgenzi <
> lelio@uoguelph.ca> wrote:
>
>
> We use Entrust. But I think we had some sort of "Contract" that allowed
> for a specific number of certs to be issued, all on the credit system.
> Regardless of SANs.
>
> But, you're right. Cisco collab is an expensive solution to provide certs
> for.
>
> I'm really hoping that https://www.incommon.org/certificates/subscribe/ opens
> up to EDUs outside of the U.S. some time (soon).
>
> -----Original Message-----
> From: cisco-voip <cisco-voip-bounces@puck.nether.net> On Behalf Of James
> Andrewartha
> Sent: Friday, February 18, 2022 4:28 AM
> To: cisco-voip@puck.nether.net
> Subject: Re: [cisco-voip] [EXTERNAL] Re: Cost-Effective Public Certificate
> Authority for CUCM certificates
>
> CAUTION: This email originated from outside of the University of Guelph.
> Do not click links or open attachments unless you recognize the sender and
> know the content is safe. If in doubt, forward suspicious emails to
> IThelp@uoguelph.ca
>
>
> Digicert have killed the fact you could issue a cert for
> host.sub.example.com on your *.example.com wildcard, instead they want to
> charge you extra for those hosts so now I'm shopping around. The good news
> is there's now other places that will do wildcards with unlimited reissues
> (which most call "unlimited server licenses").
>
> I tried Comodo/Sectigo Positive Multi Domain Wildcard SSL which can even
> have multiple wildcards on the one certificate, but it only accepts CSRs
> for *.example.com, which UCM/UC/IM&P won't generate. But perhaps that's a
> limitation of the reseller I used. They also have the Comodo/Sectigo Multi
> Domain SSL Certificate (FLEX) which lets you have host SANs, but will
> charge you for each one.
>
> Anyone had success with any other CAs recently?
>
> --
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
>
> On 31/3/20 04:49, Brian Meade wrote:
> > In this case, we're doing public certificates internally as well for
> > CUCM Tomcat, Unity Connection Tomcat, UCCX Tomcat, and IM&P CUP-XMPP.
> >
> > Adding the multiple presence domains is pretty easy on the IM&P side
> > and it will automatically add SAN's for those domains in the CSR.
> >
> > Expressway-E will also automatically add all domains to the CSR.
> >
> > On Mon, Mar 30, 2020 at 4:07 PM Jonatan Quezada
> > <jonatan.quezada@chemeketa.edu <mailto:jonatan.quezada@chemeketa.edu>>
> > wrote:
> >
> > Brian, How challenging was it to do the jabber on all three domains?
> >
> > Where do you need the multiDomain cert, on the VCS-edge connector
> > right? Im looking to see what it would take to get this going for
> > our remote workers even though it seems
> > like there are few things to make sure are in place first.
> >
> > for so far its the :
> >
> > certs for dual domain- how
> > provision jabber users
> >
> >
> > On Mon, Mar 30, 2020 at 12:28 PM Brian Meade <bmeade90@vt.edu
> > <mailto:bmeade90@vt.edu>> wrote:
> >
> > I was originally going to go with that wildcard option but this
> > customer has 3 different presence domains to match their email
> > domains which makes the CUP-XMPP cert more complicated.
> >
> > This is my personal email so no access to InCommon certificates
> > unfortunately.
> >
> > On Mon, Mar 30, 2020 at 2:59 PM Matthew Ballard
> > <mballard@otis.edu <mailto:mballard@otis.edu>> wrote:
> >
> > We used to use DigiCert Wildcard which offers that (where
> > you can issue multiple certificates with different private
> > keys from the same wildcard cert/purchase).____
> >
> > __ __
> >
> > We switched to using InCommon certificates, which it looks
> > like your University also subscribes to. You should be able
> > to get them internally from whomever licensed that there, as
> > it’s a flat fee service for unlimited certificates.____
> >
> > __ __
> >
> > Matthew Ballard____
> >
> > Director of Technology Infrastructure____
> >
> > Information Systems____
> >
> > Otis College of Art and Design____
> >
> > mballard@otis.edu <mailto:mballard@otis.edu>____
> >
> > __ __
> >
> > __ __
> >
> > __ __
> >
> > *From:*cisco-voip <cisco-voip-bounces@puck.nether.net
> > <mailto:cisco-voip-bounces@puck.nether.net>> *On Behalf Of
> > *Brian Meade
> > *Sent:* Monday, March 30, 2020 11:42 AM
> > *To:* cisco-voip voyp list <cisco-voip@puck.nether.net
> > <mailto:cisco-voip@puck.nether.net>>
> > *Subject:* [cisco-voip] Cost-Effective Public Certificate
> > Authority for CUCM certificates____
> >
> > __ __
> >
> > Does anyone know of any public certificate authorities that
> > have cheaper multi-server SAN certificate options? I had
> > seen some in the past that let you buy a wildcard and then
> > can submit CSR's against that still but having trouble
> > finding that now.____
> >
> > __ __
> >
> > Trying to avoid buying 4 multi-server certificates to cover
> > CUCM Tomcat/Unity Connection Tomcat/UCCX Tomcat/IM&P
> > XMPP.____
> >
> > _______________________________________________
> > cisco-voip mailing list
> > cisco-voip@puck.nether.net <mailto:cisco-voip@puck.nether.net>
> > https://puck.nether.net/mailman/listinfo/cisco-voip
> > <https://puck.nether.net/mailman/listinfo/cisco-voip>
> >
> >
> >
> > --
> > During this time of remote work, There will be the need for
> > connectivity to other devices such as a cell phone. If you require
> > assistance forwarding your desk phone to a remote cell or message
> > phone, please email with desk number and where we are forwarding
> > calls. I can do these remotely.
> >
> > Johnny Q
> > Voice Technology Analyst II
> > Chemeketa Community College
> > Johnny.Q@chemeketa.edu <mailto:Johnny.Q@chemeketa.edu>
> > Building 22 Room 130
> > Work 5033995294
> > Cell 5035769873
> > FAX 5033995549
>
> >
> >
> > _______________________________________________
> > cisco-voip mailing list
> > cisco-voip@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-voip
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>

My biggest concern is not signing a long term contract with one provider so that cert renewals are an easy button push and no loss of cert time.

We’ve been changing providers too often in my opinion. :(

Sent from my iPhone

On Feb 21, 2022, at 4:09 PM, Brian Meade <bmeade90@vt.edu> wrote:

?

CAUTION: This email originated from outside of the University of Guelph. Do not click links or open attachments unless you recognize the sender and know the content is safe. If in doubt, forward suspicious emails to IThelp@uoguelph.ca


We've been flipping a lot of customers over to NameCheap now. $50/year for multi-SAN DV certificates is pretty hard to beat. For CUCM/Unity/IM&P/UCCX/Expressway, ends up more like $250-$300/year.

They seem to issue certs pretty immediately since it's just Domain Verification using email.

On Fri, Feb 18, 2022 at 1:17 PM Nick Russo via cisco-voip <cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>> wrote:
Unfortunately, Cisco doesn't allow for * certs with the UC platform. If this is for Jabber MRA, they recently added support for ACME certificates, but I haven't used that. The cheapest CA signed certs I've been able to find is ssls.com<http://ssls.com> and the full set of certs for a typical cluster is going to set you back about $900 a year. They have a couple of Collaboration packages that you can use for the multiple domains. Also, they work well enough, but the support for ssls.com<http://ssls.com> is pretty weak, so plan on at least a week to get your certs ordered, approved, and installed.

On Friday, February 18, 2022, 09:39:50 AM PST, Lelio Fulgenzi <lelio@uoguelph.ca<mailto:lelio@uoguelph.ca>> wrote:


We use Entrust. But I think we had some sort of "Contract" that allowed for a specific number of certs to be issued, all on the credit system. Regardless of SANs.

But, you're right. Cisco collab is an expensive solution to provide certs for.

I'm really hoping that https://www.incommon.org/certificates/subscribe/ opens up to EDUs outside of the U.S. some time (soon).

-----Original Message-----
From: cisco-voip <cisco-voip-bounces@puck.nether.net<mailto:cisco-voip-bounces@puck.nether.net>> On Behalf Of James Andrewartha
Sent: Friday, February 18, 2022 4:28 AM
To: cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>
Subject: Re: [cisco-voip] [EXTERNAL] Re: Cost-Effective Public Certificate Authority for CUCM certificates

CAUTION: This email originated from outside of the University of Guelph. Do not click links or open attachments unless you recognize the sender and know the content is safe. If in doubt, forward suspicious emails to IThelp@uoguelph.ca<mailto:IThelp@uoguelph.ca>


Digicert have killed the fact you could issue a cert for host.sub.example.com<http://host.sub.example.com> on your *.example.com<http://example.com> wildcard, instead they want to charge you extra for those hosts so now I'm shopping around. The good news is there's now other places that will do wildcards with unlimited reissues (which most call "unlimited server licenses").

I tried Comodo/Sectigo Positive Multi Domain Wildcard SSL which can even have multiple wildcards on the one certificate, but it only accepts CSRs for *.example.com<http://example.com>, which UCM/UC/IM&P won't generate. But perhaps that's a limitation of the reseller I used. They also have the Comodo/Sectigo Multi Domain SSL Certificate (FLEX) which lets you have host SANs, but will charge you for each one.

Anyone had success with any other CAs recently?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

On 31/3/20 04:49, Brian Meade wrote:
> In this case, we're doing public certificates internally as well for
> CUCM Tomcat, Unity Connection Tomcat, UCCX Tomcat, and IM&P CUP-XMPP.
>
> Adding the multiple presence domains is pretty easy on the IM&P side
> and it will automatically add SAN's for those domains in the CSR.
>
> Expressway-E will also automatically add all domains to the CSR.
>
> On Mon, Mar 30, 2020 at 4:07 PM Jonatan Quezada
> <jonatan.quezada@chemeketa.edu<mailto:jonatan.quezada@chemeketa.edu> <mailto:jonatan.quezada@chemeketa.edu<mailto:jonatan.quezada@chemeketa.edu>>>
> wrote:
>
> Brian, How challenging was it to do the jabber on all three domains?
>
> Where do you need the multiDomain cert, on the VCS-edge connector
> right? Im looking to see what it would take to get this going for
> our remote workers even though it seems
> like there are few things to make sure are in place first.
>
> for so far its the :
>
> certs for dual domain- how
> provision jabber users
>
>
> On Mon, Mar 30, 2020 at 12:28 PM Brian Meade <bmeade90@vt.edu<mailto:bmeade90@vt.edu>
> <mailto:bmeade90@vt.edu<mailto:bmeade90@vt.edu>>> wrote:
>
> I was originally going to go with that wildcard option but this
> customer has 3 different presence domains to match their email
> domains which makes the CUP-XMPP cert more complicated.
>
> This is my personal email so no access to InCommon certificates
> unfortunately.
>
> On Mon, Mar 30, 2020 at 2:59 PM Matthew Ballard
> <mballard@otis.edu<mailto:mballard@otis.edu> <mailto:mballard@otis.edu<mailto:mballard@otis.edu>>> wrote:
>
> We used to use DigiCert Wildcard which offers that (where
> you can issue multiple certificates with different private
> keys from the same wildcard cert/purchase).____
>
> __ __
>
> We switched to using InCommon certificates, which it looks
> like your University also subscribes to. You should be able
> to get them internally from whomever licensed that there, as
> it’s a flat fee service for unlimited certificates.____
>
> __ __
>
> Matthew Ballard____
>
> Director of Technology Infrastructure____
>
> Information Systems____
>
> Otis College of Art and Design____
>
> mballard@otis.edu<mailto:mballard@otis.edu> <mailto:mballard@otis.edu<mailto:mballard@otis.edu>>____
>
> __ __
>
> __ __
>
> __ __
>
> *From:*cisco-voip <cisco-voip-bounces@puck.nether.net<mailto:cisco-voip-bounces@puck.nether.net>
> <mailto:cisco-voip-bounces@puck.nether.net<mailto:cisco-voip-bounces@puck.nether.net>>> *On Behalf Of
> *Brian Meade
> *Sent:* Monday, March 30, 2020 11:42 AM
> *To:* cisco-voip voyp list <cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>
> <mailto:cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>>>
> *Subject:* [cisco-voip] Cost-Effective Public Certificate
> Authority for CUCM certificates____
>
> __ __
>
> Does anyone know of any public certificate authorities that
> have cheaper multi-server SAN certificate options? I had
> seen some in the past that let you buy a wildcard and then
> can submit CSR's against that still but having trouble
> finding that now.____
>
> __ __
>
> Trying to avoid buying 4 multi-server certificates to cover
> CUCM Tomcat/Unity Connection Tomcat/UCCX Tomcat/IM&P
> XMPP.____
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net> <mailto:cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>>
> https://puck.nether.net/mailman/listinfo/cisco-voip
> <https://puck.nether.net/mailman/listinfo/cisco-voip>
>
>
>
> --
> During this time of remote work, There will be the need for
> connectivity to other devices such as a cell phone. If you require
> assistance forwarding your desk phone to a remote cell or message
> phone, please email with desk number and where we are forwarding
> calls. I can do these remotely.
>
> Johnny Q
> Voice Technology Analyst II
> Chemeketa Community College
> Johnny.Q@chemeketa.edu<mailto:Johnny.Q@chemeketa.edu> <mailto:Johnny.Q@chemeketa.edu<mailto:Johnny.Q@chemeketa.edu>>
> Building 22 Room 130
> Work 5033995294
> Cell 5035769873
> FAX 5033995549

>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>
> https://puck.nether.net/mailman/listinfo/cisco-voip

_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip