Mailing List Archive

Re: [External] Re: expressway E GoDaddy certificate
Since I just love being contrarian, we are running the same cert on
both Expressway-E. It is not GoDaddy though. But feel free to take a
look at how this works. Our expe are vbhexpe.voip.uah.edu and
libexpe.voip.uah.edu and I've also attached the cert to this email.

--
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Tue, Aug 2, 2022 at 9:06 AM Lelio Fulgenzi <lelio@uoguelph.ca> wrote:
>
> We’ve always been wary of wildcard and multi-SAN certs that preclude a certificate for each server. In our case, we have got a multi-SAN cert for each Expressway E (and C for that matter) which includes the server as the primary host, and the peer, cluster name and domain as a SAN.
>
>
>
> I’m lucky that our cert team has got a contract with good inventory, so, a couple of extra multi-SAN certs isn’t a big deal for us.
>
>
>
> At some point, we may consider moving the Expressways to Let’s Encrypt. It’s the only Cisco collab platform that supports it for now.
>
>
>
>
>
> From: cisco-voip <cisco-voip-bounces@puck.nether.net> On Behalf Of Shaihan Jaffrey
> Sent: Tuesday, August 2, 2022 4:21 AM
> To: Cisco VOIP <cisco-voip@puck.nether.net>
> Subject: [cisco-voip] expressway E GoDaddy certificate
>
>
>
> CAUTION: This email originated from outside of the University of Guelph. Do not click links or open attachments unless you recognize the sender and know the content is safe. If in doubt, forward suspicious emails to IThelp@uoguelph.ca
>
>
>
> What is the process to renew the public certificate on Expressway E through GoDaddy?
>
> Is one certificate sufficient for primary and secondary exp-e?
>
>
>
> Do we have to get certificates based on FQDN?
>
>
>
> Regards
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
Re: [External] Re: expressway E GoDaddy certificate
Same.

We have a multi-SAN certificate for our Expressway-E cluster from Entrust. You have to create the CSR on the first node in the cluster, install the certificate and then copy the private key via SCP. You then load the private key and certificate into the 2nd server.

To get the private key, log in to the server that has the installed certificate via SCP as root.

The file is privkey.pem in /tandberg/persistent/certs/



-----Original Message-----
From: cisco-voip <cisco-voip-bounces@puck.nether.net> On Behalf Of Hunter Fuller
Sent: Tuesday, August 2, 2022 1:37 PM
To: Lelio Fulgenzi <lelio@uoguelph.ca>
Cc: Cisco VOIP <cisco-voip@puck.nether.net>
Subject: Re: [cisco-voip] [External] Re: expressway E GoDaddy certificate

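The copy-the-key procedure described in the message above can be sanity-checked on a workstation before the second peer is touched. This is an added example, not part of the original thread and not Cisco tooling: it confirms that a copied `privkey.pem` belongs to the certificate and that the certificate's SANs name every peer. The host names, `server.pem` and the function names are assumptions, and the demo key pair is generated on the spot.

```shell
#!/usr/bin/env bash
# Added example: checks to run before loading a copied key and certificate
# onto a second cluster peer. All host names and server.pem are constructed.

# True only if the private key and the certificate hold the same public key.
key_matches_cert() {            # usage: key_matches_cert KEY.pem CERT.pem
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the certificate's DNS subject alternative names, one per line.
cert_sans() {                   # usage: cert_sans CERT.pem
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Print every required name that is NOT an exact (case-insensitive) SAN entry.
# Wildcard SANs are deliberately not expanded here.
missing_sans() {                # usage: missing_sans CERT.pem FQDN...
    local cert=$1 sans name
    shift
    sans=$(cert_sans "$cert")
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qixF -- "$name" || printf '%s\n' "$name"
    done
}

# Build a throwaway self-signed key/cert pair in DIR as constructed sample input.
make_demo_pair() {              # usage: make_demo_pair DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/privkey.pem" -out "$1/server.pem" \
        -subj "/CN=expe.example.com" \
        -addext "subjectAltName=DNS:expe.example.com,DNS:expe1.example.com,DNS:expe2.example.com" \
        2>/dev/null
}

demo=$(mktemp -d)               # mktemp -d creates the directory with mode 0700
make_demo_pair "$demo"
if key_matches_cert "$demo/privkey.pem" "$demo/server.pem"; then
    echo "key matches certificate"
else
    echo "key does NOT match certificate"
fi
echo "SANs missing for the two peers: $(missing_sans "$demo/server.pem" \
    expe1.example.com expe2.example.com | tr '\n' ' ')"
rm -rf "$demo"                  # do not leave copies of key material behind
```

A copied private key deserves the same handling as on the appliance: keep it in a directory only you can read and delete the working copy once both peers are loaded.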
Re: [External] Re: expressway E GoDaddy certificate
Curious if you passed this method by Cisco/Expressway support.

I find the Expressway support team very critical of any changes to supported methods. It's the only team that doesn't support ESXi maintenance releases unless it's explicitly stated in the document.

-----Original Message-----
From: Matthew Huff <mhuff@ox.com>
Sent: Wednesday, August 3, 2022 7:47 AM
To: Hunter Fuller <hf0002@uah.edu>; Lelio Fulgenzi <lelio@uoguelph.ca>
Cc: Cisco VOIP <cisco-voip@puck.nether.net>
Subject: RE: [cisco-voip] [External] Re: expressway E GoDaddy certificate

Re: [External] Re: expressway E GoDaddy certificate
TAC is the one that showed me. The big clue is that Expressway has the ability to upload a private key. Why have that feature if you can't extract it?

-----Original Message-----
From: Lelio Fulgenzi <lelio@uoguelph.ca>
Sent: Wednesday, August 3, 2022 9:11 AM
To: Matthew Huff <mhuff@ox.com>; Hunter Fuller <hf0002@uah.edu>
Cc: Cisco VOIP <cisco-voip@puck.nether.net>
Subject: RE: [cisco-voip] [External] Re: expressway E GoDaddy certificate

Re: [External] Re: expressway E GoDaddy certificate
That's great then.

I remember at one point, calling for support, one Expressway TAC person told me that dual NIC isn't supported on E. I was all, "hold your horses..."

Only after some discussion was it revealed to them that it wasn't only supported but recommended. Lol


-----Original Message-----
From: Matthew Huff <mhuff@ox.com>
Sent: Wednesday, August 3, 2022 9:24 AM
To: Lelio Fulgenzi <lelio@uoguelph.ca>; Hunter Fuller <hf0002@uah.edu>
Cc: Cisco VOIP <cisco-voip@puck.nether.net>
Subject: RE: [cisco-voip] [External] Re: expressway E GoDaddy certificate
