Mailing List Archive

Expressway cluster certificates.
Hi, Guys

I am renewing the certificates in an Expressway X8.10.1 cluster. But I am running into a conflict between the official documentation and how CUCM works.

I have set both Expressway-C certificates to use the Cluster name for the Common Name and each server´s name as a SAN, as the oficial guide states.
But when I load both signed certificates into CUCM trust stores, it shows only one of the certificates, instead of both, as CUCM uses the CN tu build its listo f certs, and both ExpC´s CN is the same (Although they are two diferente certificates)

So, I started to re-read all related documents I could find and I found some contradictions that I do not now how to solve.

On one hand, I have the official “Certificate Creation and Deployment Guide” that states:

“A certificate identifies the Expressway. It contains names by which it is known and to which traffic is routed. If the Expressway is known by multiple names for these purposes, such as if it is part of a cluster, this must be represented in the X.509 subject data, according to the guidance of RFC5922. The certificate must contain the FQDN of both the Expressway itself and of the cluster. The following lists show what must be included in the X.509 subject, depending on the deployment model chosen.
If the Expressway is not clustered:
? Subject Common Name = FQDN of Expressway
? Subject Alternate Names = leave blank*
If the Expressway is clustered, with individual certificates per Expressway:
? Subject Common Name = FQDN of cluster
? Subject Alternate Name = FQDN of Expressway peer, FQDN of cluster*

https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-10/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-10.pdf

On the other hand I have the “Configure and Troubleshoot Collaboration Edge (MRA) Certificates“ that says:

Cluster Certificates

It is strongly recommended that if you have a cluster of Expressway-C or Expressway-E servers for redundancy that you generate a separate CSR for each server and have it signed by a CA. Most deployments will use the server name for the subject and list all peers and the cluster ID as SANs. It is possible for you to use the cluster-id as the subject to use the same certificate for all nodes in the cluster, therefore avoiding the cost of multiple certs signed by a public CA. If absolutely necessary, this can be done with the following process or by using OpenSSL to generate both the private key and CSR manually:

Step 1. Generate a CSR on the master of the cluster and configure it to list the cluster-alias as the subject. Add all peers in the cluster as alternative names, along with all other required SANs.

Step 2. Sign this CSR and upload to the master peer.

Step 3. Log into the master as root and download the private key located in /tandberg/persistent/certs.

Step 4. Upload both the signed certificate and matching private key to each other peer in the cluster.

Note: This is not recommended for the following reasons:
1. It is a security risk because all peers are using the same private key. If one is somehow compromised an attacker can decrypt traffic from any of the servers.
2. If a change needs to be made to the certificate, this entire process must be followed again rather than a simple CSR generation and signing.

https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/213872-configure-and-troubleshoot-collaboration.html#anc17


So, one says to use the cluster name, the other says the opposite. And I have the CUCM showing me only one cert intead of two.


What should I do? Re-sign both certificates with the peer name as CN and cluster as SAN and be done with it? Ori s there a legitimate way to use the cluster name and not have issues with CUCM?

Right now, the Expressway cluster is in service, because I left the cluster´s main peer certificate showing in CUCM, but as far as I know, the backup peer won´t work.

TIA,


[cid:image001.png@01D582B8.04178020]Ariel Roza
Support & Maintenance Engineer | Latam
t: +54 11 5282-0458 / c: +54 11 5017-4417 / webex: https://logicalis-la.webex.com/join/ariel.roza
Av. Belgrano 955 – Piso 20 – CABA – Argentina – C1092AAJ
www.la.logicalis.com<http://www.la.logicalis.com/>
Business and technology working as one
[cid:image003.jpg@01D582BA.3104E530][cid:image004.png@01D582B8.04178020][cid:image005.png@01D582B8.04178020]<https://www.instagram.com/logicalislatam/>[cid:image006.png@01D582B8.04178020]<https://www.facebook.com/logicalislatam>[cid:image007.png@01D582B8.04178020]<https://twitter.com/logicalislatam>[cid:image008.png@01D582B8.04178020]<https://ar.linkedin.com/company/logicalis-latam>[cid:image009.png@01D582B8.04178020]<https://www.youtube.com/logicalislatam>
[cid:image010.jpg@01D582B8.04178020]
Logicalis Argentina S.A. solo puede ser obligado por sus representantes legales conforme los límites establecidos en el acto constitutivo y la legislación en vigor.
El contenido del presente correo electrónico e inclusive sus anexos contienen información confidencial.
El mismo no puede ser divulgado y/o utilizado por cualquiera otro distinto al destinatario, ni puede ser copiado de cualquier forma
Re: Expressway cluster certificates. [ In reply to ]
Are the expressway-C server using self-signed certificates (I doubt it because you said they are multi-san)?

Generally, CUCM doesn’t need to trust the identity certificate (unless it is self signed). In all other cases, CUCM needs to trust the certificate authority the signed the expressway-c certificates.

If for example, GoDaddy signed the SSL certificates for the Expressway-C, CUCM just needs to trust the GoDaddy certificate authority chain.

Sent from my iPhone

On Oct 14, 2019, at 17:07, ROZA, Ariel <Ariel.ROZA@la.logicalis.com> wrote:

?
Hi, Guys

I am renewing the certificates in an Expressway X8.10.1 cluster. But I am running into a conflict between the official documentation and how CUCM works.

I have set both Expressway-C certificates to use the Cluster name for the Common Name and each server´s name as a SAN, as the oficial guide states.
But when I load both signed certificates into CUCM trust stores, it shows only one of the certificates, instead of both, as CUCM uses the CN tu build its listo f certs, and both ExpC´s CN is the same (Although they are two diferente certificates)

So, I started to re-read all related documents I could find and I found some contradictions that I do not now how to solve.

On one hand, I have the official “Certificate Creation and Deployment Guide” that states:

“A certificate identifies the Expressway. It contains names by which it is known and to which traffic is routed. If the Expressway is known by multiple names for these purposes, such as if it is part of a cluster, this must be represented in the X.509 subject data, according to the guidance of RFC5922. The certificate must contain the FQDN of both the Expressway itself and of the cluster. The following lists show what must be included in the X.509 subject, depending on the deployment model chosen.
If the Expressway is not clustered:
? Subject Common Name = FQDN of Expressway
? Subject Alternate Names = leave blank*
If the Expressway is clustered, with individual certificates per Expressway:
? Subject Common Name = FQDN of cluster
? Subject Alternate Name = FQDN of Expressway peer, FQDN of cluster*

https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-10/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-10.pdf<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.cisco.com%2Fc%2Fdam%2Fen%2Fus%2Ftd%2Fdocs%2Fvoice_ip_comm%2Fexpressway%2Fconfig_guide%2FX8-10%2FCisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-10.pdf&data=02%7C01%7C%7C947276c8718c41c85c7608d750ea89df%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637066840572617327&sdata=jX2XERO5x5TbN0%2B9QbD6S8EPCRFZ8mTWVuLhHRFfvL0%3D&reserved=0>

On the other hand I have the “Configure and Troubleshoot Collaboration Edge (MRA) Certificates“ that says:

Cluster Certificates

It is strongly recommended that if you have a cluster of Expressway-C or Expressway-E servers for redundancy that you generate a separate CSR for each server and have it signed by a CA. Most deployments will use the server name for the subject and list all peers and the cluster ID as SANs. It is possible for you to use the cluster-id as the subject to use the same certificate for all nodes in the cluster, therefore avoiding the cost of multiple certs signed by a public CA. If absolutely necessary, this can be done with the following process or by using OpenSSL to generate both the private key and CSR manually:

Step 1. Generate a CSR on the master of the cluster and configure it to list the cluster-alias as the subject. Add all peers in the cluster as alternative names, along with all other required SANs.

Step 2. Sign this CSR and upload to the master peer.

Step 3. Log into the master as root and download the private key located in /tandberg/persistent/certs.

Step 4. Upload both the signed certificate and matching private key to each other peer in the cluster.

Note: This is not recommended for the following reasons:
1. It is a security risk because all peers are using the same private key. If one is somehow compromised an attacker can decrypt traffic from any of the servers.
2. If a change needs to be made to the certificate, this entire process must be followed again rather than a simple CSR generation and signing.

https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/213872-configure-and-troubleshoot-collaboration.html#anc17<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.cisco.com%2Fc%2Fen%2Fus%2Fsupport%2Fdocs%2Funified-communications%2Fexpressway%2F213872-configure-and-troubleshoot-collaboration.html%23anc17&data=02%7C01%7C%7C947276c8718c41c85c7608d750ea89df%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637066840572627328&sdata=AY%2F0Oqd6iK7D0nzknAyMcwoJInxJotOfGmB2ATzgksk%3D&reserved=0>


So, one says to use the cluster name, the other says the opposite. And I have the CUCM showing me only one cert intead of two.


What should I do? Re-sign both certificates with the peer name as CN and cluster as SAN and be done with it? Ori s there a legitimate way to use the cluster name and not have issues with CUCM?

Right now, the Expressway cluster is in service, because I left the cluster´s main peer certificate showing in CUCM, but as far as I know, the backup peer won´t work.

TIA,


<image001.png>
Ariel Roza
Support & Maintenance Engineer | Latam
t: +54 11 5282-0458 / c: +54 11 5017-4417 / webex: https://logicalis-la.webex.com/join/ariel.roza<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Flogicalis-la.webex.com%2Fjoin%2Fariel.roza&data=02%7C01%7C%7C947276c8718c41c85c7608d750ea89df%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637066840572627328&sdata=5NEkhBSPCrZTdDuwtMLb1Wvvx%2FxmSMCrhsjy18nQaNo%3D&reserved=0>
Av. Belgrano 955 – Piso 20 – CABA – Argentina – C1092AAJ
www.la.logicalis.com<https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.la.logicalis.com%2F&data=02%7C01%7C%7C947276c8718c41c85c7608d750ea89df%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637066840572637337&sdata=iVRKW%2F%2Bs%2Fj5YkJc5huHZHPnAY%2BDnHt%2BoEOd%2BknPWd8c%3D&reserved=0>
Business and technology working as one
<image003.jpg>
<image004.png>
<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.instagram.com%2Flogicalislatam%2F&data=02%7C01%7C%7C947276c8718c41c85c7608d750ea89df%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637066840572637337&sdata=vxSo3geivpVldtS4HLp9y%2FOW7grMOoa6v9e7MpiiK0M%3D&reserved=0>
<image005.png>
<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.facebook.com%2Flogicalislatam&data=02%7C01%7C%7C947276c8718c41c85c7608d750ea89df%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637066840572647342&sdata=JESDsB9%2B5aH77WhiVKlBSrB0YhuJ%2FxOz4DmmC68iTt0%3D&reserved=0>
<image006.png>
<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Flogicalislatam&data=02%7C01%7C%7C947276c8718c41c85c7608d750ea89df%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637066840572647342&sdata=1Z4t9f2UvTDkpd5VQ7OPmXmot1M5okYSCuGNGlKrsxA%3D&reserved=0>
<image007.png>
<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Far.linkedin.com%2Fcompany%2Flogicalis-latam&data=02%7C01%7C%7C947276c8718c41c85c7608d750ea89df%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637066840572657360&sdata=HNTtI5fMcj6Fvof%2BrgErBlM6lbWI03L1xl817Y2vWuw%3D&reserved=0>
<image008.png>
<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.youtube.com%2Flogicalislatam&data=02%7C01%7C%7C947276c8718c41c85c7608d750ea89df%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637066840572657360&sdata=GnZYSe4WsJQ5tqz9y%2FjrGLVrBtiT6dkjn2at7XFJxNc%3D&reserved=0>
<image009.png>
<image010.jpg>
Logicalis Argentina S.A. solo puede ser obligado por sus representantes legales conforme los límites establecidos en el acto constitutivo y la legislación en vigor.
El contenido del presente correo electrónico e inclusive sus anexos contienen información confidencial.
El mismo no puede ser divulgado y/o utilizado por cualquiera otro distinto al destinatario, ni puede ser copiado de cualquier forma

_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpuck.nether.net%2Fmailman%2Flistinfo%2Fcisco-voip&amp;data=02%7C01%7C%7C947276c8718c41c85c7608d750ea89df%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637066840572677369&amp;sdata=kS%2FWccGQz25%2FQb%2FN3R7%2F1ZlD1%2FDcLCbKeHy0N2oZ1Zs%3D&amp;reserved=0
Re: Expressway cluster certificates. [ In reply to ]
Hi Ryan,

Both Expressway servers are signed by the internal CA. I have uploaded the root and intermediate certificates, too.
But I am renewing the certificates on an existing cluster, and whoever instelled it, they manually added the ExpC certs into tomcat-trust.

So, I understand that it would be safe to remove the ExpC certs from tomcat-trust and everything would be working fine?
What about the use the cluster name/don´t use the cluster name contradiction?

Thanks,

Ariel.

De: Ryan Huff <ryanhuff@outlook.com>
Enviado el: lunes, 14 de octubre de 2019 18:14
Para: ROZA, Ariel <Ariel.ROZA@LA.LOGICALIS.COM>
CC: cisco-voip (cisco-voip@puck.nether.net) <cisco-voip@puck.nether.net>
Asunto: Re: [cisco-voip] Expressway cluster certificates.

Are the expressway-C server using self-signed certificates (I doubt it because you said they are multi-san)?

Generally, CUCM doesn’t need to trust the identity certificate (unless it is self signed). In all other cases, CUCM needs to trust the certificate authority the signed the expressway-c certificates.

If for example, GoDaddy signed the SSL certificates for the Expressway-C, CUCM just needs to trust the GoDaddy certificate authority chain.
Sent from my iPhone
Re: Expressway cluster certificates. [ In reply to ]
So having more certs than need in the Truststore generally wont cause issues, it’s just one more certificate that can potentially be trusted.

As long as the new certificates are signed by the same internal CA as the one that is currently in the truststore for CUCM (all nodes), then you shouldn’t need to have the identity certificates in the truststore.

One reason that may have been done is because the original person wasn’t able to get CUCM to properly recognize the internal CA and trust certificates signed by it.

This could happen if the CA chain was uploaded incorrectly. The root should be uploaded first, then any intermediates.

Sent from my iPhone

On Oct 14, 2019, at 17:40, ROZA, Ariel <Ariel.ROZA@la.logicalis.com> wrote:

?
Hi Ryan,

Both Expressway servers are signed by the internal CA. I have uploaded the root and intermediate certificates, too.
But I am renewing the certificates on an existing cluster, and whoever instelled it, they manually added the ExpC certs into tomcat-trust.

So, I understand that it would be safe to remove the ExpC certs from tomcat-trust and everything would be working fine?
What about the use the cluster name/don´t use the cluster name contradiction?

Thanks,

Ariel.

De: Ryan Huff <ryanhuff@outlook.com>
Enviado el: lunes, 14 de octubre de 2019 18:14
Para: ROZA, Ariel <Ariel.ROZA@LA.LOGICALIS.COM>
CC: cisco-voip (cisco-voip@puck.nether.net) <cisco-voip@puck.nether.net>
Asunto: Re: [cisco-voip] Expressway cluster certificates.

Are the expressway-C server using self-signed certificates (I doubt it because you said they are multi-san)?

Generally, CUCM doesn’t need to trust the identity certificate (unless it is self signed). In all other cases, CUCM needs to trust the certificate authority the signed the expressway-c certificates.

If for example, GoDaddy signed the SSL certificates for the Expressway-C, CUCM just needs to trust the GoDaddy certificate authority chain.
Sent from my iPhone