Most of the time, wildcard certs mean you have a CSR and a private key generated by something, and then you upload the private key and the public key to lots of servers. The application would need to be able to upload a private key and not require its own CSR.

CUCM, Unity Connection and UCCX do not support uploading a private key. Expressway and, I think, Conductor do allow you to upload a private key.

But what makes Digicert really cool is you can buy the wildcard cert, then keep reissuing a new certificate from that one purchase. From what I understand, you can do this an unlimited number of times. There may be other CAs that do this. I saw one that seemed like it was going to work, but since the CSR did not include the * as a SAN, they would not issue the cert. Digicert with the wildcard includes the *.domain.com and domain.com SANs automatically, and you can specify about 15 other SANs for each CSR/cert. So CUCM and the other apps are happy because the cert was generated using its own CSR.

Using these certs, I had one TAC case where CUCM balked at the cert, but I could upload the cluster-wide Tomcat SAN cert via IM&P. This turned out to be a problem with the domain casing not matching between all of the servers and the cert. Always use domain.com and not DOMain.com and life is happy.

I am not affiliated with Digicert other than they are here in Utah also. It just makes life really easy to tell the customer to buy this one cert and, oh, I can make all of the Cisco UC/Jabber cert errors go away!

PS. Has anyone figured out what to do with Conductor wanting an IP address in the SAN?

Sent from my iPhone

> On Jul 15, 2015, at 10:42 AM, Anthony Holloway <avholloway+cisco-v...@gmail.com> wrote:
>
> I'm a little confused here. According to this article:
> http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#wildcard,
> and this defect ID: https://tools.cisco.com/bugsearch/bug/CSCta14114/, wildcard certs are not supported. Are we talking about the same thing here?
>
>> On Wed, Jul 15, 2015 at 10:08 AM Eric Pedersen <peders...@bennettjones.com> wrote:
>>
>> Digicert lets you put your domain and subdomains of any level as SANs. It's great! They even generated a duplicate certificate for me with a different root CA that was supported with WebEx-enabled Telepresence. We use their wildcard certificates on all of our UC servers.
>>
>> From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Heim, Dennis
>> Sent: 15 July 2015 8:28 AM
>> To: Ian Anderson; NateCCIE; Cisco VOIP
>> Subject: Re: [cisco-voip] Digicert Wildcard certificates
>>
>> I've found the hardest thing to find is a cert provider that likes putting the domain as a SAN, such as DNS=mycollab.com. Has anyone found any providers that are kosher with that? From one of the Cisco Live sessions, I was told this is needed for service discovery to function properly.
>>
>> Dennis Heim | Emerging Technology Architect (Collaboration)
>> World Wide Technology, Inc. | +1 314-212-1814
>>
>> "There is a fine line between Wrong and Visionary. Unfortunately, you have to be a visionary to see it." – Sheldon Cooper
>>
>> From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Ian Anderson
>> Sent: Wednesday, July 15, 2015 10:18 AM
>> To: NateCCIE; Cisco VOIP
>> Subject: Re: [cisco-voip] Digicert Wildcard certificates
>>
>> On 15 July 2015 at 15:02, NateCCIE <natec...@gmail.com> wrote:
>>
>>> Did you put all of your SANs in the Digicert page?
>>>
>>> I have this working on all of my Expressway installs.
>>
>> Hi Nate,
>>
>> Thanks for the quick response. Just for preservation in the archives for future posterity, and confirmation that Digicert seems fine despite the warnings in the manuals, it seemed I was running into 2 separate issues.
>>
>> 1) I had uploaded the intermediate cert, but needed to manually download and upload the root CA
>>
>> 2) That then got me past the TLS error, only to find that I had fat-fingered the hostname in the SAN field :-(
>>
>> Cheers
>>
>> Ian
_______________________________________________ cisco-voip mailing list cisco-voip@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip
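The thread turns on three SAN details: the CSR has to carry *.domain.com and the bare domain.com as SANs, every extra host has to be spelled in consistent (lower) case because a casing mismatch between servers and cert broke the CUCM upload, and an extra SAN count of "about 15" per CSR. The following is an added example, not code from the thread or from any Cisco or Digicert tool: it builds a normalized SAN list for one CSR, renders it as an OpenSSL `req` configuration, and checks a hostname against the list with single-label wildcard matching and case-insensitive comparison. The host names, the organization string and the 15-SAN ceiling are assumptions for illustration; IP literals are accepted only so the config can express an IP SAN, the thread does not settle whether Conductor needs one.

```python
"""Build and check the SAN list for a wildcard CSR (added example, not from the thread).

Assumptions: example.com host names, 'Example Org', and a 15-extra-SAN ceiling
taken from the 'about 15 other SANs' remark in the post above.
"""
import ipaddress

MAX_EXTRA_SANS = 15  # assumption: ceiling quoted in the thread as 'about 15'


def normalize_name(name: str) -> str:
    """Lower-case and drop a trailing dot. DNS names are case-insensitive,
    but a cert carrying DOMain.com beside servers configured as domain.com
    is exactly the mismatch the post describes, so normalize before use."""
    return name.strip().rstrip(".").lower()


def build_san_list(domain, hosts, extra_ips=()):
    """Return the SAN list for one CSR as (kind, value) tuples:
    *.domain and domain first, then each explicit host, then IP literals.
    Raises ValueError for hosts outside the domain or too many extra SANs."""
    domain = normalize_name(domain)
    sans = [("DNS", "*." + domain), ("DNS", domain)]
    seen = {value for _, value in sans}
    for host in hosts:
        host = normalize_name(host)
        if not (host == domain or host.endswith("." + domain)):
            raise ValueError(f"{host} is not under {domain}")
        if host not in seen:
            sans.append(("DNS", host))
            seen.add(host)
    for ip in extra_ips:
        ip = str(ipaddress.ip_address(ip))  # rejects malformed literals
        if ip not in seen:
            sans.append(("IP", ip))
            seen.add(ip)
    extra = len(sans) - 2  # the two wildcard/bare entries come free
    if extra > MAX_EXTRA_SANS:
        raise ValueError(f"{extra} extra SANs exceeds limit of {MAX_EXTRA_SANS}")
    return sans


def openssl_req_config(cn, sans, org="Example Org"):
    """Render an openssl.cnf for:
    openssl req -new -config san.cnf -keyout san.key -out san.csr"""
    lines = [
        "[ req ]", "default_bits = 2048", "prompt = no",
        "distinguished_name = dn", "req_extensions = req_ext", "",
        "[ dn ]", f"CN = {normalize_name(cn)}", f"O = {org}", "",
        "[ req_ext ]", "subjectAltName = @alt_names", "",
        "[ alt_names ]",
    ]
    counters = {"DNS": 0, "IP": 0}
    for kind, value in sans:
        counters[kind] += 1
        lines.append(f"{kind}.{counters[kind]} = {value}")
    return "\n".join(lines) + "\n"


def san_matches(san_list, hostname):
    """RFC 6125-style check: exact DNS match, or a wildcard that replaces
    only the single left-most label, compared case-insensitively.
    *.example.com covers cucm.example.com but not a.b.example.com or example.com."""
    host = normalize_name(hostname)
    for kind, value in san_list:
        if kind != "DNS":
            continue
        if value == host:
            return True
        if value.startswith("*."):
            suffix = value[1:]  # ".example.com"
            if host.endswith(suffix):
                label = host[: -len(suffix)]
                if label and "." not in label:
                    return True
    return False


if __name__ == "__main__":
    hosts = ["CUCM-Pub.example.com", "imp.example.com", "cucm-pub.example.com."]
    sans = build_san_list("Example.COM", hosts)
    print(openssl_req_config("cucm-pub.example.com", sans))
    print("Imp.Example.Com ->", san_matches(sans, "Imp.Example.Com"))
    print("phone.sub.example.com ->", san_matches(sans, "phone.sub.example.com"))
```

The matcher deliberately refuses `phone.sub.example.com` against `*.example.com`: a wildcard covers one label, so a host at a deeper level still needs its own explicit SAN, which is why the per-CSR extra SAN list matters even with a wildcard in hand.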