04-16-2014 07:18 PM - edited 03-19-2019 08:06 AM
Hi All UC Experts,
I just deployed the Expressway VPN-less Jabber solution in my Cisco UC environment. I am thinking about managing Certificate Revocation Lists (CRLs). Actually, I do not have much experience with CRL deployment.
The Cisco guide just introduces the CRL: http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf
Now I am using the OpenSSL CA, which is a self-signed CA for internal use only.
1. Can I prevent the cert. error when users access the Expressway-Edge while using the internal OpenSSL CA? Will it not prompt the cert. error if the CN="Expressway-Edge Public FQDN"?
2. How can I best do the CRL? Actually, all users would use their Exchange addresses as the login. Should I use the Windows Cert. Server to make the CRL? Is the CRL controlled per device? That means one user will use one or more mobile devices, so can the admin revoke the login per device?
3. I discovered the Jabber client would lock the local cache on the mobile device / Windows PC. Can I make the local cache encrypted?
04-17-2014 09:12 AM
Hi Edwin,
1. You can optionally sign the cert using an internal Microsoft CA or a 3rd party CA. Page 5 of the guide tells you that. Keep in mind, it's not just the Expressways that need to be signed. You have to sign the CUCM Tomcat, Unity Tomcat, IM/P Tomcat and XMPP certs so that you don't get any certificate errors.
2. If you have to do CRL, it would be best to do it with an MS PKI infrastructure. CRLs are best done on devices and you will need a mechanism to push certs down to the individual devices. For mobiles, this can be done with mobile device management software; for Windows PCs you could use group policies.
3. Not possible.
HTH
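To make the per-device revocation discussed in question 2 and answer 2 concrete, here is an added example (not posted by anyone in this thread and not Cisco's own procedure): a throw-away OpenSSL CA, like the internal OpenSSL CA the poster is using, issues one certificate per device, revokes one, publishes a CRL, and checks each certificate against it. The device names `phone-a` and `phone-b`, the CA name and the temporary directory are constructed for the demonstration; it covers only the CA-side mechanics, not how Expressway itself would consume the CRL.

```shell
#!/bin/sh
# Added example, not from the thread: throw-away OpenSSL CA that issues
# per-device certs, revokes one, publishes a CRL and checks certs against it.
set -eu
CADIR=$(mktemp -d); CFG="$CADIR/ca.cnf"   # constructed temporary CA directory
setup_ca() {
    # Minimal config for `openssl ca`; all CA state lives under $CADIR.
    cat > "$CFG" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $CADIR/index.txt
new_certs_dir = $CADIR
certificate = $CADIR/ca.crt
private_key = $CADIR/ca.key
serial = $CADIR/serial
crlnumber = $CADIR/crlnumber
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
    touch "$CADIR/index.txt"; echo 01 > "$CADIR/serial"; echo 01 > "$CADIR/crlnumber"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$CFG" -days 30 \
        -subj "/CN=Internal Lab CA" -keyout "$CADIR/ca.key" -out "$CADIR/ca.crt" 2>/dev/null
    publish_crl
}
# (Re)issue the CRL; in production this is the file the CRL distribution point serves.
publish_crl() { openssl ca -config "$CFG" -gencrl -out "$CADIR/ca.crl" 2>/dev/null; }
issue_cert() {   # $1 = device name, becomes the certificate CN
    openssl req -new -newkey rsa:2048 -nodes -config "$CFG" -subj "/CN=$1" \
        -keyout "$CADIR/$1.key" -out "$CADIR/$1.csr" 2>/dev/null
    openssl ca -config "$CFG" -batch -in "$CADIR/$1.csr" -out "$CADIR/$1.crt" 2>/dev/null
}
revoke_cert() {  # $1 = device name; mark its cert revoked, then republish the CRL
    openssl ca -config "$CFG" -revoke "$CADIR/$1.crt" 2>/dev/null
    publish_crl
}
# Returns 0 if the cert fails CRL-checked chain validation (revoked, or otherwise
# untrusted, which is the safe default), 1 if it still validates.
is_revoked() {
    ! openssl verify -CAfile "$CADIR/ca.crt" -crl_check -CRLfile "$CADIR/ca.crl" \
        "$CADIR/$1.crt" >/dev/null 2>&1
}
setup_ca; issue_cert phone-a; issue_cert phone-b; revoke_cert phone-a
```

After the last line, `is_revoked phone-a` succeeds and `is_revoked phone-b` fails, and `openssl crl -in "$CADIR/ca.crl" -noout -text` lists exactly one revoked serial; the same `-crl_check` verification is what a device-side or MDM-distributed trust check performs against the published CRL.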
04-17-2014 10:55 PM
For Windows PCs using Group Policies, the Jabber client would not have any restriction on connection sources, which means anyone who has the Jabber client can already access the UC environment.
04-18-2014 08:58 PM
Can I do the CRL on the Expressway, like ISE? It is because no document talks about how to configure the CRL on Expressway.
Publish Certificate Revocation Lists for ISE on a Microsoft CA Server Configuration Example