Please could someone help shed some light on Jabber certificates for me? It would be massively appreciated. I have a more complex setup than I normally deploy, where there is an existing CUCM/CUC 11.5 cluster, but now the customer has requested Jabber and MRA deployment so I've deployed IMP and Expressway servers that are not currently utilised. As they have no internal CA, all the certificates will need to be signed by an external authority, likely to be DigiCert.
The domain that the CUCM/CUC are on is "company.local", which is their internal domain, no external services.
Jabber is set to use Directory URI, where email addresses are used, which are "company.com" & "company.co.uk".
As company.com and company.co.uk have servers externally, we can't host Expressway DNS records for these on the internal DNS servers for these domains, so I believe this means that I will now have to add a subdomain that can be used on internal and external DNS servers. I was going for "cisco-uc.company.com".
So, assuming there are no holes in the above, please could I have some help with what names and domains need to be in the signed certificates, as I'm trying to minimise costs of the certificate signings?
- Multi-SAN Tomcat (CUCM+CUC) & CallManager certificates
  - I understand I need to include all the FQDN names of all the servers.
  - Do I need to include the multi-SAN name in the cert? e.g. for CUCM cluster - ucmpub-ms.company.local
  - Do I need to include a DNS name for the parent domain? e.g. company.local
- For the CUP-XMPP certificates
  - I understand I again need the FQDN of the IMP servers.
  - This is the main part I'm stuck with: what domains do I need to include here? Do I really need to have all domains (.local, .co.uk, .com, cisco-uc.company.com) here as the CSR generated suggests? That makes the certificate stupidly expensive. Also, what happens if more users from another domain are added, like "company2.com"?
- For the Expressway Edge
  - I understand I need the cluster FQDN and the server FQDNs, along with the "collab-edge.cisco-uc.company.com". Could you confirm if this is correct?
Any input on these would make a huge difference, thanks in advance.