Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1485
Views
10
Helpful
7
Replies

Public CA-Signed Cert for B2B?

Brian Carscadden
Level 5
Level 5

‎06-04-2021 06:20 AM

We have an existing Expressway pair that was running Jabber Guest and B2B. We are no longer supporting Jabber Guest, but B2B will remain. As far as I recall B2B doesn't require the E cert to be signed by a public CA. Can someone confirm?

 

Thanks in advance.

0 Helpful
7 Replies 7

Rajan
VIP Alumni
VIP Alumni

‎06-04-2021 07:01 AM

Hi Brian,

 

i dont think so. B2B requires a traversal zone between Expressway E & C servers which uses TLS. So CA signed certificate is needed for that as its a business to business communictaion, the CA signed certs only will be trusted by all clients.

 

//Certificates on the Expressway-E are extremely important, since clients, whether a web browser from an Internet user or another company trying to communicate with your enterprise, must be able to trust the authenticity of the server they're connecting to. Therefore, Expressway-E certificates, in particular, should be signed by a trusted public Certificate Authority (CA) (e.g. Verisign, GoDaddy, etc...).//

 

https://cmslab.ciscolive.com/pod30/webrtc/expwyesetup 

 

 

HTH
Rajan
Please rate all useful posts by clicking the star below and mark solutions as accepted wherever applicable

0 Helpful

Roger Kallberg
VIP
VIP

‎06-04-2021 07:51 AM

As it is other external business that communicate with the B2B you will absolutely need a public CA signed certificate to form the TLS for the call.



Response Signature


0 Helpful

Nithin Eluvathingal
VIP
VIP

‎06-04-2021 08:17 AM - edited ‎06-04-2021 08:19 AM

Expressway E is internet facing device, when communicating outside on internet it require Public CA signed certificate. Because  No devices in internet will trust your internal CA signed or self signed certificates. 

 

Your internal CA or Self signed Root CA details you cannot upload to the all devices in the internet. The public root CA certificates(versign,digicert,sectigo etc..)  comes with the operating system. so any certificate signed by these CA gets trusted by the devices by default. 

 

So on  Expressway, if using it for any feature you should go with Public CA.

 

 



Response Signature


Brian Carscadden
Level 5
Level 5

‎06-04-2021 08:45 AM

Thanks for the replies all, but I'm still skeptical here. For B2B calling I don't think there's a TLS verification to a public CA. Whereas MRA (Jabber clients, MRA phones) and Jabber Guest (Internet browsers) will definitely look to verify the cert's identity. B2B calling is essentially a SIP call.

0 Helpful

Rajan
VIP Alumni
VIP Alumni
In response to Brian Carscadden

‎06-04-2021 08:57 AM

When you say B2B calling, for example you could use that to enable calls between your company Jabber and a Jabber registered in any other company's domain . In this case, you cannot expect the remote client to know about your internal CA and trust it. Hence always Public CA is needed.

 

HTH
Rajan
Please rate all useful posts by clicking the star below and mark solutions as accepted wherever applicable

Nithin Eluvathingal
VIP
VIP
In response to Brian Carscadden

‎06-04-2021 09:34 AM

For non encrypted calls okay, what about encrypted sip calls using tls ?

 

 



Response Signature


0 Helpful

Roger Kallberg
VIP
VIP
In response to Brian Carscadden

‎06-04-2021 09:56 AM - edited ‎06-04-2021 10:03 AM

We have B2B setup and I can assure you that it uses signed certificates.

See it like this, your using an unsecured media, internet, to carry calls. Would it be advisable to send this traffic in the clear so that anyone can intercept it?



Response Signature


0 Helpful
Customers Also Viewed These Support Documents