Cloud Connector - CCE Certificate

  • Question

  • Hi,

    We are deploying CCEs in multiple sites with HA,

    I have a single cert (pfx) with the FQDN and SAN entries for all other CCE locations.

    pfx.

    FQDN: APShanghai.domain.com

    SAN : ApJapan.domain.com
        : ApSingpaore.domain.com
        : ApGermany.domain.com
        : SIP.domain.com

    The cert's FQDN is "APShanghai". When I deployed CCE at the Singapore location I got the warning message below, but the CCE servers are up. Inbound and outbound calls are not yet tested due to telco issues.

    ________________

    CertUtil: -importPFX command completed successfully.

    WARNING: The subject name "APShanghai.domain.COM" of the certificate does not match the computer fully qualified domain name (FQDN) "APSingapore.domain.com.

    The following certificate was assigned for the type "AccessEdgeExternal

    ________________

    Can we use the same cert for all the locations, with SAN entries for the locations? I'm wondering, since the Access Edge FQDN is different for the other sites and they are in the SAN, will we see any issues in this scenario? Or do I need to get a separate certificate for each of the other PSTN sites?

    Thanks in Advance.

    Regards,
    MS


    Saturday, October 28, 2017 4:15 PM

Answers

  • The certificate mismatch error is in fact expected; however, the certificate you currently have is correct.

    I used the same certificate Subject Names/Common Name (SN/CN = some call Common Name, some call Subject Name) and Subject Alternative Names (SANs) for CCE deployments with multi-sites.

    You are good to go.


    • Edited by ThettNaing Saturday, October 28, 2017 5:04 PM
    • Marked as answer by MadhuSri011 Saturday, October 28, 2017 9:49 PM
    Saturday, October 28, 2017 4:50 PM
  • You don't need to have a separate certificate for each PSTN Site. 

    Ref: https://technet.microsoft.com/en-us/library/mt605227.aspx

    "If you want to use a single certificate for all Edge pools deployed in your organization and cannot use a wildcard certificate as defined in option 2, then you will need to include the FQDN for all deployed Edge pools in the SAN name in the certificate."

    Which means:

    You only need 1 single certificate, and it must have 

    Subject Name (SN): Edgepool-1.domain.com

    Subject Alternative Name (SAN): Edgepool-1.domain.com, Edgepool-2.domain.com, Edgepool-3.domain.com, Edgepool-N.domain.com, sip.domain.com

    Same as what you already have:

    FQDN: APShanghai.domain.com

    SAN : ApJapan.domain.com
        : ApSingpaore.domain.com
        : ApGermany.domain.com
        : SIP.domain.com

    So, you are good to go and ready. 


    • Edited by ThettNaing Saturday, October 28, 2017 5:01 PM
    • Marked as answer by MadhuSri011 Saturday, October 28, 2017 9:49 PM
    Saturday, October 28, 2017 4:59 PM
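
Added example, not part of the original thread or of Microsoft's documentation: a Python check of which site Edge FQDNs one shared certificate covers, assuming standard TLS name matching (SAN DNS entries take precedence over the subject name, comparison is case-insensitive, a wildcard stands for one left-most label). The subject, SAN and site lists are constructed from the thread's naming, and `audit`, `covered` and `_match` are hypothetical helper names.

```python
"""Added example: which site Edge FQDNs does one shared certificate cover?"""

def _match(pattern, host):
    """Case-insensitive DNS match; '*' may stand only for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covered(host, subject_cn, sans):
    """SAN DNS entries take precedence; the subject CN counts only if there are no SANs."""
    names = sans if sans else [subject_cn]
    return any(_match(n, host) for n in names)

def audit(subject_cn, sans, site_fqdns):
    """Map each site FQDN to (covered, subject_matches).

    covered=True with subject_matches=False is the mismatch warning the thread
    calls expected; covered=False means name validation for that site fails.
    """
    return {h: (covered(h, subject_cn, sans), _match(subject_cn, h)) for h in site_fqdns}

# Constructed sample data modelled on the thread's naming, not read from a real PFX.
SUBJECT = "APShanghai.domain.com"
SANS = ["APShanghai.domain.com", "ApJapan.domain.com", "ApSingapore.domain.com",
        "ApGermany.domain.com", "sip.domain.com"]
# Same list with one SAN entry misspelled (constructed failure case).
SANS_TYPO = [n.replace("Singapore", "Singpaore") for n in SANS]
SITES = ["APShanghai.domain.com", "APJapan.domain.com", "APSingapore.domain.com",
         "APGermany.domain.com"]

if __name__ == "__main__":
    for label, sans in (("correct SANs", SANS), ("misspelled SAN", SANS_TYPO)):
        print(label)
        for host, (ok, subj) in audit(SUBJECT, sans, SITES).items():
            status = "covered" if ok else "NOT COVERED"
            note = "" if subj else " (subject name differs)"
            print(f"  {host:26} {status}{note}")
```

Running it against the SAN list exported from the real certificate before rollout separates the expected subject-name warning from a site FQDN that is actually missing from the SAN.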

All replies

  • Thank you so much for the suggestions and support.
    Regards,
    MS

    Sunday, October 29, 2017 10:50 PM
  • Hi,

    Thanks for sharing, it is really helpful.


    Regards,

    Alice Wang



    Monday, October 30, 2017 1:35 AM