source: unity-connection/v15/os-admin/os-admin.md
chunk_id: unity-connection::v15::os-admin::os-admin::27

Using Third-Party CA Certificates

Single-server and Multi-server Certificates Overview

As the name suggests, a single-server certificate contains a single FQDN, which identifies the trust for that FQDN only. The single FQDN or domain is present in the Subject Alternative Name (SAN) extensions. If there are multiple servers in a cluster, the system requires the generation of an equal number of X.509 certificates, one for each server.

The system uses a multi-server certificate to identify the trust for multiple servers, domains, or sub-domains. The SAN extensions of a multi-server certificate contain multiple FQDNs or domains.

Note: For telephony integration, a multi-server SAN certificate is supported only with SIP integration. With SCCP integration, only a single-server certificate is supported.

The following table describes the basic differences between single-server and multi-server certificates.

Table 10: Configuration Comparison of Certificates

| Multi-server certificate | Single-server certificate |
| --- | --- |
| It contains multiple FQDNs or domains present in SAN extensions. | It contains a single FQDN or domain in either the CN field and/or SAN extensions. |
| A single certificate identifies multiple servers. | The system uses a single certificate for each server in a cluster. |
| Since this certificate covers only one public and private key pair common to all servers, it requires secure transfer of the same private key to all the servers in a cluster along with the certificate. If the private key is compromised on any server, the certificate and private key need to be regenerated for all the servers. | The administrator regenerates the certificate and private key on each individual server in situations such as certificate expiry, private key compromise, etc. |
| There is less overhead for the administrator in managing multi-server certificates since he or she performs the steps only once on a given server, and the system distributes the associated private key and signed certificates to all the servers in the cluster. | Generation of single-server certificates can become an overhead for the administrator in a large cluster because the administrator needs to perform steps such as generating the Certificate Signing Request (CSR), sending the CSR to the CA for signing, and uploading the signed certificate for each of the servers in the cluster. |

Cisco Unified Communications Operating System supports certificates that a third-party Certificate Authority (CA) issues with a PKCS #10 Certificate Signing Request (CSR). The following table provides an overview of this process, with references to additional documentation:

Cisco Unified Communications Operating System Administration Guide for Cisco Unity Connection Release 15
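The single-server versus multi-server comparison above can be checked against a CA-issued certificate before it is uploaded. The following is an added example, not taken from the Cisco guide: it reads the SAN section of `openssl x509 -noout -text` output, classifies the certificate, and flags cluster nodes the SAN does not cover as well as a multi-server certificate used with a non-SIP integration. The function names, hostnames and sample output are constructed for illustration, and matching is exact, so wildcard or parent-domain entries are not interpreted.

```python
import re

def san_dns_names(openssl_text):
    """Extract DNS entries from the SAN line of `openssl x509 -noout -text` output."""
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if "X509v3 Subject Alternative Name" in line:
            found = re.findall(r"DNS:([^,\s]+)", lines[i + 1])
            return sorted({name.lower() for name in found})
    return []

def audit_certificate(openssl_text, cluster_nodes, integration):
    """Classify the certificate and list mismatches with the cluster layout."""
    names = san_dns_names(openssl_text)
    nodes = sorted(n.lower() for n in cluster_nodes)
    kind = "multi-server" if len(names) > 1 else "single-server"
    findings = []
    if not names:
        # A single-server certificate may carry its FQDN in the CN field only.
        findings.append("no DNS entry in SAN; FQDN may be in CN only (not read here)")
    elif kind == "multi-server":
        missing = [n for n in nodes if n not in names]
        if missing:
            findings.append("cluster nodes not covered by SAN: " + ", ".join(missing))
        if integration.upper() != "SIP":
            findings.append("multi-server SAN certificate is supported only with SIP integration")
    elif names[0] not in nodes:
        findings.append("SAN name %s is not a cluster node" % names[0])
    return kind, findings

# Constructed sample output; the hostnames are placeholders.
MULTI = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:cuc-pub.example.com, DNS:cuc-sub.example.com
"""
SINGLE = """\
            X509v3 Subject Alternative Name:
                DNS:cuc-pub.example.com
"""
CLUSTER = ["cuc-pub.example.com", "cuc-sub.example.com"]

if __name__ == "__main__":
    for label, text, integ in [("multi/SIP", MULTI, "SIP"),
                               ("multi/SCCP", MULTI, "SCCP"),
                               ("single/SCCP", SINGLE, "SCCP")]:
        print(label, audit_certificate(text, CLUSTER, integ))
```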