A few weeks ago I finished a Collaboration Edge deployment through Expressway for a customer.
In this deployment we used the new “free” Certificate Authority, aka Let’s Encrypt.
In fact, this authority is supported by 7800/8800 series IP phones as stated by the Certificate Authority Trust List document.
Many websites provide simplified management and generation of Let’s Encrypt certificates (the native one requires API integration etc., a hassle!); we used sslforfree.com, for instance.
We generated the certificate for ONLY the FQDN of Expressway as Subject Name. We did not put anything as SAN, especially no top-level domain. (The Expressway version is 8.7.3, but it should work for later versions.)
And it worked like a charm. One last thing is that the certificate has to be regenerated every 3 months so that it stays current.
Here’s my conclusion in two points:
- Let’s Encrypt is trusted by Cisco IP phones and can be used as the Certificate Authority for Expressway-E
- Putting ONLY the FQDN of Expressway in the certificate is quite enough to make phones work outside the corporate LAN