A. Expressway Core can use private CA signed certificate.
> Yes, it can use a private CA signed cert. But the Exp-E needs to trust it. Is it best practice? I guess not. Been there, done that.
B. You must upload the root certificates in the phone trust store.
> Nope
C. Expressway must generate certificate signing request.
> No, it doesn't have to (must not). I believe you can use a private key generated and provided by a CA, and upload it manually via SCP.
D. Expressway Edge must use public CA signed certificate.
> No it must not. Can work with a private CA signed cert.
E. The Jabber client can work with public or private CA signed certificate.
> Yes it can. It will prompt the user to trust the certificate presented if the root or intermediate CA cert is not in the device's trust store. End of story.
So A & E are the correct answers.
I think Collabinski is right.
C and D are the answers I would prefer
A. Expressway Core can use private CA signed certificate – While technically possible, this is not recommended for MRA, as clients connecting via the Edge would not trust a private CA.
E. The Jabber client can work with public or private CA signed certificate – This is only partially true. The Jabber client can trust a private CA signed certificate if the root CA certificate is manually installed on the device, but for MRA via the Edge, a public CA is required for seamless operation.
Which two statements about Mobile and Remote Access certificate are true? (Choose two.)
A. Expressway Core can use private CA signed certificate.
B. You must upload the root certificates in the phone trust store.
C. Expressway must generate certificate signing request.
D. Expressway Edge must use public CA signed certificate.
E. The Jabber client can work with public or private CA signed certificate.
The only server that is really required to be signed by a public CA is the Expressway-E. This is the only server that clients will see the certificate from when signing in via MRA; therefore, using a public CA will ensure that users do not have to manually accept the certificate.
Certificate Generation Overview
X.509 certificates may be supplied from a third party, or may be generated by a certificate generator such as OpenSSL or a tool available in applications such as Microsoft Certification Authority. Third-party certificates supplied by recognized certificate authorities are recommended, although Expressway deployments in controlled or test environments can use internally generated certificates.
Certificate generation is usually a 3-stage process:
■ Stage 1: generate a private key
■ Stage 2: create a certificate request
■ Stage 3: authorize and create the certificate
I think C & D are correct.
https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/213872-configure-and-troubleshoot-collaboration.html
I agree with the answers below. You can load a cert without a CSR as long as you also load the private key (you do this in clustering a lot), and you can use a private CA on the E as long as you're not going to have physical phones running through it.
Answer should be A and D. For C, I think the key word is "can" or "must".
upvoted 4 times
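The three-stage generation process quoted in the thread, followed by the trust-store check the commenters are debating, as an added example that is not part of the thread or of Cisco's documentation. It assumes the `openssl` CLI is installed; the CA names, file names and the FQDN `expe.example.test` are constructed placeholders for a lab.

```shell
#!/usr/bin/env bash
# Added example: lab-only private CA; every name below is a constructed placeholder.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT   # lab keys are throwaway; remove them on exit

write_config() {  # $1 = server FQDN for the subjectAltName
  cat > "$WORK/openssl.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
subjectAltName = DNS:$1
extendedKeyUsage = serverAuth,clientAuth
EOF
}

make_root_ca() {  # $1 = file prefix, $2 = CN; self-signed root for a private CA
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -days 30 -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_server_cert() {  # $1 = FQDN, $2 = file prefix of the signing CA
  # Stage 1: generate a private key
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  # Stage 2: create a certificate request
  openssl req -new -config "$WORK/openssl.cnf" -key "$WORK/server.key" \
    -subj "/CN=$1" -out "$WORK/server.csr"
  # Stage 3: authorize and create the certificate
  openssl x509 -req -in "$WORK/server.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -days 30 -extfile "$WORK/openssl.cnf" -extensions v3_server \
    -out "$WORK/server.pem" 2>/dev/null
}

trusted_by() {  # $1 = PEM bundle standing in for a client's trust store
  openssl verify -CAfile "$1" "$WORK/server.pem" 2>/dev/null | grep -q ': OK$'
}

write_config expe.example.test
make_root_ca "$WORK/corp" "Lab Private Root CA"
make_root_ca "$WORK/other" "Unrelated Root CA"
issue_server_cert expe.example.test "$WORK/corp"
trusted_by "$WORK/corp.pem"  && echo "root in store: chain verifies"
trusted_by "$WORK/other.pem" || echo "root missing:  chain rejected"
```

The same server certificate passes or fails depending only on whether the issuing root is in the bundle handed to the verifier, which is the condition under which a client either accepts the certificate silently or has to prompt.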
Community vote distribution: A (35%), C (25%), B (20%), Other