Using SAN certificates for Jabber

This is a bit of a continuation of my previous post, SSL Certificates for Jabber, where I mentioned that the main downside to using a public CA for your certificates is the cost. It has probably crossed your mind that you could maybe use a wildcard or SAN certificate instead. With a wildcard the answer is simple: no. Refer to Cisco enhancement bug ID CSCta14114.

SANs are supported, but they won't really help you reduce the number of certificates you need to buy. You can use them if you'd like your clients to reach the same server through multiple URLs (for example internal and external domain names), but you still need to generate a CSR on each server and then upload the corresponding CA-signed certificate to each one. Unfortunately there's no way of importing a SAN certificate's private key into either the IM and Presence or CUCM servers, as you might be used to doing with Windows IIS or other devices.

All of this makes your enterprise CA the more attractive option overall, the only sticking point being devices not joined to the domain (particularly mobile devices) and how to make them trust your internal CA. For some people this may not be an issue, and you might be quite happy accepting the certificate warning on first connection, but I'm yet to find a straightforward solution to this.