Issuing Certificate for Cisco Expressway

In order to work in MRA scenarios, Cisco Expressway-E servers need certificates signed by a public Certificate Authority. Here is a cheatsheet on how to issue such a certificate for two Expressway-E servers working as an HA pair.

First of all: wildcard certificates are not supported, and certificates signed by a private CA aren't supported either. You will need an SSL certificate with a set of Subject Alternative Names.

One certificate is sufficient for two Expressway-E servers working as an HA pair. The parameters I typically use are the following:

CN = connect.customer.com

SAN = connect.customer.com, expwye1.customer.com, expwye2.customer.com, collab-edge.customer.com

Where:

connect.customer.com is a URL that will be used to connect to the Expressway-E cluster from the outside world;

expwye1.customer.com is the outside DNS record of Expressway-E server 1;

expwye2.customer.com is the outside DNS record of Expressway-E server 2.

Then the same certificate can be loaded on both Expressway-E servers.
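The name plan above can be turned into a CSR and checked before it is sent to the CA. This is an added example, not part of the original cheatsheet: it assumes the request is built with OpenSSL on an admin workstation, and the file names are constructed.

```shell
# Sample names from this page; replace with your own FQDNs.
CN="connect.customer.com"
SANS="connect.customer.com expwye1.customer.com expwye2.customer.com collab-edge.customer.com"

# Write an OpenSSL request config with the CN and one DNS SAN per name.
write_req_config() {  # $1 = config file to create
  _i=1
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n'
    printf '[dn]\nCN = %s\n[ext]\nsubjectAltName = @alt\n[alt]\n' "$CN"
    for _n in $SANS; do
      printf 'DNS.%d = %s\n' "$_i" "$_n"
      _i=$((_i + 1))
    done
  } > "$1"
}

# Create a 2048-bit RSA key and a CSR from the config.
make_csr() {  # $1 = config, $2 = key out, $3 = CSR out
  openssl req -new -newkey rsa:2048 -nodes -config "$1" \
    -keyout "$2" -out "$3" 2>/dev/null
}

# Print the DNS SANs found in a CSR, one per line.
csr_sans() {  # $1 = CSR
  openssl req -in "$1" -noout -text | tr ',' '\n' |
    sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Fail if the CSR carries a wildcard, or lacks the CN or any planned SAN.
check_csr() {  # $1 = CSR
  _found="$(csr_sans "$1")"
  _rc=0
  if printf '%s\n' "$_found" | grep -q '\*'; then
    echo "wildcard SAN present"; _rc=1
  fi
  for _n in $CN $SANS; do
    printf '%s\n' "$_found" | grep -qxF "$_n" ||
      { echo "missing SAN: $_n"; _rc=1; }
  done
  return $_rc
}

# Demo run in a private scratch directory (mktemp -d creates it mode 0700).
work="$(mktemp -d)"
write_req_config "$work/req.cnf"
make_csr "$work/req.cnf" "$work/expressway-e.key" "$work/expressway-e.csr"
check_csr "$work/expressway-e.csr" && echo "CSR ready: $work/expressway-e.csr"
```

Running `check_csr` again on the request the CA echoes back, before paying for issuance, catches a dropped node name while it is still cheap to fix.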