Hybrid CMR (aka WeT) Certificate Changes

Dear WebEx/CMR-Hybrid/CMR-Cloud Customer,
To enhance security, on January 20, 2015, Cisco changed to a 4096-bit certificate model
under different root certificate authorities, than used previously.  These certificates
are used to secure traffic to and from the Cloud components and your Edge devices (VCS
Expressway or Expressway-E). This is part of a continuing process to maintain meeting
confidentiality and privacy.
Previously, WebEx had used a certificate that was issued under the Root CA 'DST Root CA
X3' to secure traffic between the customer premises and WebEx.  Your VCS Expressway or
Expressway-E stores the root certificate 'DST Root CA X3' that trusts our previously used
certificates on the WebEx cloud servers. We have revoked this certificate and replaced it
with new certificates that will be issued by up to four different Root authorities. We
need to ensure that your Edge device trusts the new Root certificate authorities in order
support the new WebEx certificates.
Based on customer feedback after our initial Certificate Update Communication sent on
January 9th, 2015, we have subsequently determined that a fourth Certificate for customers
was missing from the communication, and that this additional Certificate is indeed
required. This additional Certificate is listed below as "Root 2." To ensure proper and
private/secure operation of CMR Hybrid/CMR Cloud, customers need to ensure that all four
root certificate authorities below are added to their 'Trusted CA Certificate' list.
Details on how to add CA certificates can be found in the 'Cisco TelePresence VCS
Certificate Creation and Use' Page 13

Current CA's Trusted from WebEx:
   Verisign Certificates:

Full Verisign Root Certificate Package Download:

   Specific required Verisign Certificates downloaded from below link:

*       Root 2
o       'VeriSign Class 3 Public Primary CA' - http://www.symantec.com/page.jsp?id=roots
*       Root 3
o       'VeriSign Class 3 Primary CA - G5' - http://www.symantec.com/page.jsp?id=roots
*       Root 4
o       'VeriSign Class 3 Public Primary CA - G3' -

   QuoVadis Certificate:

*       QuoVadis Root CA2
o       'QuoVadis Root CA 2' -