I'm preparing to deploy remote 9611G SIP hard phones to some users. We initially provision the phones internally where they are set to use SCEP to be provided an identity certificate from our internal PKI infrastructure. The certificates have a 2 year life and once deployed we want to ensure they will automatically pull an updated certificate before expiration. I see in the 46xx file a setting for MYCERTRENEW. I understand what that settings means, but will the phone in fact trigger a request for a new cert or will it just flag a warning? If it's the latter is anyone currently auto renewing certs for these? A major pain point for us is when certificates expire the phone becomes unusable and the user has to be provisioned a new one, which is not welcomed.
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
9611G Identity Certificate Renewal
- Thread starter trilogy8
- Start date
Ooh. maybe you nailed it.
AFAIK, Windows and everything shows you the cert "valid from/to" in local time, but the spec should be to do it in GMT.
So...lets think...
It's March 8, 8h00 EST (GMT-5), that's 13h00 GMT, and 21h00 (GMT+8) in Asia if 13 hrs ahead
Cert is valid from March 8 13h00 GMT->March 9 13h00GMT
Renewing every 15/20 mins at 1% is fine, that's about 1% of a day no matter what
13h27min = 807min. A day is 1440 min.
The phone should be renewing 1296 minutes after getting a cert and not 807 minutes. That's 489/490 minutes, or 8hrs10mins early.
You'd expect the phone to renew 21h36min after it got the cert, not 13h27min
So, if the phone was stupid and got it's cert at 13h00GMT/21h00GMT+8, and thought it was only good from 21h00-->13h00 the next day (16 hours or 960minutes), then it would renew at 90% of 960min, or 864 minutes later.
If the phone is in GMT+7 or 12 hours ahead of GMT-5...
The cert would be good from 20h00 -->13h00, that's 17 hours, 1020 minutes, 918min till renew, which is 15 hours 18 mins.
If the phone is in GMT+9
The cert would be good from 22h00-->13h00, that's 15 hours, 900mins, 810 minutes to renew. And you're at 807 like clockwork, eh?
If your CA backdates the cert a few minutes to account for slow PKI clients and you're phones are in GMT+9, I think we might have figured it out.
If the phone has a bug where it considers the cert's 'valid from' expressed in GMT as "local time" and "valid to" in true GMT, then the phone would renew sooner.
Here's what you can do - take a settings file, set the timezone of a test phone in Asia to GMT, see if it behaves.
Set the RENEW of a GMT+9 phone to "50" - if I'm right, then it should be "half" of the 900 minutes - 450min, or 7 and a half hours.
AFAIK, Windows and everything shows you the cert "valid from/to" in local time, but the spec should be to do it in GMT.
So...lets think...
It's March 8, 8h00 EST (GMT-5), that's 13h00 GMT, and 21h00 (GMT+8) in Asia if 13 hrs ahead
Cert is valid from March 8 13h00 GMT->March 9 13h00GMT
Renewing every 15/20 mins at 1% is fine, that's about 1% of a day no matter what
13h27min = 807min. A day is 1440 min.
The phone should be renewing 1296 minutes after getting a cert and not 807 minutes. That's 489/490 minutes, or 8hrs10mins early.
You'd expect the phone to renew 21h36min after it got the cert, not 13h27min
So, if the phone was stupid and got it's cert at 13h00GMT/21h00GMT+8, and thought it was only good from 21h00-->13h00 the next day (16 hours or 960minutes), then it would renew at 90% of 960min, or 864 minutes later.
If the phone is in GMT+7 or 12 hours ahead of GMT-5...
The cert would be good from 20h00 -->13h00, that's 17 hours, 1020 minutes, 918min till renew, which is 15 hours 18 mins.
If the phone is in GMT+9
The cert would be good from 22h00-->13h00, that's 15 hours, 900mins, 810 minutes to renew. And you're at 807 like clockwork, eh?
If your CA backdates the cert a few minutes to account for slow PKI clients and you're phones are in GMT+9, I think we might have figured it out.
If the phone has a bug where it considers the cert's 'valid from' expressed in GMT as "local time" and "valid to" in true GMT, then the phone would renew sooner.
Here's what you can do - take a settings file, set the timezone of a test phone in Asia to GMT, see if it behaves.
Set the RENEW of a GMT+9 phone to "50" - if I'm right, then it should be "half" of the 900 minutes - 450min, or 7 and a half hours.
- Thread starter
- #22
- Thread starter
- #23
so much for that.. I didn't get 21h36m, but got about 15h43m. Better. I guess it's something I can probably just move forward with. When these get moved to the normal 2 year certs this should be barely noticeable. Going to try extending the cert validity to about 4 days to see if this time remains consistent or extends further out.
- Status