Certs

wpetilli

Technical User
May 17, 2011
1,877
US
I'm about to start upgrading my components as part of my patch cycles and I have some cert questions (everyone's favorite). My Session Managers are all running 6.3.9 and using the demo cert since I upgraded and didn't do a fresh install. After I upgrade my SMGR I guess it's a good time to use SMGR's cert instead of the demo on my SMs. When I go into SMGR and go to security/certificates/authority the screen shows:

Basic Functions for CA : tmdefaultca
Root CA : O=AVAYA, OU=MGMT, CN=default

Download to Internet Explorer Download to Netscape Download pem file Download jks file

Latest CRL: Created 10/31/14 2:14 PM, Expired 11/5/14 1:14 PM, number 1 Get CRL
No Delta CRL have been generated.

Create a new updated CRL : Create CRL

When I choose to view the cert it shows an expiration date of 2024 (10 years). I thought these would be 2 year certs from the doc I've read. Also, what is the expired CRL and what to do with that?
 
The System Manager CA cert is valid for 10 years. The certificates you generate with it will be valid for the duration set up in the certificate profiles. This should be where you have 2 years (730 days).

A certificate will never be valid after the expiration date of the issuing CA.
 
I am not an Avaya expert, but I can comment a little bit on the CRL. A CRL is a certificate revocation list. A certificate authority (CA) should maintain a list of certificates it issued that have been revoked (e.g. if they have been compromised). If you run your own CA then you would be responsible for maintaining this list of revoked certificates. Otherwise, a third-party CA maintains a list which can be queried online via a CRL URL or the Online Certificate Status Protocol (OCSP). Generally speaking, the value of a CRL is somewhat questionable.

My organization is using the default SMGR CA that's good for 10 years and an SMGR-CA-issued security certificate with our SMGR's FQDN that's good for 2 years. The SMs are using built-in certs with subject cn=SM100 and they're valid for 15 (!!) years even though they're using relatively weaker crypto (SHA-1/RSA signature algorithm that's deprecated, and 1024-bit RSA public key).

Whenever I have control over self-signed certificates, I try to make the expiry after my projected retirement date so it becomes someone else's problem [lol]
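The two points made above, that an issued cert can never outlive its CA and that a CRL past its "Expired" (nextUpdate) time is stale, as an added example that is not from this thread or from Avaya: a stdlib Python check that parses the CRL status line quoted in the question and clips a certificate profile's requested validity to the issuing CA's lifetime. The CA dates and the "now" timestamps are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed from the screen text quoted in the question (US dates, 12-hour clock).
CRL_LINE = "Latest CRL: Created 10/31/14 2:14 PM, Expired 11/5/14 1:14 PM, number 1 Get CRL"
_CRL_RE = re.compile(r"Created (.+?), Expired (.+?), number (\d+)")
_FMT = "%m/%d/%y %I:%M %p"


def parse_crl_line(line):
    """Return (this_update, next_update, crl_number) from the SMGR CRL status line."""
    m = _CRL_RE.search(line)
    if not m:
        raise ValueError("unrecognised CRL status line")
    return (datetime.strptime(m.group(1), _FMT),
            datetime.strptime(m.group(2), _FMT),
            int(m.group(3)))


def crl_status(line, now):
    """A CRL whose nextUpdate has passed is stale: relying parties that enforce
    revocation checking may reject the CA's certs, so the CA should publish a new one."""
    this_update, next_update, _ = parse_crl_line(line)
    if now < this_update:
        return "not-yet-valid"
    return "stale" if now > next_update else "current"


def effective_validity(ca_not_before, ca_not_after, issued_on, profile_days):
    """Validity window actually usable for a cert issued by this CA.
    The profile may request e.g. 730 days, but no relying party accepts the cert
    past the CA's own notAfter, so the window is clipped to the CA's lifetime.
    Returns (not_before, effective_not_after, was_clipped)."""
    if not ca_not_before <= issued_on <= ca_not_after:
        raise ValueError("issuance date outside CA validity")
    requested_end = issued_on + timedelta(days=profile_days)
    return issued_on, min(requested_end, ca_not_after), requested_end > ca_not_after


if __name__ == "__main__":
    print(crl_status(CRL_LINE, datetime(2014, 11, 12)))  # stale: nextUpdate 11/5/14 has passed
    ca_from, ca_to = datetime(2014, 10, 31), datetime(2024, 10, 31)  # constructed 10-year CA
    print(effective_validity(ca_from, ca_to, datetime(2016, 1, 15), 730))  # full 730 days
    print(effective_validity(ca_from, ca_to, datetime(2024, 1, 15), 730))  # clipped to CA end
```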
 
I'm assuming upgrading SMGR from 6.3.9 - 6.3.17 will not renew these 2 year certs you mention. I did read about SMGR auto-renewing once on 6.3.10 (I've read so many things I can't keep up). I want to replace the demo certs on my Session Managers and use SMGR. Where do I pull the SMGR from that would apply for this?
 
@wpetilli, I think you could be referring to this Avaya support document (SOLN201674), or at least it does contain a reference to the 2-year certificate auto-renewal.
My organization last upgraded SMGR in Jan 2016 and it did change the validity period of the cert to begin on the date on which we did the upgrade, and expiring 2 years from that date.
 
I think your SM is already allowing connections from certificates that were issued by your SMGR - like its own sessionmanager.yourdomain.com by default.

You can allow SM to also use the default certs if you do an initTM -d, but it should be allowing connections out of the box from certs issued by your SMGR. You'd basically just go into "trusted certificates" in the inventory for those SMs and remove the demo cert from there.
 
When I go into 'configure trusted certs' on one of my SMs I do see the demo cert and what looks like the default SMGR cert listed. I guess what I'm confused about is using SMGR as the CA for SM and whatever other components. I didn't think the default SMGR cert was what the docs were referring to applying to SM.
 