SBC Certificate Renewal 7.1

wpetilli

Technical User
May 17, 2011
1,877
US
The certificate we apply to our SBC is due to expire soon. This is a cert we generate from our internal PKI. Can someone help confirm this process?

I was going to access the EMS web interface and choose to install a certificate, provide the name, overwrite the existing cert, upload the new .pem file. I also was provided a new .key file that I would flag to upload.

Couple of questions:
1. Is that the process so far?
2. Do I need to upload a trust chain file if we aren't changing what's on there currently?
3. Does the key file have to be in .key format or .pem?

After that I was going to log into the CLI of the active SBC and run the CLIPCS command:
certsync
certinstall certificate_file_name
passphrase
exit
 
It's 7.1, so... pray it works.

What I've always done is generate my own key and CSR. I believe in the window you have to upload the trust chain with the pem at the time. Think of it like doing an openssl command on the CLI on the backend to make a pkcs12. It's not just going to infer the trust chain file.
 
I guess my only question is if I 'have' to choose to upload a chain file. I don't ever recall doing that. I know I have the cert itself and the key file. The root/subca is on a separate section and isn't changing.
 
I completed this on my 7.1 H/A pair. I did not need to upload the trust bundle file.

Later today, I have to do the same renewal, but on a 7.2 standalone SBC with built in EMS. I know the process from the web is the same. I saw an Avaya document stating that I need to do the following after the upload from the web:

from the CLI: navigate to: /usr/local/ipcs/cert/key type: enc_key filename passphrase

Is that necessary? I don't recall doing this originally. Also, we do not generate the CSR from the SBC.
 
On a single server, I don't think so. You sure that enc key isn't for HA?

Either way, do a TLS trace and you'll see it doing something stupid if you need it.
 
For the H/A I had to do the CLIPCS / certsync / certinstall name.pem, restarted them, and the cert seemed good.

For the standby SBC that is a single server, I did use that enc_key filename "". Our messaging folks said they don't use passphrases when they generate CSRs. Seemed like that worked.
 
Well done!

You're reminding me of things I never wanted to remember!
 
Now they've changed server certs to only have 1 year validity, instead of 2. They just keep piling on the pain. We're close to moving the stuff into AWS, so at least they'll be on brand new boxes.
 
I mean, license-wise I don't think anything stops you from moving to 7.2.2.6 or .7 if you have to tough it out for a while and they give you problems.

They work OK once they're up, but getting the older loads working was tough.

Do df -h and make sure the EMS disk doesn't get full.
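
Added example, not from any poster in this thread or from Avaya documentation: a shell pre-check, run with openssl on an admin workstation before the upload, that settles the questions raised above (does the new cert match the key file, is the key passphrase-protected, does the cert chain to the existing root/sub-CA bundle). The function names and file arguments are made up for the example, and the passphrase is read from the KEY_PASS environment variable so it stays off the command line.

```shell
#!/bin/sh
# Pre-upload checks for a renewed certificate/key pair (added example).
# Nothing here talks to the SBC; it only inspects local PEM files.

# True if the PEM key is passphrase-protected (PKCS#8 or traditional header).
key_is_encrypted() {
    grep -Eq '^(-----BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED)' "$1"
}

# 0 if the certificate's public key equals the key file's public key,
# 1 on mismatch, 2 if either file cannot be read (e.g. wrong passphrase).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(KEY_PASS="${KEY_PASS-}" openssl pkey -in "$2" -pubout \
              -passin env:KEY_PASS 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# True if the certificate is still valid N days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# True if the certificate verifies against a CA bundle (root + sub-CA PEMs).
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# usage: KEY_PASS=... preflight cert.pem key.pem ca-bundle.pem
preflight() {
    rc=0
    if key_is_encrypted "$2"; then
        echo "key: encrypted, a passphrase is required"
    else
        echo "key: not encrypted, passphrase is empty"
    fi
    cert_matches_key "$1" "$2" || { echo "FAIL: cert/key mismatch or bad passphrase"; rc=1; }
    cert_valid_for_days "$1" 30 || { echo "FAIL: cert expires within 30 days"; rc=1; }
    chain_verifies "$1" "$3"    || { echo "FAIL: cert does not chain to $3"; rc=1; }
    return $rc
}

# Run the checks only when file arguments are supplied.
if [ "$#" -ge 3 ]; then preflight "$@"; fi
```

A .key file and a .pem key are usually the same PEM text under different extensions; `cert_matches_key` fails with status 2 if the file is not a PEM key openssl can parse.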
 