I'm running SMGR 7.0.x and I've seen an event in log referencing weblm legacy cert expiring. We install our own CA's trusted certs in the trust stores of SMGR and ASM and use our own Identity certs on ASM. Looking through the managed elements it shows the weblm legacy cert is expired. I gather it's not relevant because nothing has went crackers. I went through the managed elements and in the SMGR trust store I do see a few of the following that have long expired.
Used for validating TLS server identity certificates TM_OUTBOUND_TLS CN=Avaya Client Services Users CA, OU=Avaya IT, OU=Class 2 Managed PKI Individual Subscriber CA, OU=Symantec Trust Network, O="Avaya, Inc.", C=US
Used for validating TLS server identity certificates TM_OUTBOUND_TLS CN="Avaya CA C=US O=Avaya"
Used for validating TLS server identity certificates TM_OUTBOUND_TLS CN=ESDP CA, OU=Avaya Global Services, OU=Class 2 Managed PKI Individual Subscriber CA, OU=Terms of use at (c)06, OU=VeriSign Trust Network, O="Avaya, Inc.", C=US
Used for validating TLS server identity certificates TM_OUTBOUND_TLS CN=ESDP CA, OU=Avaya Global Services, OU=Class 2 Managed PKI Individual Subscriber CA, OU=Terms of use at (c)06, OU=VeriSign Trust Network, O="Avaya, Inc.", C=US
Used for validating TLS client identity certificates TM_INBOUND_TLS_PEM CN=ESDP CA, OU=Avaya Global Services, OU=Class 2 Managed PKI Individual Subscriber CA, OU=Terms of use at (c)06, OU=VeriSign Trust Network, O="Avaya, Inc.", C=US
Used for validating TLS client identity certificates TM_INBOUND_TLS CN=Avaya Client Services Users CA, OU=Avaya IT, OU=Class 2 Managed PKI Individual Subscriber CA, OU=Symantec Trust Network, O="Avaya, Inc.", C=US
Used for validating TLS client identity certificates TM_INBOUND_TLS CN=ESDP CA, OU=Avaya Global Services, OU=Class 2 Managed PKI Individual Subscriber CA, OU=Terms of use at (c)06, OU=VeriSign Trust Network, O="Avaya, Inc.", C=U
Again, nothing has gone crackers on the system and these above certs expired years ago.
I raised a ticket with Avaya and they are pointing at a PSN where they need to run a script that does something with auto-renewal of certs. Is this necessary to do based on what I'm seeing? The engineer is saying they cannot do this out of hours/weekend and I'm concerned whatever this script is going to do will blow up the certs we installed on this. Anyone face this before?
Used for validating TLS server identity certificates TM_OUTBOUND_TLS CN=Avaya Client Services Users CA, OU=Avaya IT, OU=Class 2 Managed PKI Individual Subscriber CA, OU=Symantec Trust Network, O="Avaya, Inc.", C=US
Used for validating TLS server identity certificates TM_OUTBOUND_TLS CN="Avaya CA C=US O=Avaya"
Used for validating TLS server identity certificates TM_OUTBOUND_TLS CN=ESDP CA, OU=Avaya Global Services, OU=Class 2 Managed PKI Individual Subscriber CA, OU=Terms of use at (c)06, OU=VeriSign Trust Network, O="Avaya, Inc.", C=US
Used for validating TLS server identity certificates TM_OUTBOUND_TLS CN=ESDP CA, OU=Avaya Global Services, OU=Class 2 Managed PKI Individual Subscriber CA, OU=Terms of use at (c)06, OU=VeriSign Trust Network, O="Avaya, Inc.", C=US
Used for validating TLS client identity certificates TM_INBOUND_TLS_PEM CN=ESDP CA, OU=Avaya Global Services, OU=Class 2 Managed PKI Individual Subscriber CA, OU=Terms of use at (c)06, OU=VeriSign Trust Network, O="Avaya, Inc.", C=US
Used for validating TLS client identity certificates TM_INBOUND_TLS CN=Avaya Client Services Users CA, OU=Avaya IT, OU=Class 2 Managed PKI Individual Subscriber CA, OU=Symantec Trust Network, O="Avaya, Inc.", C=US
Used for validating TLS client identity certificates TM_INBOUND_TLS CN=ESDP CA, OU=Avaya Global Services, OU=Class 2 Managed PKI Individual Subscriber CA, OU=Terms of use at (c)06, OU=VeriSign Trust Network, O="Avaya, Inc.", C=U
Again, nothing has gone crackers on the system and these above certs expired years ago.
I raised a ticket with Avaya and they are pointing at a PSN where they need to run a script that does something with auto-renewal of certs. Is this necessary to do based on what I'm seeing? The engineer is saying they cannot do this out of hours/weekend and I'm concerned whatever this script is going to do will blow up the certs we installed on this. Anyone face this before?