×
INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Contact US

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here

SMGR C/A

SMGR C/A

(OP)
The favorite topic of everyone.. certs. We are about to move forward with a complete refresh and the topic of certs has come up. Our security teams mandate the use of our internal PKI for all infrastructure. With that comes having to set reminders for elements like servers for the renewal process. They've also shortened the life span of the certs to 13 months. We brought back to the table the use of SMGR as the C/A for the Avaya stack or potentially made a subCA of our current PKI. I'm not finding this documented, but does using SMGR in these fashions automate the stacks renewal process? And does it have the flexibility to shorten the cert validity periods to the 13 months?

RE: SMGR C/A

You can change the validity period. The EJBCA is basically a canned open source CA, so you can do lots with it. Not that Avaya would support you in using it in weird ways, but it is a fully functional CA.

You can... https://downloads.avaya.com/css/P8/documents/10104...

I'd leave it well enough alone and use SMGR only for element management and use your own on the interfaces touched by client endpoints - SM100 etc

RE: SMGR C/A

(OP)
I'm surprised you say that. I'd have thought the opposite.

RE: SMGR C/A

(OP)
I'm reading alot about utilizing a public cert on the SBC and internal stuff everywhere else. I see how a public cert on the sbc makes it way simpler for windows clients and ios devices, but how does that apply to remote hard phones. Especially where those get an identity cert and do mutual auth.

RE: SMGR C/A

If you have remote hard phones thru the SBC, you can still have an identity cert per phone and have the SBC force mutual TLS and only trust identity certs from your CA.

The SBC can offer GoDaddy but still require an identity cert from your PKI to do a handshake.

I'd put a GoDaddy on the SM, PS, AADS interfaces on the inside. Otherwise you'll pull your hair out making iOS happy with what SMGR provides to SMs and stuff.

The 1 cert can have many subject alternative names. A dozen isn't going to hurt anything.

Go check this out: https://1000-sans.badssl.com/
DNS Name=1000-sans.badssl.com
DNS Name=wowmoarsans2.badssl.com
DNS Name=wowmoarsans3.badssl.com
DNS Name=wowmoarsans4.badssl.com
DNS Name=wowmoarsans5.badssl.com
DNS Name=wowmoarsans6.badssl.com
DNS Name=wowmoarsans7.badssl.com

RE: SMGR C/A

Public Certs exist on some newer hard phones. You can enable them through 46xxsettings. You can see the list of these CAs in Appendix B of this document on the J100 phones.
https://downloads.avaya.com/css/P8/documents/10105...

I don't think it exists for 96x1 series though.

RE: SMGR C/A

(OP)
I guess we can continue to use our own PKI, even on the SBC since our laptops and mobile devices have our root and subCA's. The SCEP identity cert process is a bit of a drag and would have loved to have been able to simplify that. The public cert seems mostly beneficial to allow non company devices to work.

RE: SMGR C/A

You can offer the public cert and require the other side to offer one of your certs the SCEP enrollment provided.

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members! Already a Member? Login

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close