×
INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here

Cannot install p12 device certificate on 1120e

Cannot install p12 device certificate on 1120e

Cannot install p12 device certificate on 1120e

(OP)
Hello all,

I am trying to install a device cert on 1120e sets using [DEV_CERT} section in the config file. When rebooted, the phone asks for a password for the p12 file, however, in the debug shell I get:

PKI_X509_LoadData: No key usage found
PKI_PKCS12_FindDeviceCert: Certificate is expired (-8)
PKI_PKCS12_ExtractDeviceCert: Unable to find device cert from PKCS12 file (-8)

The p12 is fine. The certificate is there, it is not expired and has key usage info. One thing I noticed in the log files is they are all marked from 2002, so I think there might be an an issue with the time being out of sync and it thinking that the cert isn't yet valid. Is there a way to set a NTP server or something? The set gets its time correctly from the BCM once it's finished starting up.

Much thanks for any help!

RE: Cannot install p12 device certificate on 1120e

What firmware are you using for the 1120e sets?.

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = http://somertel.net
linkedin

RE: Cannot install p12 device certificate on 1120e

(OP)
Unistim Release 5.5.10 0624c98

RE: Cannot install p12 device certificate on 1120e

(OP)
I didn't know C99 was released, just got it uploaded and it works fine. It did not solve the cert issue. However, I did get it fixed. I have no idea if it was just multiple reboots that did it, but I changed the subnet of the sets temporarily to the one the TFTP server is on, and then it worked. I have no idea why that would solve it since it was already reading other config files just fine, but anyways, that appears to have done it.

Thanks for your help Firebird!

RE: Cannot install p12 device certificate on 1120e

Excellent news Noreth.

Just a daft question, but what method did you use to update the firmware as I tried using a TFTP Server and also after putting the file directly into the BCM's folder.

I was trying to update my 1140e phone. I eventually managed to get the *C98 to load in OK after I had reverted the firmware back to *C84 (I think?).

Any help would be appreciated please?. I can send the other *C99 files if you want them.

The 0625C99.bin is attached.

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = http://somertel.net
linkedin

RE: Cannot install p12 device certificate on 1120e

(OP)
I just used TFTP and it worked without any issues. Unfortunately, I don't have access to a 1140e to test 25C99 with, so I don't know if I can help much. Have you tried setting download to FORCED rather than AUTO in the 1140e.cfg file?

RE: Cannot install p12 device certificate on 1120e

noreth, you did not mention what model and release BCM you are on.

Try first downgrading to one below 0625C98

I can confirm I get the same Auth Fail message on my test set - Avaya 1140e with 025C94 which is the last supported firmware for BCM.
I am on BCM50 Release 6 with the last supported patches - Desktop 005 and System 022.
I tried both tftp server and uploading to the BCM with same error.



________________________________________


=----(((((((((()----=
www.curlycord.com
Toronto, Canada

Add me to LinkedIN

RE: Cannot install p12 device certificate on 1120e

(OP)
I have a BCM 450 Release 6. I have never looked into the patches, I just could find that it has version 12-2 for core-telephony and version 003.201101-2 for the "SU.system".

I upgraded from C98 to C99 without any issues. Perhaps it's just an issue with the 1140e?

RE: Cannot install p12 device certificate on 1120e

Could be, or a certain release of it...my 1140e is Avaya branded NTYS0FBFE6
Let us know which one you have.

As for patches for the 450 R6 my notes show these are the last ones generated:

BCM450.R600.SU.System-022
BCM450.R600.SU.Desktop-005
BCM450.R600.UTPS-138-1
BCM450.R600.R600.FPGA-78

Example of out of date...
Your Core 12-2 is now at 128 (13th release), all of them are inside the BCM450.R600.SU.System-022 patch.

________________________________________


=----(((((((((()----=
www.curlycord.com
Toronto, Canada

Add me to LinkedIN

RE: Cannot install p12 device certificate on 1120e

(OP)
My 1120e is NTYS03BEE6

I haven't updated my BCM with the latest updates since I'm not authorized with Avaya to download the patches sad. Only the phone firmware is available to the public sadly.

I will have a 1140e in a couple weeks so I will let you know if my luck varies with the firmware.

RE: Cannot install p12 device certificate on 1120e

Some of us do have them on our sites/ftp but links not posted in public for that file size.

________________________________________


=----(((((((((()----=
www.curlycord.com
Toronto, Canada

Add me to LinkedIN

RE: Cannot install p12 device certificate on 1120e

(OP)
I've spent way too much time troubleshooting this phone…

I first experienced the same problems that you both did. I upgraded from C93 to C98 with no problem. I originally tried to upgrade from C93 to C99 but I got auth failed. Same result when trying to do C98 to C99.

However, I was finally able to get to C99 by going from C93 to C98 to C99 successively. Each time it started writing the firmware, I changed the cfg file firmware on my tftp server to C98 and then C99, so the phone did not ever fully booted until C99 had finished downloading.

Here is the debug output when it downloaded C99:

Checking CFG file authentication
Automatic authentication failed -4
Security policy action for base file = 2
================== Checking Security finished: SECURITY_SUCCESS_NO_AUTH
1140e.cfg was authenticated successfully!
Downloaded NUM bytes= 259
----------------------------------------
[FW]
DOWNLOAD_MODE AUTO
VERSION 0625C99
FILENAME 0625C99.bin
PROTOCOL TFTP
SERVER_IP 10.0.1.9
============= end Section Tree =============
callbackFunction START_EXECCFG
procSectionsTree::======== start executing of the [FW] section =====
cmpVersions(): AUTO
cmpVerFW():: Curr=0625C98, New=0625C99
cmpVerFW()::Download New
manCode is 0x00c2
newFWver is C99
callbackFunction Section: [FW], filename: 0625C99.bin
UI portion of FW download, status : 4
PrepareDownloadBuffer: using existing buffer (size=28019kb, needed=4608kb)
procCurrentFileForSection: 28692464 bytes have been allocated for firmware downloading, buffer address = 82044BD0
callbackFunction UNKNOWN
resolveServerName:: do nothing for [10.0.1.9]
Bytes: 3766760
Total 3766760 bytes have been downloaded from TFTP server.


!!!! downloadFile::Downloaded OK = 3766760 bytes
##### Authenticating firmware using PKI signature with block ID 0x56215ca2... #####
[Avaya Inc.][Avaya File Signing Authority 2013]
Expires : SUN MAY 22 12:25:37 2023 - (Valid)
Serial : 0x65
********** Firmware file was authenticated successfully.
callbackFunction PROCESS_EXESEC
LED is set
Upgrade from new memory MM01 to new memory map MM01
cc5a367a cc5a367a
Message: Image has checked.
newFWver is C99
manCode is 0x00c2
Message: Write to address bfc20000
Message: Recheck checksum in flash.
Flash checksum OK.
6a9b225f 6a9b225f
Message: Image has checked.
newFWver is C99
manCode is 0x00c2

Notice there is no "SECURITY_MODE 0" in the cfg file and I found it kept throwing errors so I just ended up removing it.

My thinking is that it is an issue with authenticating the PKI as I noticed when I tried installing from C98 that it said the PKI was expired. This would also explain my issues downloading the p12 file.

I'm not sure when the firmware broke because I just chose C93 randomly, but there is an issue with the phone getting its time in sync with firmware C98 as I encountered the same issues trying to download the p12 file to the 1140e phone with C98 and was only able to download it with C93. Oddly enough, I was getting bad signature errors from my radius server with C93 that disappeared when I went back to C98 after the cert was downloaded.

Let me know if I missed any details or if you have any theories, but hope this works for you!

RE: Cannot install p12 device certificate on 1120e

This really is interesting and a great thanks for confirming that there was an issue with the 1140e 0625C99.bin software when using it as it should have been.

I shall give this another go shortly. Thanks so much for taking the time to look into it. It is very much appreciated.
A star from me.

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = http://somertel.net
linkedin

RE: Cannot install p12 device certificate on 1120e

Hi everyone: Someone directed me to this thread from the UCx forum. I've got a bunch of 1140e's running on C8Q firmware from Nov. 2012. I've tried everything I can think of to upgrade the firmware, and I keep getting the Auth. Fail message. I tried going to C93, no luck. I tried a smaller jump to C8T, and no luck either. Has anyone been successful upgrading to the latest firmware? I'd be happy to have C98, but I can't get it to load no matter what I try. Thanks for any help or insights!

-Michael

RE: Cannot install p12 device certificate on 1120e

The trick is to revert your software back to the Nortel release and then go to the *C98.bin version.
I used a TFTP server to do it.

My question is how do you update the certificate on the IP phone?. The reason I'm asking is that I've never done it before and I can't upgrade to *C99.bin.

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = http://somertel.net
linkedin

RE: Cannot install p12 device certificate on 1120e

(OP)

Quote (Firebird Scrambler)

My question is how do you update the certificate on the IP phone?. The reason I'm asking is that I've never done it before and I can't upgrade to *C99.bin.

Is your set branded Nortel or Avaya? Mine is Avaya and the Avaya root CA does not expire until 2033. I assume yours is expired and that’s why you’re asking?

RE: Cannot install p12 device certificate on 1120e

Thanks for repling back Noreth. All my 1140e sets are branded Nortel.

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = http://somertel.net
linkedin

RE: Cannot install p12 device certificate on 1120e

(OP)
Now this is just a random thought..

Have you tried installing the SIP firmware and then going back to Unistim? Maybe going from SIP to unistim would change something.

I wonder because all my sets came with SIP firmware originally and I’ve been successful with installing C99.

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members! Already a Member? Login

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close