×
INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Contact US

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here

ASBCE and IPO Certificates

ASBCE and IPO Certificates

ASBCE and IPO Certificates

(OP)
Hello all,

I am having a bit of an issue with Certificates apparently between my IPO: 192.168.1.251 and my ASBCE: 192.168.1.254

I am not sure what Certificate to load into the IPO as it was not mentioned in the document I am following "IP Office SIP Phones with ASBCE"

I loaded this certificate into the IPO:



These are the certificates on my ASBCE



I am getting a "Fatal Error on Connection" between the the IPO and ASBCE - Thoughts?



ACSS

RE: ASBCE and IPO Certificates

(OP)
More errors from the SBCE



ACSS

RE: ASBCE and IPO Certificates

Where did you get the certificate from? You can use the IPO to create an Identity Certificate for the SBCE inside (A-interface) and if you want, also for the outside.(B-interface)



Personally, I use keystore explorer to extract the private key and cert from the P12.

Freelance Certified Avaya Aura Engineer

RE: ASBCE and IPO Certificates

(OP)
G van Hamburg: My setup is an IPO with an Application Server Running VM Pro.

Below is how I created the certificates:

IPO Root Certificate:






IP Office identity certificate:

SANs:
DNS:FQDN
DNS:Our_Domain
IP:192.168.1.251(IPO)
IP:192.168.1.254(ASBCE_Internal)
IP:ASBCE_External
URI:sip:FQDN
URI:sip:Our_Domain
URI:sip:192.168.1.251(IPO)
URI:sip:192.168.1.254(ASBCE_Internal)
URI:sip:ASBCE_External




Identity certificate for the ASBCE:



SANs:
DNS:FQDN
DNS:Our_Domain
IP: ASBCE_External
IP:192.168.1.251 (IPO)



Extracting the ASBCE private key and identity certificate:

























ACSS

RE: ASBCE and IPO Certificates

First of all,

I have no idea why the external SBCE IP and DNS names should be in the IPO identity certificate. An identity certificate represents the identity of the host, nothing more.

My IPO identity certificate has the following:

IP: 192.168.42.1
DNS: ipo.mydomain.com (registrar)
DNS: mydomain.com (sip domain)
URI: sip:ipo.mydomain.com
URI: sip:mydomain.com

I am not sure if 1 of the URI’s could be removed but this is enough to make IX Workplace and SIP phones work both internal and external via SBCE. For other applications, you might need more.

On my server editiion, I create the IPO identity certificate directly. I do not mark ‘Create certificate for different machine’. So after applying the IPO certificate will be renewed automatically.

My A1 SBCE certificate is created by IPO and has noting in it. Of course now you create for a different machine. Machine IP = your A1 and the subject name is in my case sbce-int.mydomain.com. That’s it!

My B1 SBCE certificate is bought from Sectigo and (I have tested and use it in production)contains 2 DNS names.

DNS: ipo.mydomain.com (SIP registrar and One-X portal name)
DNS: mydomain.com (SIP domain)

Please let me know if you follow me sofar, ok? Need to go now.

Freelance Certified Avaya Aura Engineer

RE: ASBCE and IPO Certificates

(OP)
Hi G van Hamburg,

Thank you. I want to make sure I have this correct.

IPO identity certificate:



SAN's:
DNS:FQDN
DNS:Our Domain
URI:sip:FQDN
URI:sip:Our Domain


Identity certificates for the ASBCE (A1)

What Do you name this one? The Avaya Document only outlines creating one Identity Certificate for the ASCBCE which is renamed SBCE_ID.p12 and then Extracting the ASBCE private key and identity certificate. Does that process apply to this certificate?





Identity certificates for the ASBCE (B1)

What Do you name this one? The Avaya Document only outlines creating one Identity Certificate for the ASCBCE which is renamed SBCE_ID.p12 and then Extracting the ASBCE private key and identity certificate. Does that process apply to this certificate?

SAN's:
DNS:FQDN
DNS:Our Domain


ACSS

RE: ASBCE and IPO Certificates

Just search me on Linkedin and email me, ok? If you want I will show you my Lab IPO. I can tell you in 10 minutes what will take me an hour to type.

Freelance Certified Avaya Aura Engineer

RE: ASBCE and IPO Certificates

By the way, your pictures of the A1 and B1 look fine!

The picture of the IPO, do you have a server edition? Because you do not need to check the box “Create for a different machine”. Because the CA is the IPO and renewing the identity cert wil be enough. Otherwise you will download the cert and you have to install it on the IPO again.

O, and when the IPO certificate is renewed, remove the old certificate from your pc. You might have problems connection to 7070 and 7071 but that’s beacuse you trust an old certificate.

Freelance Certified Avaya Aura Engineer

RE: ASBCE and IPO Certificates

(OP)
G van Hamburg: I have an IPO with a VM Pro Application Server, that's why I have it for a different machine. Thank you for pointing that out though.

With the A1 and B1 Certificates, do I need to extract the ASBCE private key and identity certificate like outlined in the Avaya Document? Or do I just load them straight into the ASBCE as is? I named them ASBCE_A1.p12 and ASBCE_B1.p12

ACSS

RE: ASBCE and IPO Certificates

No, You can’t load the P12. You indeed need to extract the certificate and the private key. Make sure you name the certificate and key the same. so ipo-cert.cer and ipo-cert.key

Freelance Certified Avaya Aura Engineer

RE: ASBCE and IPO Certificates

(OP)
G van Hamburg: Do I extract both the A1 and B1 Certificates?

Should I Name them something like:
SBCE_ID_A1.p12
SBCE_ID_B1.p12

And then extract both with the method above and load all 4 to the ASBCE?:
SBCE_ID_A1.cer
SBCE_ID_A1.key

SBCE_ID_B1.cer
SBCE_ID_B1.key

Or am I way off here?

ACSS

RE: ASBCE and IPO Certificates

No, you are correct! That is the way to go!

You could combine A1 and B1 into 1 certificate but I always advice 1 certificate per interface or service.

Also take a look at the free windows tool Key Store Explorer. I think that’s much easier to use then open SSL.

Freelance Certified Avaya Aura Engineer

RE: ASBCE and IPO Certificates

(OP)
G van Hamburg: Added you on LinkedIn.

When I run the process to extract: SBCE_ID_A1.cer and SBCE_ID_B1.cer do I also delete everything from the certificate, only keeping the text from the first:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----






ACSS

RE: ASBCE and IPO Certificates

That’s the reason I use Key Store Explorer. You can click on the p12, see the cert and only extract that. And yes, at that time you only have the cert.

Freelance Certified Avaya Aura Engineer

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members! Already a Member? Login

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close