SBC Certificate Renewal 7.1


(OP)
The certificate we apply to our SBC is due to expire soon. This is a cert we generate from our internal PKI. Can someone help confirm this process?

I was going to access the EMS web interface and choose to install a certificate, provide the name, overwrite the existing cert, upload the new .pem file. I also was provided a new .key file that I would flag to upload.

Couple of questions:
1. Is that the process so far?
2. Do I need to upload a trust chain file if we aren't changing what's on there currently?
3. Does the key file have to be in .key format or .pem?

After that I was going to log into the CLI of the active SBC and run the CLIPCS command:
certsync
certinstall certificate_file_name
passphrase
exit

RE: SBC Certificate Renewal 7.1

It's 7.1, so... pray it works.

What I've always done is generate my own key and CSR. I believe in the window you have to upload the trust chain with the pem at the time. Think of it like doing an openssl command on the CLI on the backend to make a pkcs12. It's not just going to infer the trust chain file.

RE: SBC Certificate Renewal 7.1

(OP)
I guess, my only question is if I 'have' to choose to upload a chain file. I don't ever recall doing that. I know I have the cert itself and the key file. The root/subca is on a separate section and isn't changing.

RE: SBC Certificate Renewal 7.1

(OP)
I completed this on my 7.1 H/A pair. I did not need to upload the trust bundle file.

Later today, I have to do the same renewal, but on a 7.2 standalone SBC with built in EMS. I know the process from the web is the same. I saw an Avaya document stating that I need to do the following after the upload from the web:

From the CLI, navigate to: /usr/local/ipcs/cert/key
Type: enc_key filename passphrase

Is that necessary? I don't recall doing this originally. Also, we do not generate the CSR from the SBC.

RE: SBC Certificate Renewal 7.1

On a single server, I don't think so. You sure that enc key isn't for HA?

Either way, do a TLS trace and you'll see it doing something stupid if you need it.

RE: SBC Certificate Renewal 7.1

(OP)
For the H/A I had to do the CLIPCS / certsync / certinstall name.pem, restarted them, and the cert seemed good.

For the standby SBC that is a single server, I did use that enc_key filename "". Our messaging folks said they don't use passphrases when they generate CSRs. Seemed like that worked.

RE: SBC Certificate Renewal 7.1

Well done!

You're reminding me of things I never wanted to remember!

RE: SBC Certificate Renewal 7.1

(OP)
Now they've changed server certs to only have 1 year validity, instead of 2. They just keep piling on the pain. We're close to moving the stuff into AWS, so at least they'll be on brand new boxes.

RE: SBC Certificate Renewal 7.1

I mean, license-wise I don't think anything stops you from moving to 7.2.2.6 or .7 if you have to tough it out for a while and they give you problems.

They work OK once they're up, but getting the older loads working was tough.

Do df -h and make sure the EMS disk doesn't get full.
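
The questions raised in this thread (does the new .pem match the supplied .key, is the key passphrase-protected, does the certificate still chain to the root/sub-CA already on the SBC) can be answered with openssl before anything is uploaded. The script below is an added example, not part of the original posts and not Avaya tooling; the function names, file names, the make_sample helper and the 30-day threshold are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: checks to run on a renewed certificate before uploading it.
# Function names, file names and the 30-day threshold are illustrative assumptions.

# Succeeds if the PEM private key is passphrase-protected (PKCS#8 or legacy PEM).
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# Succeeds if the certificate ($1) and private key ($2) hold the same public key.
# "-passin pass:" supplies an empty passphrase so openssl never prompts.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds if the certificate ($1) is still valid $2 days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeeds if the certificate ($2) chains to the CA bundle ($1), e.g. the
# root/sub-CA file that is already installed and is not being changed.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Runs all checks; prints one line per finding, returns non-zero on any failure.
precheck() {  # usage: precheck cert.pem key.pem ca-bundle.pem
  rc=0
  if key_is_encrypted "$2"; then echo "NOTE: key is passphrase-protected"; fi
  cert_matches_key "$1" "$2" || { echo "FAIL: cert/key mismatch or unreadable key"; rc=1; }
  valid_for_days "$1" 30 || { echo "FAIL: certificate expires within 30 days"; rc=1; }
  chains_to "$3" "$1" || { echo "FAIL: certificate does not chain to $3"; rc=1; }
  return $rc
}

# Builds a constructed throwaway CA, key and certificate in directory $1 (sample data).
make_sample() {
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
      -subj "/CN=Constructed Test CA" -days 90 &&
    openssl req -newkey rsa:2048 -nodes -keyout sbc.key -out sbc.csr \
      -subj "/CN=sbc.example.test" &&
    openssl x509 -req -in sbc.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -out sbc.pem -days 90 ) >/dev/null 2>&1
}

if [ "$#" -eq 3 ]; then precheck "$@"; fi
```

A key file named .key and one named .pem are usually both PEM text; the header line inside the file, not the extension, tells you whether it is encrypted.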
