J179 phones are showing "Acquiring Services" after certificate was regenerated

PhonesTech

Hi guys, we've run into this issue with different clients where if we re-generate the certificate in IP Office (multiple versions of 11.0 and 11.1), the phones stop working after a day or two or after a reboot. The phone's screen shows "Acquiring Services" and the only way to get them working again is by resetting the phone. My question is: what's the best way to regenerate the certificate without any interruption?
 
You should use a certificate authority that generates the certificates and avoid using the self signed certificates from IPO security settings.
 
So, any client that's using Avaya self signed certificate will have to reset the phones unless they get CA certs?
 
Dumb question: a "real certificate" is all great, but what if they are a small company without a domain or website and, even worse, without proper IT to do split domain settings within their network?
What certificate would work there?
 
You can have certificates that cover just IPs and you can use an Application server to generate the certificates. It can be a virtual one that is "powered" down all the time and only booted to generate certificates. You can also run XCA on your computer as CA to generate the certificates.
 
Thanks derfloh.
Have I ever mentioned that I hate certificates? :)
The apps server generated certs are also self signed, so what would be the difference if they are IP Office generated? The apps server generated ones also don't have a proper cert path that would verify its validity.
Or do I just not get it?
 
The app server has an inbuilt CA that can generate certificates for other devices but also for itself. The chain is always the generated server certificate and the issuing CA certificate. Even if the App Server generates a certificate for itself, there are two different certificates: the CA certificate (root certificate), which has a longer lifetime (usually 7-10 years), AND the server certificate that is used by the running services (IPO, Webserver, 1XP, WebRTC, …), with a shorter lifetime of usually not more than 13 months. The clients trust the CA (certificate) and all servers that use certificates generated by that CA, as long as the correct SANs are set. If the CA stays the same and generates a new certificate for the service, the client will go on trusting the server.

BUT… this is only the case if you create the certificates in WebControl (:7071). In security settings (regardless of whether it is an IP500 or a Linux system) you can only generate real self signed certificates. Those don’t have a chain. The server and the issuer are the same and have the same lifetime. If you renew the certificate, the issuer certificate (even if it is not a real issuer) will be new as well and the clients don’t have that in their certificate store. So they will not trust that certificate.

You have to distinguish between the inbuilt CA of the App Server (or Primary Server) and the services (IPO, …) running on that server.

Unlike the 96xx series, which would load a new CA certificate during a reboot, J series phones only load new CA certificates if you reset them. Very annoying in my opinion.

I understand that this can be confusing, but I decided to work with that and gained good expertise in that topic, which is especially necessary as I do so much remote worker stuff (mostly with ASBCE) where you want encrypted connections and therefore need certificates.
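
The difference described in the reply above can be reproduced in a scratch directory. This is an added example, not part of the thread and not an Avaya procedure: it assumes the `openssl` command-line tool (the thread mentions XCA and the App Server CA instead), and the function names, subject names, lifetimes and the 192.0.2.x addresses are constructed sample values.

```shell
#!/bin/sh
# Constructed lab: names, lifetimes and IPs (RFC 5737 range) are sample values.
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT
IP=192.0.2.10

make_ca() {  # long-lived root; the only certificate the client has to store
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Lab Root CA" \
    -keyout "$W/ca.key" -out "$W/ca.crt" 2>/dev/null
}

issue() {  # $1 = name; short-lived server cert with an IP SAN, signed by the lab CA
  printf 'subjectAltName=IP:%s\n' "$IP" > "$W/ext.cnf"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ipo" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$W/$1.csr" -CA "$W/ca.crt" -CAkey "$W/ca.key" \
    -CAcreateserial -days 397 -extfile "$W/ext.cnf" -out "$W/$1.crt" 2>/dev/null
}

self_signed() {  # $1 = name; issuer and subject are the same cert, no chain
  openssl req -x509 -newkey rsa:2048 -nodes -days 397 -subj "/CN=ipo" \
    -addext "subjectAltName=IP:$IP" \
    -keyout "$W/$1.key" -out "$W/$1.crt" 2>/dev/null
}

trusts() {  # $1 = anchor the client holds, $2 = cert presented, $3 = IP dialed
  openssl verify -CAfile "$W/$1.crt" -verify_ip "$3" "$W/$2.crt" >/dev/null 2>&1
}

make_ca
issue srv_old; issue srv_new               # renewal: new key and cert, same CA
self_signed ss_old; self_signed ss_new     # regeneration: the "issuer" changes too

trusts ca srv_old "$IP"     && echo "CA-issued, original cert: trusted"
trusts ca srv_new "$IP"     && echo "CA-issued, renewed cert: still trusted"
trusts ca srv_new 192.0.2.99 || echo "CA-issued, IP missing from SAN: rejected"
trusts ss_old ss_new "$IP"  || echo "self-signed, regenerated: rejected by a client holding the old one"
```

The client-side trust anchor never changes in the first two checks, which is why a renewal under the same CA needs no action on the phones.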
 
