ASBCE and IPO Certificates 1

Status
Not open for further replies.

dsm600rr

IS-IT--Management
Nov 17, 2015
1,444
US
Hello all,

I am having a bit of an issue with Certificates apparently between my IPO: 192.168.1.251 and my ASBCE: 192.168.1.254

I am not sure what Certificate to load into the IPO as it was not mentioned in the document I am following "IP Office SIP Phones with ASBCE"

I loaded this certificate into the IPO:

IPO_Cert_f0y1oy.png


These are the certificates on my ASBCE

2021-05-27_15-12-02_hhwu5g.png


I am getting a "Fatal Error on Connection" between the IPO and ASBCE - Thoughts?

2021-05-27_15-13-59_ofrleb.png


ACSS
 
Where did you get the certificate from? You can use the IPO to create an Identity Certificate for the SBCE inside (A-interface) and, if you want, also for the outside (B-interface).

Screen_Shot_2021-05-29_at_11.49.21_xfomxq.jpg


Personally, I use KeyStore Explorer to extract the private key and cert from the P12.

Freelance Certified Avaya Aura Engineer
 
G van Hamburg: My setup is an IPO with an Application Server Running VM Pro.

Below is how I created the certificates:

IPO Root Certificate:

1_tr84u9.png


2_bjo8tv.png



IP Office identity certificate:

SANs:
DNS:FQDN
DNS:Our_Domain
IP:192.168.1.251(IPO)
IP:192.168.1.254(ASBCE_Internal)
IP:ASBCE_External
URI:sip:FQDN
URI:sip:Our_Domain
URI:sip:192.168.1.251(IPO)
URI:sip:192.168.1.254(ASBCE_Internal)
URI:sip:ASBCE_External

3_bzchj7.png



Identity certificate for the ASBCE:

4_bvisuc.png


SANs:
DNS:FQDN
DNS:Our_Domain
IP: ASBCE_External
IP:192.168.1.251 (IPO)



Extracting the ASBCE private key and identity certificate:

5_g4mhj3.png


6_un2ojq.png

7_zsmrbe.png


8_lswrvw.png


9_awf2tq.png


10_hhtf4i.png


11_pdh8sn.png


12_lejdef.png


13_oixpi9.png


14_zbofjb.png


15_rergeh.png





ACSS
 
First of all,

I have no idea why the external SBCE IP and DNS names should be in the IPO identity certificate. An identity certificate represents the identity of the host, nothing more.

My IPO identity certificate has the following:

IP: 192.168.42.1
DNS: ipo.mydomain.com (registrar)
DNS: mydomain.com (sip domain)
URI: sip:ipo.mydomain.com
URI: sip:mydomain.com

I am not sure if one of the URIs could be removed, but this is enough to make IX Workplace and SIP phones work both internal and external via SBCE. For other applications, you might need more.

On my Server Edition, I create the IPO identity certificate directly. I do not mark ‘Create certificate for different machine’. So after applying, the IPO certificate will be renewed automatically.

My A1 SBCE certificate is created by IPO and has nothing in it. Of course, now you create for a different machine. Machine IP = your A1 and the subject name is in my case sbce-int.mydomain.com. That’s it!

My B1 SBCE certificate is bought from Sectigo and (I have tested and use it in production) contains 2 DNS names.

DNS: ipo.mydomain.com (SIP registrar and One-X portal name)
DNS: mydomain.com (SIP domain)

Please let me know if you follow me so far, ok? Need to go now.

Freelance Certified Avaya Aura Engineer

 
Hi G van Hamburg,

Thank you. I want to make sure I have this correct.

IPO identity certificate:

1_ggmtrx.png


SAN's:
DNS:FQDN
DNS:Our Domain
URI:sip:FQDN
URI:sip:Our Domain


Identity certificates for the ASBCE (A1)

What do you name this one? The Avaya Document only outlines creating one Identity Certificate for the ASBCE which is renamed SBCE_ID.p12 and then Extracting the ASBCE private key and identity certificate. Does that process apply to this certificate?

A1_bqsqnb.png




Identity certificates for the ASBCE (B1)

What do you name this one? The Avaya Document only outlines creating one Identity Certificate for the ASBCE which is renamed SBCE_ID.p12 and then Extracting the ASBCE private key and identity certificate. Does that process apply to this certificate?

SAN's:
DNS:FQDN
DNS:Our Domain

B1_sojps8.png



ACSS
 
Just search me on LinkedIn and email me, ok? If you want I will show you my Lab IPO. I can tell you in 10 minutes what will take me an hour to type.

Freelance Certified Avaya Aura Engineer

 
By the way, your pictures of the A1 and B1 look fine!

The picture of the IPO, do you have a Server Edition? Because you do not need to check the box “Create for a different machine”. Because the CA is the IPO and renewing the identity cert will be enough. Otherwise you will download the cert and you have to install it on the IPO again.

Oh, and when the IPO certificate is renewed, remove the old certificate from your PC. You might have problems connecting to 7070 and 7071 but that’s because you trust an old certificate.

Freelance Certified Avaya Aura Engineer

 
G van Hamburg: I have an IPO with a VM Pro Application Server, that's why I have it for a different machine. Thank you for pointing that out though.

With the A1 and B1 Certificates, do I need to extract the ASBCE private key and identity certificate like outlined in the Avaya Document? Or do I just load them straight into the ASBCE as is? I named them ASBCE_A1.p12 and ASBCE_B1.p12



ACSS
 
No, you can’t load the P12. You indeed need to extract the certificate and the private key. Make sure you name the certificate and key the same, so ipo-cert.cer and ipo-cert.key.



Freelance Certified Avaya Aura Engineer

 
G van Hamburg: Do I extract both the A1 and B1 Certificates?

Should I name them something like:
SBCE_ID_A1.p12
SBCE_ID_B1.p12

And then extract both with the method above and load all 4 to the ASBCE?
SBCE_ID_A1.cer
SBCE_ID_A1.key

SBCE_ID_B1.cer
SBCE_ID_B1.key

Or am I way off here?

ACSS
 
No, you are correct! That is the way to go!

You could combine A1 and B1 into 1 certificate but I always advise 1 certificate per interface or service.

Also take a look at the free Windows tool KeyStore Explorer. I think that’s much easier to use than OpenSSL.

Freelance Certified Avaya Aura Engineer

 
G van Hamburg: Added you on LinkedIn.

When I run the process to extract: SBCE_ID_A1.cer and SBCE_ID_B1.cer do I also delete everything from the certificate, only keeping the text from the first:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----



1_wkt00k.png



ACSS
 
That’s the reason I use KeyStore Explorer. You can click on the p12, see the cert and only extract that. And yes, at that time you only have the cert.

Freelance Certified Avaya Aura Engineer
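
The extraction discussed in the posts above, done with OpenSSL as an added example (not code from the thread or from the Avaya document): it splits a P12 into a same-named .cer/.key pair, keeps only the identity certificate block, and checks that the key and certificate belong together. The function names and the `P12_PASS` environment variable are assumptions of this example.

```shell
#!/bin/sh
# Added example. Usage: P12_PASS=... sh split_p12.sh SBCE_ID_A1.p12 SBCE_ID_A1
# The P12 password is read from the environment (P12_PASS, an assumed name)
# so that it does not appear on the command line or in the process list.

# split_p12 <file.p12> <basename>: writes <basename>.cer and <basename>.key
split_p12() (
    umask 077   # subshell-local: the key file is readable by its owner only
    # -clcerts skips the CA chain; re-encoding through `openssl x509` drops
    # the "Bag Attributes" text, leaving one BEGIN/END CERTIFICATE block.
    openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys \
        | openssl x509 -out "$2.cer" || exit 1
    # -nodes writes the key unencrypted (assumption: that is what gets
    # uploaded), so delete the .key file once it has been loaded.
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes \
        | openssl pkey -out "$2.key" || exit 1
)

# cert_count <basename>: number of certificate blocks in <basename>.cer
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1.cer"
}

# pair_matches <basename>: succeeds only if the .key belongs to the .cer
pair_matches() {
    c=$(openssl x509 -in "$1.cer" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$1.key" -pubout) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# show_sans <basename>: prints the SAN entries to compare with the intended list
show_sans() {
    openssl x509 -in "$1.cer" -noout -ext subjectAltName
}

if [ "$#" -eq 2 ]; then
    split_p12 "$1" "$2" || { echo "extraction failed" >&2; exit 1; }
    echo "certificate blocks in $2.cer: $(cert_count "$2")"
    pair_matches "$2" || { echo "key does not match certificate" >&2; exit 1; }
    show_sans "$2"
fi
```

If OpenSSL 3 rejects an older P12 with an unsupported-algorithm error, add `-legacy` to the two `openssl pkcs12` calls.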

 