Cannot install p12 device certificate on 1120e 1

Status
Not open for further replies.

noreth

Technical User
Oct 19, 2020
CA
Hello all,

I am trying to install a device cert on 1120e sets using the [DEV_CERT] section in the config file. When rebooted, the phone asks for a password for the p12 file, however, in the debug shell I get:

PKI_X509_LoadData: No key usage found
PKI_PKCS12_FindDeviceCert: Certificate is expired (-8)
PKI_PKCS12_ExtractDeviceCert: Unable to find device cert from PKCS12 file (-8)

The p12 is fine. The certificate is there, it is not expired and has key usage info. One thing I noticed in the log files is they are all marked from 2002, so I think there might be an issue with the time being out of sync and it thinking that the cert isn't yet valid. Is there a way to set an NTP server or something? The set gets its time correctly from the BCM once it's finished starting up.

Much thanks for any help!
 
Unistim Release 5.5.10 0624c98
 
I had fun uploading *C98 but Avaya have recently released *C99. I couldn't get it to load. Perhaps you can try it?

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = linkedin
 
I didn't know C99 was released, just got it uploaded and it works fine. It did not solve the cert issue. However, I did get it fixed. I have no idea if it was just multiple reboots that did it, but I changed the subnet of the sets temporarily to the one the TFTP server is on, and then it worked. I have no idea why that would solve it since it was already reading other config files just fine, but anyways, that appears to have done it.

Thanks for your help Firebird!
 
Excellent news Noreth.

Just a daft question, but what method did you use to update the firmware as I tried using a TFTP Server and also after putting the file directly into the BCM's folder.

I was trying to update my 1140e phone. I eventually managed to get the *C98 to load in OK after I had reverted the firmware back to *C84 (I think?).

Any help would be appreciated please? I can send the other *C99 files if you want them.

The 0625C99.bin is attached.

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = linkedin
 
I just used TFTP and it worked without any issues. Unfortunately, I don't have access to a 1140e to test 25C99 with, so I don't know if I can help much. Have you tried setting download to FORCED rather than AUTO in the 1140e.cfg file?
 
It's odd as I still get the "[FW] Auth. Fail" message appear after the firmware has been sent to the phone via TFTP. The 1140e phone then boots back to its original firmware of 0625C98.bin.



Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = linkedin
 
noreth, you did not mention what model and release BCM you are on.

Try first downgrading to one below 0625C98

I can confirm I get the same Auth Fail message on my test set - Avaya 1140e with 025C94 which is the last supported firmware for BCM.
I am on BCM50 Release 6 with the last supported patches - Desktop 005 and System 022.
I tried both tftp server and uploading to the BCM with same error.





________________________________________


=----(((((((((()----=
Toronto, Canada

Add me to LinkedIN
 
I have a BCM 450 Release 6. I have never looked into the patches, I just could find that it has version 12-2 for core-telephony and version 003.201101-2 for the "SU.system".

I upgraded from C98 to C99 without any issues. Perhaps it's just an issue with the 1140e?
 
Could be, or a certain release of it...my 1140e is Avaya branded NTYS0FBFE6
Let us know which one you have.

As for patches for the 450 R6 my notes show these are the last ones generated:

BCM450.R600.SU.System-022
BCM450.R600.SU.Desktop-005
BCM450.R600.UTPS-138-1
BCM450.R600.R600.FPGA-78

Example of out of date...
Your Core 12-2 is now at 128 (13th release), all of them are inside the BCM450.R600.SU.System-022 patch.

________________________________________


=----(((((((((()----=
Toronto, Canada

Add me to LinkedIN
 
My 1120e is NTYS03BEE6

I haven't updated my BCM with the latest updates since I'm not authorized with Avaya to download the patches [sad]. Only the phone firmware is available to the public sadly.

I will have a 1140e in a couple weeks so I will let you know if my luck varies with the firmware.
 
I've spent way too much time troubleshooting this phone…

I first experienced the same problems that you both did. I upgraded from C93 to C98 with no problem. I originally tried to upgrade from C93 to C99 but I got auth failed. Same result when trying to do C98 to C99.

However, I was finally able to get to C99 by going from C93 to C98 to C99 successively. Each time it started writing the firmware, I changed the cfg file firmware on my tftp server to C98 and then C99, so the phone did not ever fully boot until C99 had finished downloading.

Here is the debug output when it downloaded C99:

Checking CFG file authentication
Automatic authentication failed -4
Security policy action for base file = 2
================== Checking Security finished: SECURITY_SUCCESS_NO_AUTH
1140e.cfg was authenticated successfully!
Downloaded NUM bytes= 259
----------------------------------------
[FW]
DOWNLOAD_MODE AUTO
VERSION 0625C99
FILENAME 0625C99.bin
PROTOCOL TFTP
SERVER_IP 10.0.1.9
============= end Section Tree =============
callbackFunction START_EXECCFG
procSectionsTree::======== start executing of the [FW] section =====
cmpVersions(): AUTO
cmpVerFW():: Curr=0625C98, New=0625C99
cmpVerFW()::Download New
manCode is 0x00c2
newFWver is C99
callbackFunction Section: [FW], filename: 0625C99.bin
UI portion of FW download, status : 4
PrepareDownloadBuffer: using existing buffer (size=28019kb, needed=4608kb)
procCurrentFileForSection: 28692464 bytes have been allocated for firmware downloading, buffer address = 82044BD0
callbackFunction UNKNOWN
resolveServerName:: do nothing for [10.0.1.9]
Bytes: 3766760
Total 3766760 bytes have been downloaded from TFTP server.


!!!! downloadFile::Downloaded OK = 3766760 bytes
##### Authenticating firmware using PKI signature with block ID 0x56215ca2... #####
[Avaya Inc.][Avaya File Signing Authority 2013]
Expires : SUN MAY 22 12:25:37 2023 - (Valid)
Serial : 0x65
********** Firmware file was authenticated successfully.
callbackFunction PROCESS_EXESEC
LED is set
Upgrade from new memory MM01 to new memory map MM01
cc5a367a cc5a367a
Message: Image has checked.
newFWver is C99
manCode is 0x00c2
Message: Write to address bfc20000
Message: Recheck checksum in flash.
Flash checksum OK.
6a9b225f 6a9b225f
Message: Image has checked.
newFWver is C99
manCode is 0x00c2

Notice there is no "SECURITY_MODE 0" in the cfg file and I found it kept throwing errors so I just ended up removing it.

My thinking is that it is an issue with authenticating the PKI as I noticed when I tried installing from C98 that it said the PKI was expired. This would also explain my issues downloading the p12 file.

I'm not sure when the firmware broke because I just chose C93 randomly, but there is an issue with the phone getting its time in sync with firmware C98 as I encountered the same issues trying to download the p12 file to the 1140e phone with C98 and was only able to download it with C93. Oddly enough, I was getting bad signature errors from my radius server with C93 that disappeared when I went back to C98 after the cert was downloaded.

Let me know if I missed any details or if you have any theories, but hope this works for you!
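
An added example, not part of any post in this thread and not Avaya's code: a Python triage of the debug lines quoted above, plus a validity-window check showing how a clock reading of 2002 puts an otherwise valid certificate outside its window. The log lines are copied from the posts; the certificate dates, the clock readings and the function names are constructed assumptions.

```python
import re
from datetime import datetime

# Lines copied from the debug output quoted in the posts above.
SAMPLE_LOG = """\
PKI_PKCS12_FindDeviceCert: Certificate is expired (-8)
Automatic authentication failed -4
================== Checking Security finished: SECURITY_SUCCESS_NO_AUTH
cmpVerFW():: Curr=0625C98, New=0625C99
[Avaya Inc.][Avaya File Signing Authority 2013]
Expires : SUN MAY 22 12:25:37 2023 - (Valid)
********** Firmware file was authenticated successfully.
"""

def window_status(not_before, not_after, clock):
    """Classify a clock reading against a certificate validity window."""
    if clock < not_before:
        return "not-yet-valid"
    return "expired" if clock > not_after else "valid"

def triage(log, clock):
    """Pull the trust-relevant facts out of a phone debug log."""
    out = {"cfg_accepted_no_auth": "SECURITY_SUCCESS_NO_AUTH" in log,
           "fw_authenticated": "Firmware file was authenticated successfully" in log,
           "p12_rejected_as_expired": "FindDeviceCert: Certificate is expired" in log}
    m = re.search(r"Curr=(\w+), New=(\w+)", log)
    out["upgrade"] = m.groups() if m else None
    m = re.search(r"^\[(.+?)\]\[(.+?)\]$", log, re.M)
    out["signer"] = m.group(2) if m else None
    m = re.search(r"Expires : \w+ (\w+ \d+ [\d:]+ \d{4}) - \((\w+)\)", log)
    if m:
        out["signer_expiry"] = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
        out["phone_verdict"] = m.group(2)
        # The log prints only the upper bound, so only expiry can be rechecked.
        out["signer_expired_at_clock"] = clock > out["signer_expiry"]
    return out

# Constructed values (assumptions): device certificate window and clock readings.
CERT_NOT_BEFORE = datetime(2020, 10, 1)
CERT_NOT_AFTER = datetime(2025, 10, 1)
BOOT_CLOCK = datetime(2002, 1, 1)      # logs in the thread were stamped 2002
SYNCED_CLOCK = datetime(2020, 11, 1)   # hypothetical time after sync

if __name__ == "__main__":
    print(window_status(CERT_NOT_BEFORE, CERT_NOT_AFTER, BOOT_CLOCK))
    print(window_status(CERT_NOT_BEFORE, CERT_NOT_AFTER, SYNCED_CLOCK))
    for key, value in triage(SAMPLE_LOG, SYNCED_CLOCK).items():
        print(f"{key}: {value}")
```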
 
This really is interesting and a great thanks for confirming that there was an issue with the 1140e 0625C99.bin software when using it as it should have been.

I shall give this another go shortly. Thanks so much for taking the time to look into it. It is very much appreciated.
A star from me.

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = linkedin
 
Hi everyone: Someone directed me to this thread from the UCx forum. I've got a bunch of 1140e's running on C8Q firmware from Nov. 2012. I've tried everything I can think of to upgrade the firmware, and I keep getting the Auth. Fail message. I tried going to C93, no luck. I tried a smaller jump to C8T, and no luck either. Has anyone been successful upgrading to the latest firmware? I'd be happy to have C98, but I can't get it to load no matter what I try. Thanks for any help or insights!

-Michael
 
The trick is to revert your software back to the Nortel release and then go to the *C98.bin version.
I used a TFTP server to do it.

My question is how do you update the certificate on the IP phone? The reason I'm asking is that I've never done it before and I can't upgrade to *C99.bin.

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = linkedin
 
Firebird Scrambler said:
My question is how do you update the certificate on the IP phone? The reason I'm asking is that I've never done it before and I can't upgrade to *C99.bin.

Is your set branded Nortel or Avaya? Mine is Avaya and the Avaya root CA does not expire until 2033. I assume yours is expired and that’s why you’re asking?
 
Now this is just a random thought..

Have you tried installing the SIP firmware and then going back to Unistim? Maybe going from SIP to unistim would change something.

I wonder because all my sets came with SIP firmware originally and I’ve been successful with installing C99.
 