IP Office Server as certificate authority

[JazzWizzard]

Hello everyone,

We have a client that wants to have 3rd party SSL for ease of deployment of IX Workplace (instead of loading the IPO's root CA on their PCs).

Reading Avaya's knowledge base on Implementing IP Office PKI: they talk about having the an external root CA and intermediate CA loaded into the Primary linux server so it can then generate identity certs for the rest of the servers and expansion system in the solution. Since the root CA and intermediate CA are from external authority (ex DigiCert), the identity certificate generated from the Primary Server will be trusted by IX other devices.

The relevant link to the KB is here:

https://ipofficekb.avaya.com/busine...jects/security/implementing_ip_office_pki.htm

What I'm looking at is approach 2: PKI Trust Domain based on Primary or Linux Application Server Intermediate CA

Has anybody implemeted something like that?

 

[Travis Harper]

Is this what your looking for?

https://www.ipofficeassistance.com/create-3rd-party-certificate/

or

https://letssupportnow.co.uk/2018/0...rtificates-to-an-ip-office-or-server-edition/

 

[Albus2]

A public certificate is in no way more secure than the selfsign certificate from a Server Edition.
I's just easier to use for clients because they already have the Root-CA certificate in the browser or device.
But, in case of Avaya Workplace, this is not needed! Unlike Communicator and older clients, Workplace will read the 46xxsettings file and download the WebRootCA.pem from the IPO and stores it in the client.
You only need to install the root certificate manualy on a PC running Manager or from where Webclient is used. If this is true for a larger number of PC's, your Admin can deploy it with GPO.

It is much less work, and you can do it all without help of other people and resources. Also, remember you need to recreate all identyty certificates every two years.
Not the Root-CA, but the Identity Certificates.