Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Remote J100's - New/Renew TLS Certificates 3

Status
Not open for further replies.

dsm600rr

IS-IT--Management
Nov 17, 2015
1,444
US
Hello all,

I have clients running IPO Server Edition in the Cloud on a hosted VM.

We have quite a few moving over to TLS to utilize the IX Workplace / Remote J100's.

On Existing Systems, In which I enable TLS and the IPO Reboots, the phones will log back in, however under TCP.

In order to get the remote phones to grab the TLS Certificate, and register as TLS, I need to clear the phones. Locally, I was able to re-boot the phones, and they would grab the certificate and register as TLS (on the same network as the IPO) however most of our IPO's are Hosted SE.

Is the only way to get existing phones to register as TLS and grab the new certificate, to clear them?

What about when the certificate expires in a year and needs to be renewed? Is there a way to do this without manually clearing the phones, again?

We are using NoIP / DigiCert for our CA.

Thank you!



ACSS / ACIS
 
Hi DSM600RR, were you able to get an answer to this inquiry? I'm running into the same thing with remote phones. Do we need to reset the phones everytime certificate is regenerated or is there any other process we can follow?
 
From personal experience, if the certificate is renewed before it expires then the phones will pick it up with no issues.

If the certificate expires before you renew it, then the phones will get a certificate error before connecting to the system and will not be able to get the new certificate. In this case the phones will need defaulting to clear out the old expired certificate.

One other point, this will also apply if any of the CA certificates expire too!

“Some humans would do anything to see if it was possible to do it.
If you put a large switch in some cave somewhere, with a sign on it saying 'End-of-the-World Switch. PLEASE DO NOT TOUCH'.
The paint wouldn't even have time to dry.”

Terry Pratchet
 
Ekster: Fingers crossed, we will report back in about 10 months :D

ACSS / ACIS
 
To add to Ekster's post...

If you renew the certificate using the same certificate authority (CA) than the one used for the old certificate, then the phone will continue to trust. If it is a new CA then the phones will have to load the new CA cert. In my experience this need the phones to be cleared.

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN
 
To add to this tread, I did contact no-ip/digicert, does this sound correct?

My email:

"We have your SSL Certificates that we are using for TLS on remote Avaya Phones. These certificates expire in one year, so my question is, how do we re-issue the certificate for another year, once we are approaching the expatriation of the original certificate?
For Example, on our test system "fqdn.com" - We created the certificate this month, June 2024 and its set to expire June 2025. So say in June, 2025 what would be the process to re-issue this certificate for June, 2026 Expiration?
Under the "Certificate Actions" I do see an option to "Reissue" - would this be the correct spot to re-generate this certificate for a new June 2026 expiration? I haven't played around with this yet, as I wanted to reach out and confirm first."


Their Response:

"Thank you for contacting No-IP support. My name is Jose, and I will be happy to assist you. The renewal process for the No-IP Vital Encrypt DV is the same as beginning the process for a new SSL certificate. When the SSL certificate is within 14 days of expiration you will have the option to submit a new CSR which will begin the validation process again. The "Reissue" option just allows you to submit a new CSR for the existing SSL certificate."

So it looks like 14 days before the certificate is set to expire, I can submit a new CSR (like I did for the original certificate), load the new certificate and do everything else the same as the original process and hope the phones grab the new certificate? Will a reboot be needed for the phone to reach out and grab the new certificate (WebRootCA.pem)? Reboot would not be ideal however much better option than clearing them all again.



ACSS / ACIS
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top