security certificate will expire in xxx days 11

[joe2938]

I have researched this and have fixed the certificate warning but when it tells you the system will be unresponsive for 5 minutes is this only for administrating the system only? or does it affect the end users being able to make calls etc... I have only done this remote so I have had zero complaints but want to be positive as I need to address our hospital customers, thanks in advance.

 

[biv343]

The system still functions, but I did notice dialtone was a bit delayed when I tried it on my lab system as it burns a lot of CPU time to generate the new certificate. I do that work during a scheduled maintenance window for a hospital or other 24x7 operation, or after hours for other customers.

 

[joe2938]

Thanks for the update, most appreciated. Will schedule for after hours or best possible time in this case.

 

[hibroth]

I had it twice a few days ago, in both cases the message was "expiring in 179 days", I unchecked "secure communications" under manager preferences

 

[joe2938]

@hibroth and that worked as well?

 

[hibroth]

Yes @yoe2938, no strange behaviours, both IP500 no SE

 

[critchey]

Yes turning off secure communications will also remove the warning because you are no longer getting the certificate so manager can't see the certificate will expire. I have had a lot of calls about this recently it seems everyone got it at once so my guess is everyone's ends the same day (last day of the year). Simple to re-generate the certificate but some people want the easy button so turning off secure communications is the easy button.

The truth is just an excuse for lack of imagination.

 

[telecomtekperson]

This warning has been reported by many partners, globally.

 

[gntsfan8690]

I've been seeing this myself all over the place with customers of varying software releases, some with Server Edition and others are just 500v2's. I've seen two methods to remedy this, both came from Avaya. In one place, it was regenerate the cert, which I did on a brand new, out of the box system I started programming the other day. It had a mix of digital and analog expansion modules patched into the 500v2, and I lost the connection via SSA for maybe a minute or less. When the connection came back, I noticed I had a list of link alarms for the 6 expansions, but no indication of a reboot.

The other one I've seen is delete the cert and I guess it will generate a new one. I've not gone this route.

Anyone have suggestions on which would method be the better?

 

[joe2938]

I just regenerated the certificate and it worked great!

 

[derfloh]

I got an information why this warning comes up for so many systems at the same time.

Every fresh installed IP500 that is started the first time and is not able to get the correct time and date from a time server will set its time to 2010/01/01 00:00 and creates a self signed certificate that is valid for seven years. So all those certificates will have the same end date set to 2017/12/31 23:59

That's why we get all those warnings now.

You should regenerate the certificate in any case because not only the manager login users that certificate but also 1XP and other services as well as SCN and phones that connect via TLS.

The recommendation is to create a valid cert through an AppServer or Server Edition Server or from another CA.

If such a certificate is not needed I would recommend to recreate the IPO cert during initial setup as soon as the box has a valid time set.

 

[hibroth]

But if you don't use TLS apps or TLS SCN connections the certificate is not necessary, IPO500 first setup does not require any

 

[sizbut]

Its easy enough to have the IP Office generate a new self-signed certificate if that is the one you are using. Log into security settings and under System | Certificates click Regenerate, click OK and then click the save icon (the new certificate generation doesn't actually start when you click the Regenerate button). All over in a few minutes.

Stuck in a never ending cycle of file copying.

 

[joe2938]

I just had a customer reach out to us that has an IP Office 500v2 but it does not give him the option to regenerate, so I told him to delete it and reboot and IP Office will then regenerate the certificate.

 

[derfloh]

Delete is enough. When you save the security settings it will generate a new one.

 

[joe2938]

Thanks good to know as rebooting at a hospital is not an option

 

[holdmusic34]

Great thread.

The rain in Spain falls mainly on the northern mountains.

 

[joe2938]

just as an fyi, unticking secure communications does get rid of the error message however then manager will take a good minute for the config to open so you may not want to go that route

 

[Telecomboy]

Yes. Unchecking secure communication causes it to take a long time to load a config. I wouldn't opt for that option.

 

[IamaSherpa]

Found this, on the support website:

https://support.avaya.com/ext/index?page=content&id=SOLN312079&group=UG_ENTITLED_CUSTOMER