TLS certs with IX Workplace on iPhone

JazzWizzard

Technical User
Oct 28, 2019
67
CA
Hi everyone,

I'm encountering some issues with IX Workplace on iPhone and Mac OS saying the certificate is invalid. Our IPO server is at the latest version (11.0.4.2). There's no issue with the Windows client of IX Workplace.

Here's how I configured the identity certificate:

Subject Name: IPOSRV1
Subject Alternative Name: DNS:exmaple.com, DNS:IPOSRV1.example.com, IP:10.10.11.10, IP:192.168.43.1
Duration: 825 days (the issue with duration was corrected in the latest SP and the cert has been renewed).

Now here's the problem I'm getting in configuring this: Avaya's documentation is, well, a bit frustrating to deal with. In their IPO Platform 11 documentation, there's a chapter on TLS certificate and there's this section:

cert_doc_IPO_nuo2pc.jpg


Notice how the Subject Name and SAN in their screenshot don't match the explanation in the paragraph below.

Further, Avaya produced a doc about the issue with TLS on iOS and the screenshot they provided in their example is, again, different:

cert_doc_IPO2_arnde1.jpg


They put the IPO's FQDN in the Subject Name and SAN. Is this the way to go?? How do you properly configure the identity certificate? I'm also using the 46XXSPECIALS.txt file with TLSSRVID 0 in it.

Very confusing. 😠
 
How is the SIP domain configured in IPO?

IX Workplace doesn't load the 46xxspecials.txt

I suppose you loaded the cert into iPhone/Mac but didn't set it as trusted.

Have a look into this post for the iPhone screenshots: https://blog.fwilke.com/create-certificates-for-iphone-with-ip-office/

IP Office remote service
Fixed price SIP trunk configuration
CLI based call blocking
SCN fallback over PSTN
 
@derfloh: the SIP domain is configured as example.com in IPO. SIP FQDN is configured as IPOSRV1.example.com

The cert has been loaded into the iPhone and Mac OS and is set as trusted.

I'll regenerate the cert with 800 days to see what happens, but it's supposed to be fixed in the latest release...

As for how my identity cert is configured (SAN, etc..) do you think it's configured properly?
 
derfloh: we already manually import the root CA cert into iOS. There's no need (unless I'm mistaken) for IX Workplace to download the WebRootCA.pem file.

I ran some tests and with these settings I got it to work on iPhone and Mac:

Subject Name: IPOSRV1
Subject Alternative Name: DNS:example.com, DNS:IPOSRV1.example.com, IP:10.10.11.10, URI:sip:example.com, URI:sip:10.10.11.10
Duration: 820 days
 
I stand corrected.

Right now, IX is working on the iPhone, so I'm assuming it downloaded WebRootCA.pem file successfully. Issue was the identity certificate from what I see.
 
Hi Guys,

I faced the same issue and tried to apply the above solution, but the same error still appeared. I'm using IPO SE R11 and IX Workplace client 3.8 on iOS. Please help.
 
@derfloh

Thanks for your reply. I have the root CA and I installed it on iOS, but I don't have an intermediate CA! How can I get it?

Also, can this procedure solve the issue on IPO 500V2, or does it work with SE only?
 
Either... Or... It all depends on who generates the certificate of the IPO.

If it is a single CA you have to check and ensure that this CA certificate is delivered as WebRootCA.pem. You can just download that file and open it with a Windows PC to check if it's the correct one. IPO autogenerates this file but sometimes uses the wrong CA certificate. Then you have to upload your CA certificate as WebRootCA.pem.

If you have multiple chained CAs you have to merge all CA certificates into a single WebRootCA.pem file.

 
@derfloh

The certificate parameter in the settings file is "SET TRUSTCERTS WebRootCA.pem", which means the correct certificate will be downloaded to the phone, but the same error still appeared. How can I download the "WebRootCA.pem" from IPO to my laptop to check it?
 
Mohamed,

Are you using the IPO as a certificate authority?

If so, don't forget to generate its identity certificate from server manager on port 7071. I set mine to something like this (obviously change the parameters to fit your setup):

Subject Name: IPOSRV1.example.com (in my case, IPOSRV1 is the server's hostname)
Subject Alternative Name: DNS:example.com, DNS:IPOSRV1.example.com, IP:10.10.11.10, URI:sip:example.com

Also, make sure to download the server's root CA, rename it WebRootCA.pem and place it at the root of the server's file system.
 
@JazzWizzard

Thanks a lot for your reply. Actually, the issue was solved after downloading WebRootCA.pem, changing its extension to WebRootCA.crt, then uploading it to my smartphone and installing it manually.

Do you mean I have to put the WebRootCA in "SD card or Disk>system>primary>certificate>add" then the smartphone will download it directly?

 
The process is the following:
- The iPhone loads the settings file. For this download it's necessary to trust the issuing CA. In your case the IPO offers the root CA certificate as WebRootCA.pem, so downloading it and applying it to the iPhone solved the issue with downloading the settings file.
- The settings file sets WebRootCA.pem as the trusted root CA certificate, and the IX Workplace app loads and uses it internally. From that point on, only the WebRootCA.pem (as linked within the settings file) is used to identify the trustworthiness of the server certificate issuer. The iPhone certificate is not used anymore!
- The app will now connect securely with IPO using SIP/TLS and HTTPS.

I hope this clarifies the process a little bit and why it is necessary to load the root certificate into iPhone's certificate store AND to ensure that it is available as WebRootCA.pem.
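
An added example (not part of the thread and not Avaya's tooling): the WebRootCA.pem merge and check described in the replies above, done with the openssl command line. The helper function names, the temp directory and the sample CA names are assumptions; the SAN list reuses the example values posted in the thread.

```shell
#!/bin/sh
# Added example; every key, name and certificate below is constructed test data.

# make_sample_pki DIR: create root CA -> issuing CA -> server certificate in DIR
make_sample_pki() {
  p=$1
  cat > "$p/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
[srv]
subjectAltName = DNS:example.com, DNS:IPOSRV1.example.com, IP:10.10.11.10, URI:sip:example.com
EOF
  openssl req -new -x509 -config "$p/x.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=Sample Root CA" -keyout "$p/root.key" -out "$p/root.pem" 2>/dev/null
  openssl req -new -config "$p/x.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Sample Issuing CA" -keyout "$p/int.key" -out "$p/int.csr" 2>/dev/null
  openssl req -new -config "$p/x.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=IPOSRV1.example.com" -keyout "$p/srv.key" -out "$p/srv.csr" 2>/dev/null
  openssl x509 -req -in "$p/int.csr" -CA "$p/root.pem" -CAkey "$p/root.key" -CAcreateserial \
    -days 30 -extfile "$p/x.cnf" -extensions ca -out "$p/int.pem" 2>/dev/null
  openssl x509 -req -in "$p/srv.csr" -CA "$p/int.pem" -CAkey "$p/int.key" -CAcreateserial \
    -days 30 -extfile "$p/x.cnf" -extensions srv -out "$p/srv.pem" 2>/dev/null
}

# merge_bundle OUT CA...: put every CA certificate of the chain into one PEM file
merge_bundle() { out=$1; shift; cat "$@" > "$out"; }

# count_certs BUNDLE: number of certificates in the bundle
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# chain_ok BUNDLE CERT: succeeds only if CERT validates against the CAs in BUNDLE
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# san_has CERT ENTRY: succeeds if the certificate's text dump lists ENTRY
# (openssl prints SAN entries as DNS:..., IP Address:..., URI:...)
san_has() { openssl x509 -in "$1" -noout -text | grep -qF -- "$2"; }

# Demo: a root-only file fails for a chained server certificate, the merged file passes.
d=$(mktemp -d) && make_sample_pki "$d"
merge_bundle "$d/WebRootCA.pem" "$d/root.pem" "$d/int.pem"
echo "certificates in WebRootCA.pem: $(count_certs "$d/WebRootCA.pem")"
chain_ok "$d/root.pem" "$d/srv.pem" || echo "root only: chain does not verify"
chain_ok "$d/WebRootCA.pem" "$d/srv.pem" && echo "merged bundle: chain verifies"
san_has "$d/srv.pem" "URI:sip:example.com" && echo "SAN carries the SIP domain URI"
rm -rf "$d"
```

Against a real system, pass the WebRootCA.pem downloaded from the server and its exported identity certificate to `chain_ok` and `san_has` instead of the constructed files.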
