
TLS with J100 phones

Status
Not open for further replies.

techman63

Programmer
Aug 20, 2004
47
US
I have an IPO Server Edition 11.4.3 on which we need to enable TLS and load a third-party certificate on the server, with NO SBC involved, for IX Workplace. The customer has hundreds of J100 series phones on the internal network. What is the best approach, with the minimum need to touch each individual set, for the phones to get the new third-party certificate after enabling TLS on the system? I think if I added a 46xxspecials.txt file with the new certificate info and just rebooted the phones, that would force the phones to get the new certificate. Any suggestions or ideas? I'm open to anything. Thanks
 
In theory:
Variant 1: Prerequisite - IPO is HTTP server and 46xxsettings.txt is generated automatically
  • extend the 46xxspecials with a second RootCA (names of the certificates comma separated: TRUSTCERTS WebRootCA.pem,NameNewRootCA.pem)
  • place the new RootCA (NameNewRootCA.pem) in the primary folder of the IPO, so the phone can load it
  • reboot the J100 devices -> the phones should now have both RootCA certificates in their own Trust Store
  • exchange the ID certificate at the IPO (best with a PKCS#12 file) (check the box "offer certificate chain", because with public CAs usually an intermediate certificate is used // alternatively the intermediate certificate can be loaded into the phone via TRUSTCERTS)
  • reboot the phones to rebuild the TLS channel
  • if everything works, delete the 46xxspecials and reboot the phones again (the new RootCA should now be loaded via TRUSTCERTS WebRootCA.pem). This serves to "clean up" and thus simplify later service in general


Variant 2: same prerequisite as for V1
  • disable all TLS settings in the IPO
  • reboot the phones and check in the monitor that the TCP connection (and not the TLS) is in use
  • exchange the ID certificate at the IPO (preferably with a PKCS#12 file, since the RootCA and the intermediate certificate are also written to the Trust Store of the IPO and are thus made accessible to the phones via TRUSTCERTS WebRootCA.pem)
  • reboot the phones so that the new RootCA certificate can be loaded (check with the IPO Monitor or Wireshark that this is happening)
  • reactivate all TLS settings in the IPO

In practice - see what happens and report here :)

Obviously it is of eminent relevance, that I this, what you celeprate, not optimally effective assume, since the integrate of you in the communicative system as code related terms with me no explosive associations in mental-empirical reproduction process of the mind.
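
A pre-reboot check for the TRUSTCERTS step of Variant 1 in the reply above, as an added example that is not part of the original posts and not Avaya tooling: it reads the certificate names from a settings file and confirms that each one is present in the folder the phones download from and is PEM-framed. It assumes the `SET TRUSTCERTS <names>` line syntax, one certificate per file, and a local copy of that folder; the function names and the sample data are made up for illustration.

```python
import re
import ssl
import tempfile
from pathlib import Path

# Assumed line syntax: SET TRUSTCERTS WebRootCA.pem,NameNewRootCA.pem (quotes optional).
# Lines starting with "#" do not match, so commented-out settings are ignored.
TRUSTCERTS_RE = re.compile(r'^\s*SET\s+TRUSTCERTS\s+"?([^"\r\n]*)"?\s*$', re.I | re.M)


def trustcerts_names(settings_text):
    """Return the file names from the last SET TRUSTCERTS line (assumed to win)."""
    matches = TRUSTCERTS_RE.findall(settings_text)
    if not matches:
        return []
    return [name.strip() for name in matches[-1].split(",") if name.strip()]


def check_trust_files(settings_text, http_root):
    """Map each TRUSTCERTS name to 'ok', 'missing' or 'not a PEM certificate'."""
    result = {}
    for name in trustcerts_names(settings_text):
        path = Path(http_root) / name
        if not path.is_file():
            result[name] = "missing"
            continue
        try:
            # Checks PEM framing and base64 only; it does not parse the X.509 data.
            ssl.PEM_cert_to_DER_cert(path.read_text(errors="replace").strip())
            result[name] = "ok"
        except ValueError:
            result[name] = "not a PEM certificate"
    return result


def demo():
    # Constructed sample: the specials file names two roots, but only the
    # existing one has been copied to the download folder so far.
    settings = ("## constructed 46xxspecials.txt\n"
                "SET TRUSTCERTS WebRootCA.pem,NameNewRootCA.pem\n")
    pem = "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "WebRootCA.pem").write_text(pem)
        return check_trust_files(settings, root)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Any entry that is not `ok` means the phones would reboot without picking up that root, so fix it before the identity certificate on the IPO is exchanged.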
 