Which CA to use for Server Edition Certificate


PhonesTech

Hi Everyone, we're implementing Avaya IP Office Server Edition with Avaya Workplace applications. We've used self-signed certificates for a long time.
I'm new to CA certificates, but from the online reading it seems we can't get a certificate with IP addresses. Just wanted to see if there is any CA that meets Avaya's requirement, or do we have to use self-signed certificates? We wanted one with multiple SAN entries:
DNS Name: voip2.domain.com
DNS Name: voip1.domain.com
DNS Name: Domain.com
IP: x.x.x.x
IP: y.y.y.y
URI:SIP: domain.com
 
The IP Office self-signed certs are fine if all your servers and clients are internal.

Avoid Entrust - they are in deep doo-doo with Google at the moment (under threat of being blocked).

Pretty well any external CA will work. If you are intending to support VoIP softphones, certs from big players like DigiCert are best, as they already have pre-installed certs in the Android, Apple and Windows OSes that make them trusted.

But yes, most certificate providers shun the use of IP addresses, and that means full FQDN/DNS routing to your IP Office is a must.

Stuck in a never ending cycle of file copying.
 
Since you are using Avaya Workplace you have 2 choices:
1. Buy a cert from a public CA
2. Add your root CA from your SE install to the devices.

If you can easily manage the CAs on your devices, use the private CA on your SE, IMHO.

I did a certificate from GoGetSSL.com, and they let me add an IP for the SAN (I use FQDN, but I like having both as it helps with deskphones). It works for Avaya Workplace on our iOS devices.

I'm guessing you already know you can NOT use a wildcard cert.
 
It is possible to get wildcard certs to work. But it won't be supported. If you do a search on SIP RFCs and wildcard certificates, you'll find that it's not just the IP Office team that don't like them. And recent domain security enhancements are increasing that dislike.

Stuck in a never ending cycle of file copying.
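
For readers with the same SAN list as the original question, here is an added example (not posted by anyone in this thread, and not Avaya's procedure) that builds a CSR with DNS, IP and URI entries using OpenSSL 1.1.1 or later and then flags the entries the replies say need attention. The hostnames, the 192.0.2.x addresses, the file names and the function names are constructed placeholders; treating URI entries as "confirm with the CA" is an assumption, since the replies do not discuss them.

```shell
#!/bin/sh
# Added example: CSR with the SAN mix from the question, plus a pre-submission check.
# All names and addresses below are constructed placeholders
# (192.0.2.0/24 is a documentation-only range).
SAN_LIST="DNS:voip1.domain.com,DNS:voip2.domain.com,DNS:domain.com,IP:192.0.2.10,IP:192.0.2.11,URI:sip:domain.com"

# make_csr <outdir>: writes <outdir>/server.key and <outdir>/server.csr
make_csr() {
  out=$1
  ( umask 077   # keep the private key unreadable by group/other
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$out/server.key" -out "$out/server.csr" \
      -subj "/CN=voip1.domain.com" \
      -addext "subjectAltName=$SAN_LIST" 2>/dev/null )
}

# csr_sans <csr>: print the SAN entries OpenSSL decodes from the CSR, one per line
csr_sans() {
  openssl req -in "$1" -noout -text |
    grep -A1 'X509v3 Subject Alternative Name' | tail -n1 |
    tr ',' '\n' | sed 's/^ *//'
}

# preflight <csr>: mark entries to raise with the CA before ordering
preflight() {
  csr_sans "$1" | while IFS= read -r entry; do
    case "$entry" in
      "IP Address:"*) echo "REVIEW  $entry (IP SAN: many public CAs will not issue these)" ;;
      "DNS:*."*)      echo "REVIEW  $entry (wildcard: not supported, per the replies above)" ;;
      DNS:*)          echo "OK      $entry" ;;
      # Assumption: any other type (URI here) needs confirming with the CA.
      *)              echo "REVIEW  $entry (confirm the CA will issue this SAN type)" ;;
    esac
  done
}

# Stand-alone use: sh this_script.sh /path/to/empty/dir
if [ -n "${1:-}" ]; then
  make_csr "$1" && preflight "$1/server.csr"
fi
```

A CA may drop or reject SAN entries it will not validate, so run `csr_sans` logic against the issued certificate as well (with `openssl x509` in place of `openssl req`) before loading it onto the server.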
 