The last days we got many warning messages when connecting to IP Office IP500 systems that the server certificate will expire at the end of this year.
But why do we get a real bunch of those messages this time?
The reason is that after powering up a new chassis the self signed certificate is created. As soon as the IP Office doesn’t find a time server it will set it’s clock to 2010/01/01 00:00. This time is the creation time of the new certificate. A certificate that is self signed by IP Office is valid for seven years so that it will expire at 2017/12/31 23:59.
There are a few ways how to handle this situation.
You can create a new certificate with an IPO Application Server or Server Edition Server with the needed parameters (common name, subject alternative names) and import it into IP Office. You have to ensure that computers, phones, applications trust the root certificate authority (root CA) that issued the certificate to avoid warnings.
You can create a new certificate with an existing enterprise CA that often is running within an ActiveDirectory. You have to ensure the same as before. Usually the computers will trust that certificate but you have to apply the root certificate to phones and applications where needed.
You can issue a certificate with a valid common name and hopefully the needed subject alternative names by a trustful third party CA like VeriSign or others.
You can delete the self signed certificate as described before after powering up the system the first time to have seven more years.
A short post this time with some hopefully useful informations. Especially if you want to use encrypted communication in any way it is always recommended to create ‘real’ certificates from a trustful certificate authority.
Update 2017/08/03
Avaya now published an official statement about this issue under the following link: PSN005042u
If you need further help with IP Office you can contact me through my main website: https://www.fwilke.com/home
Do you want to get information about new posts? Subscribe to my Newsletter
Pingback: IP Office certificate expired - Blog: Florian Wilke