Recently Avaya informed about the stronger certificate rules in the upcoming mobile operating systems iOS 13 and Android Q as well as in macOS 10.15 through this PSN: https://downloads.avaya.com/css/P8/documents/101058839. Avaya announced that those stronger rules may affect the commonly used Avaya apps on smartphones and tablets as well as on Mac PCs.
A valid certificate must match the following criteria:
- SHA1 and SHA2-CBC signature algorithms are no longer supported for server certificates and issuer certificates
- Server certificates and CA certificates must use a key length of at least 2048 bits
- Server certificates must contain the server's DNS name as subject alternative name (SAN). The presence of the DNS name only as common name (CN) is not acceptable
- If issued after July 1, 2019: Certificates must contain extended key usage (EKU) extension containing the id-kp-serverAuth OID (1.3.6.1.5.5.7.3.1)
- If issued after July 1, 2019: The maximum certificate validity period must not exceed 825 days. With the commonly used period of two years (or sometimes two years and three months) you will be fine.
The self-signed certificate that an IP Office appliance creates follows all these rules as long as it is created before July 1, 2019. For new installations from July 1 onwards those certificates will no longer work with the newer OSes, because the default validity period is seven years and no EKU is present.
If you use certificates issued by a publicly available certificate authority like GoDaddy, Comodo or others, most criteria should be met. Nevertheless you should check that; especially the requirement to have the DNS name defined as a subject alternative name (SAN) can be an issue.
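To make the rule list above checkable, here is an added example (not Avaya's code and not part of the PSN) that encodes the criteria as a small Python checker. The rule logic works on a plain `CertFacts` record so it runs without any third-party package; `facts_from_pem()` is an optional loader for real certificates that needs the `cryptography` package. The `ipo_default_profile()` sample data is constructed from the description above (seven-year validity, no EKU); the hostname `ipo.example.com`, the 2048-bit key and the SHA-256 signature are assumptions. Only the SHA-1 part of the signature rule is checked here; the issuer key size is checked only when you supply it, since a leaf certificate alone does not carry it.

```python
"""Check a TLS server certificate against the iOS 13 / macOS 10.15 rules.

Added example, not Avaya's code. The checks cover: SHA-1 signature, key
size, SAN presence, and (for certificates issued from the cutoff date on)
the id-kp-serverAuth EKU and the 825-day maximum validity.
"""
from dataclasses import dataclass
from datetime import date

CUTOFF = date(2019, 7, 1)              # EKU and 825-day rules apply from here on
MAX_VALIDITY_DAYS = 825
MIN_KEY_BITS = 2048
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth


@dataclass
class CertFacts:
    dns_name: str               # name the app actually connects to
    subject_cn: str
    san_dns_names: list         # DNS entries of the SAN extension ([] if absent)
    key_bits: int
    signature_hash: str         # hash of the signature algorithm, e.g. "sha1", "sha256"
    not_before: date
    not_after: date
    eku_oids: list              # dotted OIDs of the EKU extension ([] if absent)
    issuer_key_bits: int = None  # None when the issuer certificate is not at hand


def san_matches(pattern: str, hostname: str) -> bool:
    """Match a SAN dNSName against a hostname; '*.example.com' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                                   # ".example.com"
        left = hostname[:-len(suffix)] if hostname.endswith(suffix) else ""
        return bool(left) and "." not in left
    return pattern == hostname


def check_certificate(c: CertFacts) -> dict:
    """Return {rule: explanation} for every rule the certificate violates ({} = OK)."""
    problems = {}
    if c.signature_hash.lower() == "sha1":
        problems["signature"] = "SHA-1 signature is no longer accepted"
    if c.key_bits < MIN_KEY_BITS:
        problems["key-size"] = f"server key is {c.key_bits} bits, need >= {MIN_KEY_BITS}"
    if c.issuer_key_bits is not None and c.issuer_key_bits < MIN_KEY_BITS:
        problems["issuer-key-size"] = f"issuer key is {c.issuer_key_bits} bits, need >= {MIN_KEY_BITS}"
    if not any(san_matches(n, c.dns_name) for n in c.san_dns_names):
        # A matching CN does not rescue the certificate: the SAN entry is mandatory.
        problems["san"] = f"{c.dns_name} is not in the SAN extension (CN alone is ignored)"
    if c.not_before >= CUTOFF:  # assumption: "issued after July 1" read as on or after
        if SERVER_AUTH_OID not in c.eku_oids:
            problems["eku"] = "no EKU extension containing id-kp-serverAuth"
        lifetime = (c.not_after - c.not_before).days
        if lifetime > MAX_VALIDITY_DAYS:
            problems["validity"] = f"valid for {lifetime} days, maximum is {MAX_VALIDITY_DAYS}"
    return problems


def facts_from_pem(pem: bytes, dns_name: str) -> CertFacts:
    """Build CertFacts from a PEM leaf certificate (needs the 'cryptography' package)."""
    from cryptography import x509
    from cryptography.x509.oid import NameOID
    cert = x509.load_pem_x509_certificate(pem)
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    try:
        san = cert.extensions.get_extension_for_class(
            x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        san = []
    try:
        eku = [o.dotted_string for o in
               cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value]
    except x509.ExtensionNotFound:
        eku = []
    sig = cert.signature_hash_algorithm
    return CertFacts(dns_name=dns_name, subject_cn=cn[0].value if cn else "",
                     san_dns_names=list(san), key_bits=cert.public_key().key_size,
                     signature_hash=sig.name if sig else "none",
                     not_before=cert.not_valid_before.date(),
                     not_after=cert.not_valid_after.date(), eku_oids=eku)


def ipo_default_profile(created: date) -> CertFacts:
    """Constructed sample: an IP Office self-signed certificate (7 years, no EKU)."""
    return CertFacts(dns_name="ipo.example.com", subject_cn="ipo.example.com",
                     san_dns_names=["ipo.example.com"], key_bits=2048,
                     signature_hash="sha256", not_before=created,
                     not_after=created.replace(year=created.year + 7),
                     eku_oids=[], issuer_key_bits=2048)


if __name__ == "__main__":
    for created in (date(2019, 3, 1), date(2019, 8, 1)):
        print(f"self-signed, created {created}:",
              check_certificate(ipo_default_profile(created)) or "OK")
```

Running the block shows the consequence described above: the same default profile passes when created on March 1, 2019 and fails the EKU and validity rules when created on August 1, 2019. For a real certificate, read the PEM file and call `check_certificate(facts_from_pem(pem, "your.host.name"))`.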
Although the recommendation has always been to use certificates issued by a certificate authority, it was usually easier to just use the certificates created by IP Office itself. Fortunately Avaya implemented a certificate authority in their servers (Server Edition, Application Server, UC-Module). With that CA you can create certificates for every machine that needs one. Even if your customer has neither an own CA nor an Avaya server, you can install one as a virtual machine on your laptop. You can then create valid certificates as long as the end users trust your CA.
I am still in the process of creating a video tutorial on how to use IP Office Application Server on your laptop to create the certificates you need.
If you want to be informed when the course is available, subscribe to my newsletter.
Pingback: Neue Zertifikatsrichtline betrifft auch IP Office Apps - Blog: Florian Wilke
Pingback: Create certificates for iPhone with IP Office - Blog: Florian Wilke