Howto:Update innovaphone.com Wildcard-Certificate in a Device Trustlist

From innovaphone wiki
Jump to navigation Jump to search

Applies To

This information applies to

  • All innovaphone IP-Phones and -Gateways with 12r2, 13r1, 13r2, 13r3 firmware

More Information

Problem Details

On 15.01.2024 the current certificate *.innovaphone.com will expire. This is used in the PBX trust list to establish an encrypted connection between your PBX and the innovaphone push service. To ensure that Push also works for your customers after 15.01.2024, this must be added to the trust list of the respective PBX. After 15.01.2024 the old *.innovaphone.com certificate can be deleted. This certificate is currently only relevant for gateways on which Push is running. During the transition period up to and including 15.01.2024, both *.innovaphone.com certificates are required.

Additionally, every time an innovaphone devices is restarted the current *.innovaphone.com certificate generates a x509: A certificate has expired or will expire soon event.

Since we can update the Push-service certificate only on 15.01.2024 (otherwise existing devices without an updated certificate will stop working), it is important to keep until 15.01.2024 both certificates in the Trustlist of devices running a PBX with Push-functionality.

If you use the new 14r1 certificate trustlist concept you are not affected, and the certificate will be installed automatically.

Resolution

Here are three ways to replace the certificate on all innovaphone devices.

1. In the version 12r2sr65, 13r2Sr30 and 13r3Sr12 the certificate will be added automatically during the update. After 15.01.2024 the old certificate can be manually deleted. Also, current firmware includes a mechanism to prevent Certificate expiration events in case that a new certificate exists for the same CN. Finally, devices with 12r2sr65, 13r2Sr30 and 13r3Sr12 firmware will have after a factory reset only the new *.innovaphone.com certificate.

2. The certificate can be added manually on the PBX. It can be downloaded here and then be uploaded on the PBX under General/Certificates/Trust list. After 15.01.2024, the old certificate can be manually deleted.

3. The new certificate can be added, and the old certificate can be deleted via commands (which can be sent using an update server or the Expert configuration in 13r3 Devices). This needs a reboot of the device. Save the new certificate in the trust list:

    !vars create X509/TRUSTED pba 3082063d30820525a0030201020211008f6019717ee7577e0afec5f44e49d8de300d06092a864886f70d01010b050030818f310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313730350603550403132e5365637469676f2052534120446f6d61696e2056616c69646174696f6e2053656375726520536572766572204341301e170d3233313132393030303030305a170d3234313232393233353935395a301c311a301806035504030c112a2e696e6e6f766170686f6e652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d2be63142556c121a4ddc121b544ac063c5c6ac9d5a94468ff0b14d0c83618cb9a95409112daa62dc18053606eb9bc973cd1028383f09a67dca0fee9a9a8b897146ccfe55531a9999ba2ea1b473b2791f661bbbefd0eec14e541204d3fa932cea439ac32bbbb8b49efd815a6ed6af7614ddca01720bf44272842cf86062909d1d9be8b884a5a8930412ae71dbd5b28c06d0a4d82e59354c9a183029322e515b6c68a9158c996b61b224ab5c277ebffa7f027d7efb1484f452c94441cce6eed746b4ab9ff477cc45fddff100a5d652e2b675ab755e8c2e9d61542ba30caeb7962c6af5b1d74f3add0d8f7716675275028e2a966c1fc98e3190eac24f1c0e2ba6d0203010001a382030430820300301f0603551d230418301680148d8c5ec454ad8ae177e99bf99b05e1b8018d61e1301d0603551d0e0416041488f8ab525ac415080869d4802c69301c02f2711c300e0603551d0f0101ff0404030205a0300c0603551d130101ff04023000301d0603551d250416301406082b0601050507030106082b0601050507030230490603551d20044230403034060b2b06010401b231010202073025302306082b06010505070201161768747470733a2f2f7365637469676f2e636f6d2f4350533008060667810c01020130818406082b0601050507010104783076304f06082b060105050730028643687474703a2f2f6372742e7365637469676f2e636f6d2f5365637469676f525341446f6d61696e56616c69646174696f6e53656375726553657276657243412e637274302306082b060105050730018617687474703a2f2f6f6373702e7365637469676f2e636f6d302d0603551d110426302482112a2e696e6e6f766170686f6e652e636f6d820f696e6e6f766170686f6e652e636f6d3082017e060a2b06010401d6790204020482016e0482016a016800760076ff883f0ab6fb9551c261ccf587ba34b4a4cdbb29dc68420a9fe6674c5a3a740000018c1a8f6dc9000004030047304502207a7190a77e7a3aab5a4472a5d2c83dd0673488cd4c103985a84dae8448383d91022100f95d389e99f516e6c9320a87fdb3496910d8c430392459153515c4db98e886b50076003f174b4fd7224758941d651c84be0d12ed90377f1f856aebc1bf2885ecf8646e0000018c1a8f6df60000040300473045022021e05b0e5d47268d62aad878f303de581149daa557d0fc4647e4140eb51d9a98022100c760935eb4c420a090e5f495ccaa7acf0ef5170b8a85dac3d475f15c6e8c466f007600eecdd064d5db1acec55cb79db4cd13a23287467cbcecdec351485946711fb59b0000018c1a8f6df8000004030047304502210090e8364d361bf9d11c2d1505da6429ae0915d5bd4576f366ea8698fcd41d4332022044e35001cef19b5599a18adefb1870be0873c9087637bd1f3a707b2b21449e02300d06092a864886f70d01010b0500038201010062719ad3d28649310387ebd69a5062af5cdc7b58b3c9dc9489fb4d9bee003deb2bb9328c945e6ace50b1e57329622cf53fd3a177016a03e8b610c291d4e464363cd6c94b5c7c0fe5e48944654bac1409e3448c883ad7efa2bc84e7a60fb86072049108403be2fc7d56473aa412a357dc5901727488814ab1e224bd713daf2103853b9505e6e111159c31470ded8a3cc9da2ec2e78b641f9512f30a4330147504d7b087ec5aea520a806280c1929c3d97f5352c4ab7e78a19c46c6fca46dbb2d059f11e947b28d352e78ee82c5173e2372d67b682f522967a2e056bd2f570f483266f4e0897729f58b31462ba5d8aa7b4764566a0a3cf414c36b11b14ef618f4f

Remove old certificate (optional):

    !mod cmd X509 form /item-trusted-bc935fbfe2f788ae7f8d087fefacadebba886fe0764f55510bf4de9dccb9588c26a9c9da on /trusted-delete Remove

Additional Recommendation

If you are using 13r2 or 13r3 firmware and are still connected to the old push-service (services.innovaphone.com), we recommend switching to the new push-service described in the upgrading 13r1 13r2 article. We currently evaluate to change the certificate used on the push-service to an innovaphone CA-signed one, with a longer duration time. This is possible because in 13r2 and 13r3 the PBXManager plugin for Push (i.e. your browser) does not connect to the push service and therefore does not need a certificate that is trusted by all browsers.