Howto:Update innovaphone.com Wildcard-Certificate in a Device Trustlist: Difference between revisions

From innovaphone wiki
No edit summary
 
(13 intermediate revisions by 4 users not shown)
Line 1: Line 1:
==Applies To==
==Applies To==
This information applies to
This information applies to
 
* All innovaphone IP-Phones and -Gateways with 12r2, 13r1, 13r2, 13r3 firmware
* All innovaphone IP-Phones and -Gateways with V12r2, V13r1, V13r2
<!-- Keywords: 13r2 13r1 12r2 zertifikat trust list -->


==More Information==
==More Information==


===Problem Details===
===Problem Details===
On 15.02.2022 the current certificate <code>*.innovaphone.com</code> will expire. This is used in the PBX trust list to establish an encrypted connection between your PBX and the innovaphone push service.
On 15.01.2024 the current certificate <code>*.innovaphone.com</code> will expire. This is used in the PBX trust list to establish an encrypted connection between your PBX and the innovaphone push service.
To ensure that Push also works for your customers after 15.02.2022, this must be added to the trust list of the respective PBX.
To ensure that Push also works for your customers after 15.01.2024, this must be added to the trust list of the respective PBX.
After 15.02.2022 the old <code>*.innovaphone.com</code> certificate can be deleted.
After 15.01.2024 the old <code>*.innovaphone.com</code> certificate can be deleted.
This certificate is currently only relevant for gateways on which Push is running. During the transition period up to and including 15.02.2022, both <code>*.innovaphone.com</code> certificates are required.
This certificate is currently only relevant for gateways on which Push is running. During the transition period up to and including 15.01.2024, both <code>*.innovaphone.com</code> certificates are required.


Additionally, every time an innovaphone devices is restarted the current  <code>*.innovaphone.com</code> certificate generates a [[Reference9:Event/0x000c1001 | x509: A certificate has expired or will expire soon]] event.  
Additionally, every time an innovaphone devices is restarted the current  <code>*.innovaphone.com</code> certificate generates a [[Reference9:Event/0x000c1001 | x509: A certificate has expired or will expire soon]] event.  


Since we can update the Push-service certificate only on 15.02.2022 (otherwise existing devices without an updated certificate will stop working), it is important to keep until 15.02.2022 both certificates in the Trustlist of devices running a PBX with Push-functionality.
Since we can update the Push-service certificate only on 15.01.2024 (otherwise existing devices without an updated certificate will stop working), it is important to keep until 15.01.2024 both certificates in the Trustlist of devices running a PBX with Push-functionality.
 
'''If you use the new 14r1 [[Reference14r1:Concept_App_Service_Devices#Certificates_configuration|certificate trustlist concept]] you are not affected, and the certificate will be installed automatically.'''
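Review bot: In Problem Details, the sentence "To ensure that Push also works for your customers after 15.01.2024, this must be added to the trust list" has no usable antecedent, because the only certificate named up to that point is the one that expires. Name the new certificate explicitly. The paragraph also says the old certificate can be deleted "after 15.01.2024" while both are required "up to and including 15.01.2024"; stating the cut-over once would make the handling of that day unambiguous.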


===Resolution===
===Resolution===
Here are three ways to replace the certificate on all innovaphone devices.
Here are three ways to replace the certificate on all innovaphone devices.


1. In the coming 13r2SR8, 13r1 SR 35 and 12r2 SR52 the certificate will be added automatically during the update.  
1. In the version 12r2sr65, 13r2Sr30 and 13r3Sr12 the certificate will be added automatically during the update.  
After 15.02.2022 the old certificate can be manually deleted. Also, current firmware includes a mechanism to prevent ''Certificate expiration events'' in case that a new certificate exists for the same CN.  
After 15.01.2024 the old certificate can be manually deleted. Also, current firmware includes a mechanism to prevent ''Certificate expiration events'' in case that a new certificate exists for the same CN.  
Finally, devices with 13r2SR8, 13r1 SR 35 and 12r2 SR52 firmware will have after a factory reset only the new *.innovaphone.com certificate.  
Finally, devices with 12r2sr65, 13r2Sr30 and 13r3Sr12 firmware will have after a factory reset only the new *.innovaphone.com certificate.  
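Review bot: Option 1 now names 12r2sr65, 13r2Sr30 and 13r3Sr12, but the Applies To list still includes 13r1 and the earlier wording named a 13r1 build. Say explicitly whether 13r1 devices get the certificate through an update or have to use option 2 or 3. The build names also mix "sr" and "Sr"; pick one spelling.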


2. The certificate can be added manually on the PBX. It can be downloaded [[:Media:Star innovaphone cert 2022.pem|here]] (will be available shortly) and then be uploaded on the PBX under "General/Certificates/Trust list".  
2. The certificate can be added manually on the PBX. It can be downloaded [[:Media:Star innovaphone cert 2024.zip|here]] and then be uploaded on the PBX under [[Reference12r2:General/Certificates|General/Certificates/Trust list]].  
After 15.02.2022, the old certificate can be manually deleted.
After 15.01.2024, the old certificate can be manually deleted.  
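Review bot: The download link in option 2 changes from a .pem file to a .zip archive, while the sentence still reads as if the downloaded file is uploaded directly. Say whether the archive has to be unpacked first and which file from it goes into the trust list.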


3. The new certificate can be added, and the old certificate can be deleted via an update server. This needs a reboot of the device. A description of the commands for this procedure will follow shortly.
3. The new certificate can be added, and the old certificate can be deleted via commands (which can be sent using an update server or the [[Reference13r3:Concept_App_Service_Devices#Expert_configuration | Expert configuration ]] in 13r3 ''Devices''). This needs a reboot of the device.  
<!--
Save the new certificate in the trust list:
Save the new certificate in the trust list:
     !vars create X509/TRUSTED pba 308205c3308204aba003020102021100a597803636a18895e177a9e33f86c930300d06092a864886f70d01010b050030818f310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313730350603550403132e5365637469676f2052534120446f6d61696e2056616c69646174696f6e2053656375726520536572766572204341301e170d3231303131353030303030305a170d3232303231353233353935395a301c311a301806035504030c112a2e696e6e6f766170686f6e652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100dce92a4e6128064d6635492384df5b1f133ba15ac0b3273caecfaa189cb8a8512b715585e607e53167524986243a5bcb587ad7263412b2e2e747f91641b1b0bcb900d16de2ede8e47bb0a5ea7eb9667cdc6ca1b9165363c299f61e1189e3634a7fdadd38b2ec37ea2490d343caa11c32c007fcf2b64fff15991e6db3416f98ce9b050b44a7b848d7ae9cd1678cfcbccef7e5be62b8e11c9c7ad1857a4d966ed3998c3965916c780bb84ad57fdf8b975db2b6dc733b9212506e9d3fd66b24fec4bbc554db024063f6616e49589c81564ce0ceacb93286c3ea29fae7a722b4dfe1ba64a91dfe16aeadcf81a437a72e60e47ca1a5acec0b4a03a6e2105cf9ef850d0203010001a382028a30820286301f0603551d230418301680148d8c5ec454ad8ae177e99bf99b05e1b8018d61e1301d0603551d0e041604149dc35e36012da4332be256d01250aaf162480483300e0603551d0f0101ff0404030205a0300c0603551d130101ff04023000301d0603551d250416301406082b0601050507030106082b0601050507030230490603551d20044230403034060b2b06010401b231010202073025302306082b06010505070201161768747470733a2f2f7365637469676f2e636f6d2f4350533008060667810c01020130818406082b0601050507010104783076304f06082b060105050730028643687474703a2f2f6372742e7365637469676f2e636f6d2f5365637469676f525341446f6d61696e56616c69646174696f6e53656375726553657276657243412e637274302306082b060105050730018617687474703a2f2f6f6373702e7365637469676f2e636f6d302d0603551d110426302482112a2e696e6e6f766170686f6e652e636f6d820f696e6e6f766170686f6e652e636f6d30820104060a2b06010401d6790204020481f50481f200f000770046a555eb75fa912030b5a28969f4f37d1
12c4174befd49b885abf2fc70fe6d470000017705057db50000040300483046022100a41ba017e32ec2ca7a349a10e47e5d768297bef2556541fed259aadd04cee4660221008717c3777ee675bc9a9d8d2095424a6efb3513a7b41594cbdef5565b664f9660007500dfa55eab68824f1f6cadeeb85f4e3e5aeacda212a46a5e8e3b12c020445c2a730000017705057efa000004030046304402206db15476ee9694ee8e42691eb7a838afa1b1af2537023b6a3351079829ff7aed022020471b762475c87c589bb13b5878eb85f10ed9d1009a56df2e66edc690b50d62300d06092a864886f70d01010b0500038201010008e116326c488585f587f7e771c9fe15b31a4426523cb8f28ad614aad409d0da74c2af12ea3f63be873412187eebb44f72043a36ccb8dbddbdddfdd5348750b4dc7d5ddcfbff465de65ab249e6ca681cffe190e9d12a6bae63c8c0d97aba46eca371346e8f9eacb1f57ea64dc2ef3fa5de0bfba048f982fe4aaf3fea491976e5ea9df58a8e0a9cd7176fad9bc685201c70aba55f0ac61697400c7519c80479ee3d469bab45a5a2491b42738e98381f5c7cedebe1c3a661856b1e034df6ff633e21283fe352dd7a6576923b42d60251c776a02bd255117c75f8f86da9e1b05d4171d9781db0456c68c83aec3e15fd9153e243a99886270f1da3125dbcb58d0af9
     !vars create X509/TRUSTED pba 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
    !config write
    !config activate


Remove old certificate:
Remove old certificate (optional):
     !mod cmd X509 form /item-trusted-1187d4f8dc89fbdd8fad3abaf363733c226dcf3b15e47bac7d7e0cea8992de4fb4b47a31 on /trusted-delete Remove
     !mod cmd X509 form /item-trusted-bc935fbfe2f788ae7f8d087fefacadebba886fe0764f55510bf4de9dccb9588c26a9c9da on /trusted-delete Remove
-->
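Review bot: In the command block for option 3, the "!config write" and "!config activate" lines appear only once in this diff and the rendered revision below shows the "!vars create" command without them, although the text says the change needs a reboot. State which command persists the setting and how the reboot is triggered. Also explain what the hex suffix in "/item-trusted-…" identifies, so an administrator can confirm which certificate the Remove command targets before sending it.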


===Additional Recommendation===
===Additional Recommendation===


If you are using 13r2 firmware and are still connect to the ''old'' push-service (services.innovaphone.com), we recommend switching to the new push-service described in the [[Howto:V13_Firmware_Upgrade_V13r1_V13r2#Push | upgrading 13r1 13r2 article]]. We currently evaluate to change the certificate used on the push-service to an innovaphone CA-signed one, with a longer duration time.  This is possible because in 13r2 the PBXManager plugin for Push (i.e. your browser) does not connect to the push service and therefore does not need a certificate that is trusted by all browsers.
If you are using 13r2 or 13r3 firmware and are still connected to the ''old'' push-service (services.innovaphone.com), we recommend switching to the new push-service described in the [[Howto:V13_Firmware_Upgrade_V13r1_V13r2#Push | upgrading 13r1 13r2 article]]. We currently evaluate to change the certificate used on the push-service to an innovaphone CA-signed one, with a longer duration time.  This is possible because in 13r2 and 13r3 the PBXManager plugin for Push (i.e. your browser) does not connect to the push service and therefore does not need a certificate that is trusted by all browsers.


<!-- == Related Articles == -->
<!-- == Related Articles == -->


[[Category:Howto|{{PAGENAME}}]]
[[Category:Howto|{{PAGENAME}}]]

Latest revision as of 14:16, 22 December 2023

Applies To

This information applies to

  • All innovaphone IP-Phones and -Gateways with 12r2, 13r1, 13r2, 13r3 firmware

More Information

Problem Details

On 15.01.2024 the current *.innovaphone.com certificate will expire. It is used in the PBX trust list to establish an encrypted connection between your PBX and the innovaphone push service. To ensure that Push also works for your customers after 15.01.2024, the new certificate must be added to the trust list of the respective PBX. After 15.01.2024 the old *.innovaphone.com certificate can be deleted. This certificate is currently only relevant for gateways on which Push is running. During the transition period up to and including 15.01.2024, both *.innovaphone.com certificates are required.

Additionally, every time an innovaphone device is restarted, the current *.innovaphone.com certificate generates an "x509: A certificate has expired or will expire soon" event.

Since we can update the Push-service certificate only on 15.01.2024 (otherwise existing devices without an updated certificate will stop working), it is important to keep both certificates in the trust list of devices running a PBX with Push functionality until 15.01.2024.

If you use the new 14r1 certificate trustlist concept you are not affected, and the certificate will be installed automatically.

Resolution

Here are three ways to replace the certificate on all innovaphone devices.

1. In versions 12r2sr65, 13r2Sr30 and 13r3Sr12 the certificate will be added automatically during the update. After 15.01.2024 the old certificate can be manually deleted. Also, current firmware includes a mechanism to prevent certificate expiration events when a new certificate exists for the same CN. Finally, after a factory reset, devices with 12r2sr65, 13r2Sr30 and 13r3Sr12 firmware will have only the new *.innovaphone.com certificate.

2. The certificate can be added manually on the PBX. It can be downloaded here and then be uploaded on the PBX under General/Certificates/Trust list. After 15.01.2024, the old certificate can be manually deleted.

3. The new certificate can be added, and the old certificate can be deleted via commands (which can be sent using an update server or the Expert configuration in 13r3 Devices). This needs a reboot of the device.

Save the new certificate in the trust list:

    !vars create X509/TRUSTED pba 3082063d30820525a0030201020211008f6019717ee7577e0afec5f44e49d8de300d06092a864886f70d01010b050030818f310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313730350603550403132e5365637469676f2052534120446f6d61696e2056616c69646174696f6e2053656375726520536572766572204341301e170d3233313132393030303030305a170d3234313232393233353935395a301c311a301806035504030c112a2e696e6e6f766170686f6e652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d2be63142556c121a4ddc121b544ac063c5c6ac9d5a94468ff0b14d0c83618cb9a95409112daa62dc18053606eb9bc973cd1028383f09a67dca0fee9a9a8b897146ccfe55531a9999ba2ea1b473b2791f661bbbefd0eec14e541204d3fa932cea439ac32bbbb8b49efd815a6ed6af7614ddca01720bf44272842cf86062909d1d9be8b884a5a8930412ae71dbd5b28c06d0a4d82e59354c9a183029322e515b6c68a9158c996b61b224ab5c277ebffa7f027d7efb1484f452c94441cce6eed746b4ab9ff477cc45fddff100a5d652e2b675ab755e8c2e9d61542ba30caeb7962c6af5b1d74f3add0d8f7716675275028e2a966c1fc98e3190eac24f1c0e2ba6d0203010001a382030430820300301f0603551d230418301680148d8c5ec454ad8ae177e99bf99b05e1b8018d61e1301d0603551d0e0416041488f8ab525ac415080869d4802c69301c02f2711c300e0603551d0f0101ff0404030205a0300c0603551d130101ff04023000301d0603551d250416301406082b0601050507030106082b0601050507030230490603551d20044230403034060b2b06010401b231010202073025302306082b06010505070201161768747470733a2f2f7365637469676f2e636f6d2f4350533008060667810c01020130818406082b0601050507010104783076304f06082b060105050730028643687474703a2f2f6372742e7365637469676f2e636f6d2f5365637469676f525341446f6d61696e56616c69646174696f6e53656375726553657276657243412e637274302306082b060105050730018617687474703a2f2f6f6373702e7365637469676f2e636f6d302d0603551d110426302482112a2e696e6e6f766170686f6e652e636f6d820f696e6e6f766170686f6e652e636f6d3082017e060a2b06010401d6790204020482016e0482016a016800760076ff883f0ab6fb9551c261ccf587ba
34b4a4cdbb29dc68420a9fe6674c5a3a740000018c1a8f6dc9000004030047304502207a7190a77e7a3aab5a4472a5d2c83dd0673488cd4c103985a84dae8448383d91022100f95d389e99f516e6c9320a87fdb3496910d8c430392459153515c4db98e886b50076003f174b4fd7224758941d651c84be0d12ed90377f1f856aebc1bf2885ecf8646e0000018c1a8f6df60000040300473045022021e05b0e5d47268d62aad878f303de581149daa557d0fc4647e4140eb51d9a98022100c760935eb4c420a090e5f495ccaa7acf0ef5170b8a85dac3d475f15c6e8c466f007600eecdd064d5db1acec55cb79db4cd13a23287467cbcecdec351485946711fb59b0000018c1a8f6df8000004030047304502210090e8364d361bf9d11c2d1505da6429ae0915d5bd4576f366ea8698fcd41d4332022044e35001cef19b5599a18adefb1870be0873c9087637bd1f3a707b2b21449e02300d06092a864886f70d01010b0500038201010062719ad3d28649310387ebd69a5062af5cdc7b58b3c9dc9489fb4d9bee003deb2bb9328c945e6ace50b1e57329622cf53fd3a177016a03e8b610c291d4e464363cd6c94b5c7c0fe5e48944654bac1409e3448c883ad7efa2bc84e7a60fb86072049108403be2fc7d56473aa412a357dc5901727488814ab1e224bd713daf2103853b9505e6e111159c31470ded8a3cc9da2ec2e78b641f9512f30a4330147504d7b087ec5aea520a806280c1929c3d97f5352c4ab7e78a19c46c6fca46dbb2d059f11e947b28d352e78ee82c5173e2372d67b682f522967a2e056bd2f570f483266f4e0897729f58b31462ba5d8aa7b4764566a0a3cf414c36b11b14ef618f4f

Remove old certificate (optional):

    !mod cmd X509 form /item-trusted-bc935fbfe2f788ae7f8d087fefacadebba886fe0764f55510bf4de9dccb9588c26a9c9da on /trusted-delete Remove
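
Added example (not innovaphone code): a way to check what a `!vars create X509/TRUSTED pba <hex>` line from option 3 carries before it is distributed through an update server. It assumes the hex argument is a DER-encoded X.509 certificate; the function names and the sample command are constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at offset off."""
    tag, first = buf[off], buf[off + 1]
    n = first & 0x7F if first & 0x80 else 0       # long form: n length bytes follow
    length = int.from_bytes(buf[off + 2:off + 2 + n], "big") if n else first
    start = off + 2 + n
    if start + length > len(buf):
        raise ValueError("truncated DER: element runs past the end of the data")
    return tag, start, start + length

def parse_time(tag, raw):
    # UTCTime (0x17) is YYMMDDHHMMSSZ, GeneralizedTime (0x18) is YYYYMMDDHHMMSSZ
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def inspect_command(line):
    """Decode the certificate carried by one '!vars create X509/TRUSTED pba <hex>' line."""
    parts = line.split()
    if len(parts) != 5 or parts[:4] != ["!vars", "create", "X509/TRUSTED", "pba"]:
        raise ValueError("expected exactly one hex argument after 'pba'")
    der = bytes.fromhex(parts[4])
    _, off, cert_end = read_tlv(der, 0)           # Certificate SEQUENCE
    if cert_end != len(der):
        raise ValueError("extra bytes after the certificate")
    _, off, _ = read_tlv(der, off)                # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, off)
    off = end if tag == 0xA0 else off             # skip the optional [0] version field
    for _ in range(3):                            # serialNumber, signature, issuer
        _, _, off = read_tlv(der, off)
    _, off, _ = read_tlv(der, off)                # validity SEQUENCE
    t1, a, b = read_tlv(der, off)                 # notBefore
    t2, c, d = read_tlv(der, b)                   # notAfter
    return {"sha256": hashlib.sha256(der).hexdigest(),
            "not_before": parse_time(t1, der[a:b]), "not_after": parse_time(t2, der[c:d])}

def tlv(tag, content):
    """DER-encode one element; used here only to build the constructed sample."""
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

# Constructed sample: certificate-shaped DER with empty names and no real key or signature.
_validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
_tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") + tlv(0x30, b"") + _validity + tlv(0x30, b""))
SAMPLE_CMD = "!vars create X509/TRUSTED pba " + tlv(0x30, _tbs + tlv(0x30, b"") + tlv(0x03, b"\x00")).hex()
```

A hex value that was wrapped or cut during copy and paste fails with a `ValueError` instead of being sent to devices. The returned SHA-256 can be compared with the fingerprint of the certificate file downloaded for option 2.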

Additional Recommendation

If you are using 13r2 or 13r3 firmware and are still connected to the old push-service (services.innovaphone.com), we recommend switching to the new push-service described in the upgrading 13r1 13r2 article. We are currently evaluating whether to change the certificate used on the push-service to an innovaphone CA-signed one with a longer validity period. This is possible because in 13r2 and 13r3 the PBXManager plugin for Push (i.e. your browser) does not connect to the push service and therefore does not need a certificate that is trusted by all browsers.