Howto:Update innovaphone.com Wildcard-Certificate in a Device Trustlist

From innovaphone wiki
Revision as of 16:06, 23 December 2021 by Sga (talk | contribs)
Jump to navigation Jump to search

Applies To

This information applies to

  • All innovaphone IP-Phones and -Gateways with V12r2, V13r1, V13r2

More Information

Problem Details

On 15.02.2022 the current certificate *.innovaphone.com will expire. This is used in the PBX trust list to establish an encrypted connection between your PBX and the innovaphone push service. To ensure that Push also works for your customers after 15.02.2022, this must be added to the trust list of the respective PBX. After 15.02.2022 the old *.innovaphone.com certificate can be deleted. This certificate is currently only relevant for gateways on which Push is running. During the transition period up to and including 15.02.2022, both *.innovaphone.com certificates are required.

Additionally, every time an innovaphone devices is restarted the current *.innovaphone.com certificate generates a x509: A certificate has expired or will expire soon event.

Since we can update the Push-service certificate only on 15.02.2022 (otherwise existing devices without an updated certificate will stop working), it is important to keep until 15.02.2022 both certificates in the Trustlist of devices running a PBX with Push-functionality.

Resolution

Here are three ways to replace the certificate on all innovaphone devices.

1. In the coming 13r2SR8, 13r1 SR 35 and 12r2 SR52 the certificate will be added automatically during the update. After 15.02.2022 the old certificate can be manually deleted. Also, current firmware includes a mechanism to prevent Certificate expiration events in case that a new certificate exists for the same CN. Finally, devices with 13r2SR8, 13r1 SR 35 and 12r2 SR52 firmware will have after a factory reset only the new *.innovaphone.com certificate.

2. The certificate can be added manually on the PBX. It can be downloaded here (will be available shortly) and then be uploaded on the PBX under "General/Certificates/Trust list". After 15.02.2022, the old certificate can be manually deleted.

3. The new certificate can be added, and the old certificate can be deleted via an update server. This needs a reboot of the device. A description of the commands for this procedure will follow shortly.

Additional Recommendation

If you are using 13r2 firmware and are still connect to the old push-service (services.innovaphone.com), we recommend switching to the new push-service described in the upgrading 13r1 13r2 article. We currently evaluate to change the certificate used on the push-service to an innovaphone CA-signed one, with a longer duration time. This is possible because in 13r2 the PBXManager plugin for Push (i.e. your browser) does not connect to the push service and therefore does not need a certificate that is trusted by all browsers.

Retrieved from "https://wiki.innovaphone.com/index.php?title=Howto:Update_innovaphone.com_Wildcard-Certificate_in_a_Device_Trustlist&oldid=60672"