Howto:Update innovaphone.com Wildcard-Certificate in a Device Trustlist
Applies To
This information applies to
- All innovaphone IP-Phones and -Gateways with 12r2, 13r3, 14r1, 14r2 firmware
More Information
Problem Details
On 29.12.2024 the current certificate *.innovaphone.com will expire. We will renew this certificate on 27.12.2024. It is used in the PBX trust list to establish an encrypted connection between your PBX and the innovaphone push service.
To ensure that Push also works for your customers after 26.12.2024, the new certificate must be added to the trust list of the respective PBX.
After 27.12.2024 the old *.innovaphone.com certificate can be deleted.
This certificate is currently only relevant for gateways on which Push is running. During the transition period up to and including 27.12.2024, both *.innovaphone.com certificates are required.
Additionally, every time an innovaphone device is restarted, the current *.innovaphone.com certificate generates an "x509: A certificate has expired or will expire soon" event.
Since we can update the Push service certificate only on 27.12.2024 (otherwise existing devices without an updated certificate will stop working), it is important to keep both certificates in the trust list of devices running a PBX with Push functionality until 27.12.2024.
If you use the Devices - certificate trustlist concept you are not affected, and the certificate will be installed automatically.
Resolution
Here are three ways to replace the certificate on all innovaphone devices.
1. In versions 12r2sr72, 13r3sr22, 14r1sr10 and 14r2sr5 the certificate is added automatically during the update. After 27.12.2024 the old certificate can be deleted manually. Current firmware also includes a mechanism that prevents certificate expiration events when a new certificate exists for the same CN. Finally, after a factory reset, devices with 12r2sr72, 13r3sr22, 14r1sr10 and 14r2sr5 firmware will have only the new *.innovaphone.com certificate.
2. The certificate can be added manually on the PBX. It can be downloaded here and then uploaded to the PBX under General/Certificates/Trust list. After 27.12.2024, the old certificate can be deleted manually.
3. The new certificate can be added and the old certificate deleted via commands (which can be sent using an update server or the Expert configuration in Devices). This requires a reboot of the device.
Save the new certificate in the trust list:
!vars create X509/TRUSTED pba 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
Remove old certificate (optional):
!mod cmd X509 form /item-trusted-3ccaa98ee59e6fd2ae91299fab78970d4f9f39a37eed987b32982e6a8a201afb70f7068f on /trusted-delete Remove
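The transition rules above can be checked across a fleet before and after the renewal date. The following is an added example, not innovaphone code: it classifies each device's trust list by date and models the same-CN rule for expiry events. Only the CN and the dates 27.12.2024 and 29.12.2024 come from this page; the inventory format, device names, fingerprints and the new certificate's expiry date are constructed assumptions.

```python
from datetime import date

# CN and dates are from the page; all sample data below is constructed.
WILDCARD_CN = "*.innovaphone.com"
RENEWAL = date(2024, 12, 27)      # push service switches to the new certificate
OLD_EXPIRY = date(2024, 12, 29)   # old wildcard certificate expires

def classify(entries, today):
    """entries: (cn, not_after, fingerprint) tuples from one device's trust list.
    Returns (action, fingerprints_that_may_be_deleted)."""
    wild = [e for e in entries if e[0] == WILDCARD_CN]
    old = [fp for _, na, fp in wild if na <= OLD_EXPIRY]
    new = [fp for _, na, fp in wild if na > OLD_EXPIRY]
    if not wild:
        return "NO_WILDCARD_ENTRY", []
    if not new:
        return "ADD_NEW_CERT", []      # Push stops working once the service is renewed
    if today <= RENEWAL:               # both certificates required up to and including 27.12.
        return ("KEEP_BOTH", []) if old else ("OLD_CERT_MISSING", [])
    return ("DELETE_OLD", old) if old else ("OK", [])

def suppress_expiry_event(entries, cn, not_after):
    """Model of the rule described in item 1 (not the firmware's implementation):
    no expiry event when a later-expiring entry exists for the same CN."""
    return any(c == cn and na > not_after for c, na, _ in entries)

def audit_fleet(inventory, today):
    """Map every device name to its (action, removable fingerprints) result."""
    return {device: classify(entries, today) for device, entries in inventory.items()}

# Constructed inventory: names, fingerprints and the 2025 expiry date are made up.
OLD = (WILDCARD_CN, OLD_EXPIRY, "fp-old-example")
NEW = (WILDCARD_CN, date(2025, 12, 29), "fp-new-example")
INVENTORY = {
    "gw-push-01": [OLD],         # not yet updated
    "gw-push-02": [OLD, NEW],    # updated, still in transition
    "gw-reset-03": [NEW],        # factory reset on current firmware
}

if __name__ == "__main__":
    for day in (date(2024, 12, 20), date(2024, 12, 28)):
        for device, (action, removable) in audit_fleet(INVENTORY, day).items():
            print(day, device, action, removable)
```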
Additional Recommendation
If you are still connected to the old push service (services.innovaphone.com), we recommend switching to the new push service described in the Push Migration (shutdown planned for 31.12.2024). We are currently evaluating changing the certificate used on the push service to an innovaphone CA-signed one with a longer validity period.