Course13:IT Advanced Pro - Specific characteristics of the IPVA
From innovaphone-wiki
What is different compared to a hardware gateway?
Things to watch out for with an IPVA
Now that we know how to create virtual machines so that we can run IPVAs in them, we look at some subtle differences between a PBX running in an IPVA compared to a PBX running on a hardware platform (i.e. a gateway). There are not many, but there are some.
Factory reset
We noted before that an IPVA does not have physical interfaces except for the virtual network adapter. However, it also does not have a reset button. So how can we reset an IPVA to factory defaults?
To understand how that works, you need to know that resetting an innovaphone device to factory defaults means returning its flash memory to its initial state. For an IPVA, the flash memory is emulated using a plain file on the host system. So to reset the IPVA to factory defaults, we must replace this file with the initial file we used when importing the virtual machine.
This file can be found in the IPVA package we downloaded earlier. Look for the hd-flash.vhd file in the ipva-vhd\bin\vhd\Virtual Hard Disks folder.

You then need to copy this file over the file that is used to emulate the IPVA's flash memory. You can find the name and location of this file in the virtual machine's settings for the hard drive on IDE Controller 1, Location 0.

Of course, instead of copying this file, you may also use a fresh and empty file. See section How to create a flash file in Setting up a virtual appliance on Hyper-V (IPVA) for an option to create such a file.
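The reset described above can be scripted on the Hyper-V host. The following is an added example, not part of the original course material; the VM name and the folder the IPVA package was unpacked to are assumptions.

```powershell
# Added example. Run in an elevated PowerShell session on the Hyper-V host.
function Reset-IpvaFlash {
    param(
        [Parameter(Mandatory)] [string] $VmName,
        [Parameter(Mandatory)] [string] $PristineFlash   # hd-flash.vhd from the IPVA package
    )
    if (-not (Test-Path -LiteralPath $PristineFlash -PathType Leaf)) {
        throw "Pristine flash image not found: $PristineFlash"
    }
    # The emulated flash is the disk on IDE Controller 1, Location 0.
    $disk = Get-VMHardDiskDrive -VMName $VmName -ControllerType IDE `
                -ControllerNumber 1 -ControllerLocation 0
    if (-not $disk) { throw "No disk on IDE 1:0 of VM '$VmName'" }
    $flash = $disk.Path
    # With checkpoints the VM points at a differencing disk, not the flash file.
    if ($flash -match '\.avhdx?$') {
        throw "VM has checkpoints ($flash); remove them before replacing the flash file"
    }
    if ((Resolve-Path -LiteralPath $PristineFlash).Path -eq $flash) {
        throw 'The VM uses the package file itself; there is no pristine copy to restore from'
    }
    # The file is locked while the VM runs, so power the VM off first.
    if ((Get-VM -Name $VmName).State -ne 'Off') {
        Stop-VM -Name $VmName -TurnOff -Force
    }
    # Keep the old flash file: it holds the complete device configuration,
    # so store the backup as carefully as the live file.
    $backup = '{0}.{1}.bak' -f $flash, (Get-Date -Format 'yyyyMMdd-HHmmss')
    Copy-Item -LiteralPath $flash -Destination $backup
    Copy-Item -LiteralPath $PristineFlash -Destination $flash -Force
    Start-VM -Name $VmName
    return $backup
}

# Usage (VM name and unpack folder are assumed):
# Reset-IpvaFlash -VmName 'IPVA1' `
#     -PristineFlash 'C:\ipva\ipva-vhd\bin\vhd\Virtual Hard Disks\hd-flash.vhd'
```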
Licensing
As we said before, the IPVA comes for free.
Well, not exactly. While running an IPVA does indeed not require any licenses, PBX Port licenses only work on an IPVA if the same number of IPVA licenses is available too. Or to put it more simply: running an IPVA is free, but to use a PBX on an IPVA (which requires Port licenses to be able to register users) costs additional IPVA licenses.
You can see that in your current lesson config:
- your IPVA1 is configured as a PBX
- your IP111 is registered to the slave
- a UC license is assigned to user ckl

To see the license usage on the PBX:
- go to the PBX / Config / General tab on the IPVA1
- scroll down to the Licenses area
- see in the Local column that 1 IPVA13 license is used (in addition to the Port13 and UC13 license you probably have expected)
Built-in certificate
innovaphone's hardware devices have a built-in, device-specific certificate which is used for example when a TLS connection (e.g. HTTPS) is established from the device. It has the device's serial number as part of its CN. It is issued by innovaphone Device Certification Authority or innovaphone Device Certification Authority 2, which are trusted certification authorities (CA) run by innovaphone.
An IPVA has no such built-in certificate and uses a self-signed one instead. While a self-signed certificate will do in many situations, it is of no use when the certificate is used to authenticate towards the other end of a connection. This is because it is not issued by a trusted CA and therefore cannot be trusted itself.
A prominent example of such authentication is when a PBX registers to innovaphone's Push service. From v13r2, this is authenticated using the calling device's certificate. So this won't work with a self-signed certificate.

Obtain a device certificate from innovaphone
The way you obtain a device certificate for your IPVA is through the my.innovaphone.com site. The portal my.innovaphone is available for distributors, resellers and customers with access to the License Manager, RMA Manager, Configurator and other services with a uniform login.

There are only a few steps to obtain your IPVA's device certificate and we'll go through them in a minute. The portal requires a personalized login which you can easily create yourself. Once you have done so, the administrator of your company account would invite you to the company's account (or you create one yourself if you are the first person in your company using the portal). In real life, you always must use a personal account and never share your account with another individual!

However, for simplicity, in this training (and only in this training!) we will all use a single account which belongs to a pseudo company to obtain our device certificate. The account to be used is john.doe@ckls.net and the password is innovaphone-training.

To obtain the certificate, you need to a) add the MAC address to the my.innovaphone portal and b) then download the certificate to your device.

- open portal.innovaphone.com. Here in the training (and only in the training), please neither use your own account (if you already have one) nor create a new personal account!
- instead, use the I already have a personal user account option with john.doe@ckls.net as E-mail and innovaphone-training as Password. You will be logged in to JOHN DOE'S TRAINING COMPANY
- switch to the Licenses tab and select the DEFAULT project
- then switch to the Devices tab and click on Add and Single device
- enter your IPVA's MAC address (00-03-FF-07-1F-F1 in your case) as Device and proceed with Next
- there are 3 options now:
  - somebody has already added this serial number to the portal during a previous training. The portal would flag the device as already imported. In this case, never mind, you're fine. Simply Cancel the add process
  - somebody has already added this serial number to the portal for a different company. An IPVA MAC address cannot be defined in more than one company and the portal would flag the device as a duplicate. In this case, you can't use this MAC address and you must choose another one (e.g. 00-03-FF-07-1F-E1) in your IPVA1 setup.
    Please do not modify the 4th and 5th byte of the MAC address in this case (07-1F in your case) as this will likely result in a conflict with a fellow trainee in your course
  - the serial number is not yet known. The portal would let you add a comment (use IPVA1 as comment) and add with OK



- click on my.innovaphone.com. This will open a dialog which instructs the device (IPVA1) to interact with the my.innovaphone portal
- enter your personal user account credentials (well, John Doe's in this case: john.doe@ckls.net and innovaphone-training) into the form.
  You may or may not save your credentials for later use. You can as well type them in whenever you use this form
- click on Download certificate to ask the portal for a trusted certificate (if this fails, you have most likely mistyped the portal credentials or the MAC address you added to the DEFAULT project)
- finally switch to the General/Certificates tab and see the new device certificate which has your MAC address in the Subject field and is signed by innovaphone's trusted CA

What about your own wildcard certificate?
As you have learned in a previous course, it is often necessary to install your own company's wildcard certificate on a PBX (or a reverse proxy).

So does that conflict with the device certificate we downloaded from the my.innovaphone portal in the previous step?
In fact, if you upload your own (wildcard) certificate as Device Certificate in General/Certificates, the trusted certificate we downloaded before will vanish from the list in the Device certificate section and be replaced by the one you upload.
However, the previous device certificate is not gone. It is just "shadowed" by the one we uploaded manually. You can see that if you remove the uploaded certificate (using the Clear button): the trusted certificate is still there and shown again. The IPVA will use the proper certificate automatically, depending on the use context. So the two certificates do not conflict.

Btw: the only way to get rid of the downloaded trusted certificate is a factory reset.
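To check from the outside which of these certificates the IPVA presents on a given TLS port (self-signed, the device certificate downloaded from the portal, or one you uploaded yourself), you can read the certificate and classify it by subject and issuer. This is an added example, not part of the original course material; the host address, the port and the assumption that the MAC appears in the subject with or without separators are mine.

```powershell
# Added example. Classifies a certificate by name only; it does not
# validate the signature chain against innovaphone's CA certificates.
function Get-CertKind {
    param(
        [Parameter(Mandatory)] [string] $Subject,
        [Parameter(Mandatory)] [string] $Issuer,
        [Parameter(Mandatory)] [string] $Mac
    )
    # Compare MAC and subject without separators and case (assumed format).
    $strip = { param($s) ($s -replace '[-:\s]', '').ToUpperInvariant() }
    # Matches both CA names given on this page (with and without the "2").
    if ($Issuer -like '*innovaphone Device Certification Authority*') {
        if ((& $strip $Subject).Contains((& $strip $Mac))) {
            return 'innovaphone device certificate'
        }
        return 'innovaphone-issued, but for another device'
    }
    if ($Subject -eq $Issuer) { return 'self-signed' }
    return 'other CA (e.g. an uploaded company certificate)'
}

function Get-PresentedCertificate {
    param([Parameter(Mandatory)] [string] $HostName, [int] $Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any certificate here: we only read it, we do not trust it.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            $ssl.RemoteCertificate)
    } finally {
        $tcp.Dispose()
    }
}

# Offline check with constructed sample values (not from a real device):
Get-CertKind -Subject 'CN=IPVA-00-03-ff-07-1f-f1' `
             -Issuer  'CN=innovaphone Device Certification Authority 2' `
             -Mac     '00-03-FF-07-1F-F1'

# Live check (192.0.2.10 is a placeholder address for your IPVA1):
# $c = Get-PresentedCertificate -HostName '192.0.2.10'
# Get-CertKind -Subject $c.Subject -Issuer $c.Issuer -Mac '00-03-FF-07-1F-F1'
```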
Section test
Now is a good time to do the section test in Section test (Specific characteristics of the IPVA).