Howto:Update innovaphone.com Wildcard-Certificate in a Device Trustlist: Difference between revisions
m (→Resolution) |
No edit summary |
||
Line 2: | Line 2: | ||
This information applies to | This information applies to | ||
* All innovaphone IP-Phones and -Gateways with | * All innovaphone IP-Phones and -Gateways with 12r2, 13r1, 13r2, 13r3 firmware | ||
<!-- Keywords: 13r2 13r1 12r2 zertifikat trust list --> | <!-- Keywords: 13r3 13r2 13r1 12r2 zertifikat trust list --> | ||
==More Information== | ==More Information== | ||
===Problem Details=== | ===Problem Details=== | ||
On | On 10.02.2023 the current certificate <code>*.innovaphone.com</code> will expire. This is used in the PBX trust list to establish an encrypted connection between your PBX and the innovaphone push service. | ||
To ensure that Push also works for your customers after | To ensure that Push also works for your customers after 10.02.2023, this must be added to the trust list of the respective PBX. | ||
After | After 10.02.2023 the old <code>*.innovaphone.com</code> certificate can be deleted. | ||
This certificate is currently only relevant for gateways on which Push is running. During the transition period up to and including | This certificate is currently only relevant for gateways on which Push is running. During the transition period up to and including 10.02.2023, both <code>*.innovaphone.com</code> certificates are required. | ||
Additionally, every time an innovaphone devices is restarted the current <code>*.innovaphone.com</code> certificate generates a [[Reference9:Event/0x000c1001 | x509: A certificate has expired or will expire soon]] event. | Additionally, every time an innovaphone devices is restarted the current <code>*.innovaphone.com</code> certificate generates a [[Reference9:Event/0x000c1001 | x509: A certificate has expired or will expire soon]] event. | ||
Since we can update the Push-service certificate only on | Since we can update the Push-service certificate only on 10.02.2023 (otherwise existing devices without an updated certificate will stop working), it is important to keep until 10.02.2023 both certificates in the Trustlist of devices running a PBX with Push-functionality. | ||
===Resolution=== | ===Resolution=== | ||
Here are three ways to replace the certificate on all innovaphone devices. | Here are three ways to replace the certificate on all innovaphone devices. | ||
1. In the coming | 1. In the coming 13r3SR1, 13r2SR19, 13r1SR45 and 12r2SR59 the certificate will be added automatically during the update. | ||
After | After 10.02.2023 the old certificate can be manually deleted. Also, current firmware includes a mechanism to prevent ''Certificate expiration events'' in case that a new certificate exists for the same CN. | ||
Finally, devices with | Finally, devices with 13r3SR1, 13r2SR19, 13r1SR45 and 12r2SR59 firmware will have after a factory reset only the new *.innovaphone.com certificate. | ||
2. The certificate can be added manually on the PBX. It can be downloaded [[:Media:Star innovaphone cert | 2. The certificate can be added manually on the PBX. It can be downloaded [[:Media:Star innovaphone cert 2023.zip|here]] and then be uploaded on the PBX under "General/Certificates/Trust list". | ||
After | After 10.02.2023, the old certificate can be manually deleted. | ||
3. The new certificate can be added, and the old certificate can be deleted via an update server. This needs a reboot of the device. | 3. The new certificate can be added, and the old certificate can be deleted via an update server. This needs a reboot of the device. | ||
Save the new certificate in the trust list: | Save the new certificate in the trust list: | ||
!vars create X509/TRUSTED pba | !vars create X509/TRUSTED pba 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 | ||
Remove old certificate (optional): | Remove old certificate (optional): | ||
!mod cmd X509 form /item-trusted- | !mod cmd X509 form /item-trusted-7de567ad89fbc7c317f6182f60fe1a6454bb12ccd27603ff3e1cecaea62b40d3f3b07ebf on /trusted-delete Remove | ||
===Additional Recommendation=== | ===Additional Recommendation=== | ||
If you are using 13r2 firmware and are still connect to the ''old'' push-service (services.innovaphone.com), we recommend switching to the new push-service described in the [[Howto:V13_Firmware_Upgrade_V13r1_V13r2#Push | upgrading 13r1 13r2 article]]. We currently evaluate to change the certificate used on the push-service to an innovaphone CA-signed one, with a longer duration time. This is possible because in 13r2 the PBXManager plugin for Push (i.e. your browser) does not connect to the push service and therefore does not need a certificate that is trusted by all browsers. | If you are using 13r2 or 13r3 firmware and are still connect to the ''old'' push-service (services.innovaphone.com), we recommend switching to the new push-service described in the [[Howto:V13_Firmware_Upgrade_V13r1_V13r2#Push | upgrading 13r1 13r2 article]]. We currently evaluate to change the certificate used on the push-service to an innovaphone CA-signed one, with a longer duration time. This is possible because in 13r2 and 13r3 the PBXManager plugin for Push (i.e. your browser) does not connect to the push service and therefore does not need a certificate that is trusted by all browsers. | ||
<!-- == Related Articles == --> | <!-- == Related Articles == --> | ||
[[Category:Howto|{{PAGENAME}}]] | [[Category:Howto|{{PAGENAME}}]] |
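Review bot: on the changed line under Additional Recommendation, the text now covers 13r3 but still reads "are still connect to" and still links only to the 13r1-to-13r2 upgrade article; suggest "are still connected to" and checking that the linked Push section is valid for 13r3 as well. In Problem Details, "this must be added to the trust list" never names what is added; writing "the new *.innovaphone.com certificate must be added" would remove the ambiguity, and "an innovaphone devices" should be "device".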
Revision as of 12:02, 9 January 2023
Applies To
This information applies to
- All innovaphone IP-Phones and -Gateways with 12r2, 13r1, 13r2, 13r3 firmware
More Information
Problem Details
On 10.02.2023 the current certificate *.innovaphone.com will expire. It is used in the PBX trust list to establish an encrypted connection between your PBX and the innovaphone push service.
To ensure that Push also works for your customers after 10.02.2023, the new certificate must be added to the trust list of the respective PBX.
After 10.02.2023 the old *.innovaphone.com certificate can be deleted.
This certificate is currently only relevant for gateways on which Push is running. During the transition period up to and including 10.02.2023, both *.innovaphone.com certificates are required.
Additionally, every time an innovaphone device is restarted, the current *.innovaphone.com certificate generates an "x509: A certificate has expired or will expire soon" event.
Since we can update the Push-service certificate only on 10.02.2023 (otherwise existing devices without an updated certificate will stop working), it is important to keep both certificates in the trust list of devices running a PBX with Push functionality until 10.02.2023.
Resolution
Here are three ways to replace the certificate on all innovaphone devices.
1. In the coming 13r3SR1, 13r2SR19, 13r1SR45 and 12r2SR59 the certificate will be added automatically during the update. After 10.02.2023 the old certificate can be manually deleted. Also, current firmware includes a mechanism that prevents certificate expiration events when a new certificate exists for the same CN. Finally, devices with 13r3SR1, 13r2SR19, 13r1SR45 and 12r2SR59 firmware will have only the new *.innovaphone.com certificate after a factory reset.
2. The certificate can be added manually on the PBX. It can be downloaded here and then be uploaded on the PBX under "General/Certificates/Trust list". After 10.02.2023, the old certificate can be manually deleted.
3. The new certificate can be added, and the old certificate can be deleted via an update server. This needs a reboot of the device. Save the new certificate in the trust list:
!vars create X509/TRUSTED pba 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
Remove old certificate (optional):
!mod cmd X509 form /item-trusted-7de567ad89fbc7c317f6182f60fe1a6454bb12ccd27603ff3e1cecaea62b40d3f3b07ebf on /trusted-delete Remove
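The transition rules above can be checked across a fleet before and after the cutover. The following is an added example, not innovaphone code: it models a trust list as (CN, expiry) pairs and reports what each PBX still needs, and it also sketches the "newer certificate for the same CN" rule for expiry events. The 30-day warning window, the new certificate's expiry date and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

CUTOVER = date(2023, 2, 10)        # expiry of the old certificate (from the page)
WARN_WINDOW = timedelta(days=30)   # assumed warning window, not an innovaphone value
PUSH_CN = "*.innovaphone.com"

@dataclass(frozen=True)
class TrustEntry:
    cn: str
    not_after: date

def audit(trust_list, today, cn=PUSH_CN):
    """Return the action a PBX with Push needs on the given day."""
    certs = [e for e in trust_list if e.cn == cn]
    has_new = any(e.not_after > CUTOVER for e in certs)
    has_old = any(e.not_after <= CUTOVER for e in certs)
    if not has_new:
        return "add-new"       # Push stops once the service switches certificates
    if today <= CUTOVER and not has_old:
        return "old-missing"   # service still presents the old certificate
    if today > CUTOVER and has_old:
        return "delete-old"    # optional cleanup after the transition period
    return "ok"

def expiry_warnings(trust_list, today):
    """Entries expiring soon that no longer-lived entry with the same CN replaces."""
    warn = []
    for e in trust_list:
        if e.not_after - today > WARN_WINDOW:
            continue
        replaced = any(o.cn == e.cn and o.not_after > e.not_after
                       and o.not_after - today > WARN_WINDOW for o in trust_list)
        if not replaced:
            warn.append(e)
    return warn

# Constructed sample data: the new certificate's expiry date is made up.
OLD = TrustEntry(PUSH_CN, date(2023, 2, 10))
NEW = TrustEntry(PUSH_CN, date(2024, 3, 1))

if __name__ == "__main__":
    for name, tl in {"pbx-a": [OLD], "pbx-b": [OLD, NEW], "pbx-c": [NEW]}.items():
        print(name, audit(tl, date(2023, 1, 9)), audit(tl, date(2023, 2, 11)))
```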
Additional Recommendation
If you are using 13r2 or 13r3 firmware and are still connected to the old push service (services.innovaphone.com), we recommend switching to the new push service described in the upgrading 13r1 13r2 article. We are currently evaluating changing the certificate used on the push service to an innovaphone CA-signed one with a longer validity period. This is possible because in 13r2 and 13r3 the PBXManager plugin for Push (i.e. your browser) does not connect to the push service and therefore does not need a certificate that is trusted by all browsers.