Signing identity certificates for Avaya Aura Web Gateway using third-party CA certificates

Last Updated: Aug 16, 2022

About this task

You can use the following procedure to sign identity certificates for Avaya Aura® Web Gateway using third-party CA certificates.

Note:

In the following procedure, the third-party CA certificate can be a public CA or an internal private CA.

Before you begin

  • Create a CSR with the following X509 extensions:

    • keyUsage = nonRepudiation, digitalSignature, keyEncipherment

    • extendedKeyUsage = serverAuth, clientAuth

  • Ensure that the CSR contains the following:

    • If the certificate is only used on the Avaya SBC, the request contains the subjectAltName extension that lists the cluster FQDN in the SAN.

    • If the certificate is used on both Avaya SBC and the Avaya Aura® Web Gateway server, the request contains the subjectAltName extension that lists the cluster FQDN as well as the FQDN of each cluster member in the SAN.

      Note:

      From the security perspective, Avaya recommends that you generate separate certificates for each node, including the cluster FQDN and the individual cluster node FQDN in subjectAltName.

  • Do not provide the password for a key because password protected keys are not supported.

  • Ensure that the key generated along with the CSR is stored safely.

  • Ensure that, after the certificate is generated, you have received the identity certificate, the root CA certificate, and all intermediate CA certificates in .PEM format from the certification authority. If any of these certificates is not in .PEM format, convert it using the OpenSSL tool.

  • Generate the identity certificate chain as described in Generating an identity certificate chain.

  • Obtain the System Manager root CA certificate.

  • Generate the trust certificate chain by concatenating the following certificates into a trustchain.PEM file:

    • All intermediate CA certificates.

    • The root CA certificate.

    • The System Manager root CA certificate.
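The following script is an added example and is not Avaya tooling: it carries out the preparation steps listed above with the OpenSSL CLI (a CSR with the required keyUsage, extendedKeyUsage and subjectAltName extensions, an unencrypted key, and a trustchain.PEM concatenated in the order given) and then checks each result before the request is sent to the CA. The cluster FQDN aawg.example.com, the node FQDN aawg-node1.example.com and the working directory ./aawg-certs are assumed names; the "third-party" root, intermediate and "System Manager root CA" it creates are constructed stand-ins so that the script runs offline, and in a real deployment those certificates come from the CA and from System Manager. The leaf-then-intermediates order used for the identity chain is the usual convention and is an assumption here, since this page only refers to Generating an identity certificate chain.

```shell
#!/bin/sh
# Added example (not Avaya tooling): build the CSR, unencrypted key and
# trustchain.PEM from "Before you begin" with the OpenSSL CLI, then check them.
# Constructed names: aawg.example.com (cluster FQDN), aawg-node1.example.com
# (this node's FQDN), ./aawg-certs (working directory).
set -e

WORKDIR="${WORKDIR:-./aawg-certs}"
CLUSTER_FQDN="${CLUSTER_FQDN:-aawg.example.com}"
NODE_FQDN="${NODE_FQDN:-aawg-node1.example.com}"

# Request config with the required X509 extensions and a SAN naming the cluster
# FQDN plus this node's FQDN (one certificate per node, as Avaya recommends).
# The v3_ca section is only used for the constructed stand-in CAs below.
write_csr_config() {
  mkdir -p "$WORKDIR"
  cat > "$WORKDIR/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
CN = $NODE_FQDN

[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$CLUSTER_FQDN, DNS:$NODE_FQDN

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
EOF
}

# -nodes keeps the private key unencrypted; password-protected keys are not supported.
generate_csr() {
  write_csr_config
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORKDIR/node.key" \
    -out "$WORKDIR/node.csr" -config "$WORKDIR/csr.cnf" 2>/dev/null
}

# Succeeds only if the CSR really carries both usage sets and both SAN names.
check_csr_extensions() {
  out="$(openssl req -in "$WORKDIR/node.csr" -noout -text)"
  echo "$out" | grep -Fq "Digital Signature, Non Repudiation, Key Encipherment" || return 1
  echo "$out" | grep -Fq "TLS Web Server Authentication, TLS Web Client Authentication" || return 1
  echo "$out" | grep -Fq "DNS:$CLUSTER_FQDN" || return 1
  echo "$out" | grep -Fq "DNS:$NODE_FQDN" || return 1
}

# An encrypted PEM key says so in its header; catch it before the import step.
key_is_unencrypted() {
  grep -q "ENCRYPTED" "$WORKDIR/node.key" && return 1
  return 0
}

# Constructed stand-ins (offline run only): a third-party root, an intermediate
# under it, and a self-signed "System Manager root CA".
make_toy_cas() {
  for ca in root:"Toy Third-Party Root" smgr:"Toy SMGR Root"; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=${ca#*:}" \
      -config "$WORKDIR/csr.cnf" -extensions v3_ca \
      -keyout "$WORKDIR/${ca%%:*}.key" -out "$WORKDIR/${ca%%:*}.pem" 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Intermediate" -config "$WORKDIR/csr.cnf" \
    -keyout "$WORKDIR/int.key" -out "$WORKDIR/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/int.csr" -CA "$WORKDIR/root.pem" -CAkey "$WORKDIR/root.key" \
    -CAcreateserial -days 365 -extfile "$WORKDIR/csr.cnf" -extensions v3_ca \
    -out "$WORKDIR/int.pem" 2>/dev/null
}

# The intermediate signs the node CSR, re-applying v3_req so the extensions
# survive into the issued certificate (a real CA does this on its side).
sign_node_csr() {
  openssl x509 -req -in "$WORKDIR/node.csr" -CA "$WORKDIR/int.pem" -CAkey "$WORKDIR/int.key" \
    -CAcreateserial -days 365 -extfile "$WORKDIR/csr.cnf" -extensions v3_req \
    -out "$WORKDIR/node.pem" 2>/dev/null
}

# Identity chain: leaf then intermediates (assumed order). Trust chain: all
# intermediates, the third-party root, then the System Manager root, as listed.
build_chains() {
  cat "$WORKDIR/node.pem" "$WORKDIR/int.pem" > "$WORKDIR/identitychain.pem"
  cat "$WORKDIR/int.pem" "$WORKDIR/root.pem" "$WORKDIR/smgr.pem" > "$WORKDIR/trustchain.PEM"
}

# The leaf must validate against trustchain.PEM and match the unencrypted key.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/trustchain.PEM" "$WORKDIR/node.pem" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$WORKDIR/node.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORKDIR/node.key" -pubout 2>/dev/null)" ] || return 1
}

count_certs() { grep -c "BEGIN CERTIFICATE" "$1"; }

build_all() {
  generate_csr && check_csr_extensions && key_is_unencrypted \
    && make_toy_cas && sign_node_csr && build_chains && verify_chain
}

build_all && echo "CSR, key, identitychain.pem and trustchain.PEM ready in $WORKDIR"
```

Run it once on the node that will hold the key; node.csr goes to the CA, and after the signed certificates return, the same count_certs and verify_chain checks apply to the real identitychain.pem and trustchain.PEM before they are added in the REST interface and Signing authority steps of the procedure. Every certificate placed in trustchain.PEM must already be in .PEM format, because the concatenation is plain text.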

Procedure

  1. Log on to Avaya Aura® Web Gateway using your SSH credentials.
  2. If you are using reverse proxy on the Avaya SBC to Avaya Aura® Web Gateway, import the intermediate CA certificate and the root CA certificate to the Avaya SBC trust store.
  3. Run the Avaya Aura® Web Gateway configuration utility using the app configure command.
  4. Do the following to import intermediate CA certificates to Avaya Aura® Web Gateway:
    1. Select Add a Certificate to the TrustStore.
    2. Click Select.
    3. Enter the path to the certificate file and then click OK.
    4. Click Apply to import the certificate.
    5. Repeat these steps for all intermediate CA certificates.

    Avaya Aura® Web Gateway does not import a certificate into the truststore if the certificate has unsupported critical extensions, has expired, or has a start date in the future.

  5. Click Front-end host, System Manager and Certificate Configuration.
  6. Click Use System Manager for Certificates and type n to not use System Manager for certificates.
  7. Click REST Interface certificate configuration. If the certificate is not in the PKCS12 format, type n on the REST Interface certificate configuration screen.
  8. Add the key file to the REST interface PEM key file and the certificate chain to the REST interface PEM certificate file.
  9. Click Signing authority certificate configuration on the Front-end host, System Manager and Certificate Configuration screen.
  10. If the CA root certificate is not in the PKCS12 format, type n.
  11. Click Signing Authority PEM certificate file and add the trustchain.PEM trust certificate chain that you have created.
  12. Click Return to previous menu.
  13. Click Apply.