Importing intermediate CA certificates

Last Updated : Jun 10, 2026 |

About this task

In some deployments where certificates are imported rather than generated by Avaya Aura® System Manager, server certificates are signed by an intermediate Certificate Authority (CA) rather than a root CA. To use the certificates, a chain of trust is required: The root CA signs the intermediate CA certificate, and the intermediate CA signs the server certificate.

To create a certificate chain, you must concatenate the PEM-format certificate files for the server and the intermediate CA so that the server certificate is first.

Important:

The node and back-end certificates do not support intermediate CAs, and importing certificate chains for those certificates fails.

The following procedure describes how to concatenate the PEM-format certificate files and import the files using the configuration utility.

Procedure

  1. Copy the server certificate file to a new file for concatenation.
    For example: 
    cp server.crt certificate-chain.crt
  2. Concatenate the intermediate certificate file to the file created in the previous step.

    For example:

    cat intermediateca.crt >> certificate-chain.crt
  3. Run the Avaya Aura® Device Services configuration utility using the app configure command.
  4. Select Front-end host, System Manager and Certificate Configuration and do one of the following:

    • If you use Avaya Aura® Device Services in Avaya Aura® environment, continue from step 5.

    • If you use Avaya Aura® Device Services in an environment without Avaya Aura®, continue from step 8.

  5. Configure the System Manager connection details:

    • System Manager FQDN

    • System Manager HTTPS Port or the Front-end port for reverse proxy, if applicable

      To configure the reverse proxy port number, you must first set the Override port for reverse proxy setting to y (yes).

  6. Configure the System Manager Enrollment Password option.

    The System Manager enrollment password is used for adding the certificates to the trust store of the client applications.

  7. Set Use System Manager to n (no).

    The menu displays options for importing individual certificate files.

  8. Select one of the following options to provide the path to the concatenated certificate file:

    • REST interface certificate file

    • OAM interface certificate file

  9. Import the key file of the certificate using the corresponding menu option:

    • REST interface key file

    • OAM interface key file

    The key file does not require alteration. Import the key file as if you are importing individual certificates.

  10. Configure the Keystore password option.

    This password is used for adding the certificates to the trust store of the client applications. The role of the keystore password is similar to the role of the Avaya Aura® System Manager enrollment password in the configurations that use the Avaya Aura® System Manager root certificate.

  11. Restart Avaya Aura® Device Services and check the configuration utility log files to ensure that the certificates were imported successfully.