Importing third-party CA-signed certificates

Last Updated: Jun 05, 2026

About this task

If you do not use Avaya Aura® System Manager for certificate management, Avaya Aura® Device Services enables you to use certificates specific to your organization and have the certificates signed by a local or public certificate authority (CA).

The following procedure describes how to import third-party certificate files and corresponding key files using the configuration utility.

Before you begin

Import third-party root and all intermediate CAs into the following trust stores in order:

  • The trust stores of each server that interacts with Avaya Aura® Device Services in your deployment, including System Manager, Session Manager, Avaya Aura® Session Border Controller, and Avaya Meetings Management servers.

  • The Avaya Aura® Device Services trust store. This is required for intra-cluster communications where the Avaya Aura® Device Services identity certificate is presented to other servers within the cluster.

Important:

You must import the certificates into these trust stores in the order listed. Otherwise, a loss of service can occur because Avaya Aura® Device Services cannot communicate with some or all of the mentioned servers.

Procedure

  1. Run the Avaya Aura® Device Services configuration utility using the app configure command.
  2. Select Front-end host, System Manager and Certificate Configuration and do one of the following:
    • If you use Avaya Aura® Device Services in an Avaya Aura® environment, continue from step 3.

    • If you use Avaya Aura® Device Services in an environment without Avaya Aura®, continue from step 6.

  3. Configure the System Manager connection details:
    • System Manager FQDN

    • System Manager HTTPS Port or the Front-end port for reverse proxy, if applicable

      To configure the reverse proxy port number, you must first set the Override port for reverse proxy setting to y (yes).

  4. Configure the System Manager Enrollment Password option.

    The System Manager enrollment password is used for adding the certificates to the trust store of the client applications.

  5. Set Use System Manager to n (no).

    The menu displays options for importing individual certificate files and the corresponding key files.

  6. Configure the following options to provide the paths to the certificate and key files:
    • REST interface key file

    • REST interface certificate file

    • OAM interface key file

    • OAM interface certificate file

    • node key file

    • node certificate file

    • signing authority certificate file

    The certificate and the corresponding key file must be present on the server when they are imported. If one pair of files is not imported because one or both files are missing, the other files may still be imported so that you can selectively replace individual certificates. To generate certificates, you can also use Avaya Aura® System Manager and replace individual certificates, such as the front-end certificates.

  7. Configure the Keystore password option.

    This password is used for adding the certificates to the trust store of the client applications. The role of the keystore password is similar to the role of the Avaya Aura® System Manager enrollment password in the configurations that use the Avaya Aura® System Manager root certificate.

  8. Restart Avaya Aura® Device Services and check the configuration utility log files to ensure that the certificates were imported successfully.
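
A pre-import check for the files named in step 6, added here as an example and not taken from the Avaya documentation: it reports each pair independently (missing file, key that does not match its certificate, certificate that does not chain to the signing authority file). The function names, the file names (rest.crt, oam.key, ca.crt and so on) and the availability of the OpenSSL command line on the server are assumptions, as are PEM encoding and unencrypted key files.

```shell
#!/bin/sh
# Pre-import check for the certificate/key pairs listed in step 6.
# Assumptions: PEM files, unencrypted keys, and a signing authority file
# that holds the root plus any intermediates. All file names are hypothetical.

# check_pair LABEL CERT KEY CA
# returns 0 = ok, 1 = file missing, 2 = key does not match certificate,
#         3 = certificate does not chain to the signing authority file
check_pair() {
    label=$1 cert=$2 key=$3 ca=$4
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "$label: certificate or key file missing"; return 1
    fi
    # Compare the public key embedded in the certificate with the one derived
    # from the private key; empty output means the file failed to parse.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$label: key does not match certificate"; return 2
    fi
    # -no-CApath (OpenSSL 1.1.0+) limits trust to the supplied file.
    if ! openssl verify -no-CApath -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "$label: not signed by the supplied signing authority"; return 3
    fi
    echo "$label: OK"
}

# check_all DIR: check the REST, OAM and node pairs in DIR against DIR/ca.crt.
# Returns the number of pairs that failed.
check_all() {
    dir=$1 failed=0
    for name in rest oam node; do
        check_pair "$name" "$dir/$name.crt" "$dir/$name.key" "$dir/ca.crt" \
            || failed=$((failed + 1))
    done
    return "$failed"
}

# Run only when a directory is given: sh check_certs.sh /path/to/certs
if [ $# -ge 1 ]; then check_all "$1"; fi
```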