Signing identity certificates for Avaya Aura Device Services using third-party CA certificates

Last Updated: Jun 10, 2026

About this task

You can use the following procedure to sign identity certificates for Avaya Aura® Device Services using third-party CA certificates.

Note:

In the following procedure, the third-party CA certificate can be a public CA or an internal private CA.

Before you begin

  • Create a CSR with the following X509 extensions:

    • keyUsage = nonRepudiation, digitalSignature, keyEncipherment

    • extendedKeyUsage = serverAuth, clientAuth

  • Ensure that the CSR contains the following:

    • If the certificate is only used on the Avaya SBC, the request contains the subjectAltName extension that lists the cluster FQDN in the SAN.

    • If the certificate is used on both Avaya SBC and the Avaya Aura® Device Services server, the request contains the subjectAltName extension that lists the cluster FQDN as well as the FQDN of each cluster member in the SAN. For OpenLDAP, the subjectAltName extension must also include the localhost.localdomain and, for IPv6, localhost6.localdomain records.

      Note:

      From the security perspective, Avaya recommends that you generate separate certificates for each node, including the cluster FQDN and the individual cluster node FQDN in subjectAltName.

  • Do not set a password on the key, because password-protected keys are not supported.

  • Ensure that the key generated along with the CSR is stored safely.

  • After the certification authority issues the certificate, ensure that you have received the identity certificate, the root CA certificate, and all intermediate CA certificates in the .PEM format. If these certificates are not in the .PEM format, you can convert them using the OpenSSL tool.

  • Generate the identity certificate chain.

  • If you use System Manager certificates in your deployment, obtain the System Manager root CA certificate.

  • Generate the trust certificate chain by concatenating the following certificates into a trustchain.PEM file:

    • All intermediate CA certificates.

    • The root CA certificate.

    • The System Manager root CA certificate.

      Note:

      The System Manager root CA certificate is not required for deployments without Avaya Aura®.
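
The CSR and trust-chain preparation steps above, written as shell functions around OpenSSL. This is an added example, not Avaya's own tooling: the function names, the RSA 2048 key type, the use of the cluster FQDN as CN, and the example.com hostnames are assumptions.

```shell
#!/bin/sh
# Added example, not Avaya tooling. Function names are hypothetical.

# write_csr_config CLUSTER_FQDN [SAN_NAME...]
# Prints an OpenSSL req config with the X509 extensions the page lists.
# The cluster FQDN is used as CN (assumption) and as the first SAN entry.
write_csr_config() {
    cluster=$1; shift
    cat <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = $cluster
[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[ alt_names ]
EOF
    i=1
    for name in "$cluster" "$@"; do
        echo "DNS.$i = $name"
        i=$((i + 1))
    done
}

# make_csr CONFIG KEY_OUT CSR_OUT
# -nodes writes the key without a passphrase, since password-protected keys
# are not supported; umask 077 keeps the key file readable by its owner only.
# RSA 2048 is an assumption; the page does not state a key type.
make_csr() {
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -config "$1" -keyout "$2" -out "$3" ) &&
    openssl req -in "$3" -noout -text   # review the extensions before sending
}

# build_trustchain OUT CERT...
# Concatenates certificates in the order given (intermediates, root CA,
# then the System Manager root CA if used), refusing any non-PEM input.
build_trustchain() {
    out=$1; shift
    for f in "$@"; do
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || {
            echo "not a PEM certificate: $f" >&2; return 1; }
    done
    cat "$@" > "$out"
}
# Usage (constructed names): write_csr_config aads.example.com node1.example.com > csr.cnf
```

For the OpenLDAP case, pass localhost.localdomain (and localhost6.localdomain for IPv6) as additional SAN names to write_csr_config.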

Procedure

  1. Log on to Avaya Aura® Device Services using your SSH credentials.
  2. If you are using reverse proxy on the Avaya SBC to Avaya Aura® Device Services, import the intermediate CA certificate and the root CA certificate to the Avaya SBC trust store.
  3. Run the Avaya Aura® Device Services configuration utility using the app configure command.
  4. Do the following to import intermediate CA certificates to Avaya Aura® Device Services:
    1. Select Add a Certificate to the TrustStore.
    2. Click Select.
    3. Enter the path to the certificate file and then click OK.
    4. Click Apply to import the certificate.
    5. Repeat these steps for all intermediate CA certificates.

    Avaya Aura® Device Services does not import a certificate into the truststore if the certificate has unsupported critical extensions, has expired, or has a start date in the future.

  5. Click Front-end host, System Manager and Certificate Configuration.
  6. Click Use System Manager for Certificates and type n to not use System Manager for certificates.
  7. Click REST Interface certificate configuration. If the certificate is not in the PKCS12 format, type n on the REST Interface certificate configuration screen.
  8. Add the key file to the REST interface PEM key file and the certificate chain to the REST interface PEM certificate file.
  9. Click Signing authority certificate configuration on the Front-end host, System Manager and Certificate Configuration screen.
  10. If the CA root certificate is not in the PKCS12 format, type n.
  11. Click Signing Authority PEM certificate file and add the trustchain.PEM trust certificate chain that you have created.
  12. Click Return to previous menu.
  13. Click Apply.