Certificates required for an Avaya Aura environment

Last Updated : Jun 10, 2026 |

If you plan to deploy Avaya Aura® Device Services in an Avaya Aura® environment and want to use third-party certificates specific to your organization, obtain the following certificates before installing Avaya Aura® Device Services:

  • The System Manager root CA certificate in PEM format in a file with the smgrca.pem file name.

  • The third-party root CA certificate in the PEM format in a file with the root.pem file name.

  • One or more intermediate CA certificates in the PEM format concatenated into a single certificate chain in a file with the intermediate.pem file name.

  • An identity certificate signed by the third-party CA for Avaya Aura® Device Services. The certificate must meet the following requirements:

    • The certificate format is PEM or PKCS12.

    • The Common Name parameter contains the external load balancer FQDN or the Avaya Aura® Device Services virtual IP FQDN.

    • The Subject Alternative Names parameter contains the following entries:

      • FQDNs of all Avaya Aura® Device Services nodes in your deployment.

      • If you want to use the Utility Server: The virtual FQDN of the Utility Server.

        Note:

        In cloud environments, such as Microsoft Azure, Google Cloud Platform, or AWS, this is the FQDN of the external load balancer.

      • If you want to use the onboard Open LDAP: the localhost.localdomain record for IPv4 and the localhost6.localdomain record for IPv6.

  • An identity certificate signed by the third-party CA for System Manager. The certificate must meet the following requirements:

    • The certificate format is PEM or PKCS12.

    • The Common Name parameter contains the virtual FQDN of System Manager.

      Note:

      You must use this FQDN when configuring System Manager settings during Avaya Aura® Device Services installation.

    You must add this certificate to System Manager before starting to install Avaya Aura® Device Services. Otherwise, Avaya Aura® Device Services installation will fail.

  • A third-party CA-signed identity certificate chain to be used for Avaya Aura® Device Services. The certificate chain must be in the PKCS12 format in a file with the identity.p12 file name. The chain must consist of the identity certificate followed by all intermediate CA certificates in a reverse chain order.

    Most third-party CAs use root and intermediate CAs to sign identity certificates. As a result, you must import identity and trust certificate chains to Avaya Aura® Device Services in the PKCS12 format.

Related information
Third-party CA-signed certificates
Configuring third-party identity certificates for System Manager