Overview
Each Communication Manager is installed with a temporary identity certificate for the SMI Web interface. With Release 10.1, Avaya no longer ships the identity certificate (signed by SIP Product Certificate Authority) that allows Communication Manager to act as a TLS server for SIP trunks, gateways or H.323 stations. You must manually load an ID certificate into the Communication Manager repository so that Communication Manager can act as a TLS server.
Three methods exist for certificate creation/signing:
Import a 3rd party hosted certificate pair (Trusted CA chain and the Identity cert)
Create a signed cert on System Manager and import to Communication Manager
Use Communication Manager’s Certificate Signing Request (CSR) and point to System Manager’s CA or to some other CA for signing.
With your CA, you should generate identity certificates that use 2048-bit or 3072-bit keys and a SHA-2 hash for all Communication Manager services/interfaces, including Telephony service.
Each service or interface can only have ONE identity certificate, but one identity certificate may be copied into multiple repositories.
Note:
Temporary ID certificates are valid for 90 days. To avoid a service outage, temporary ID certificates must be replaced with a System Manager or third-party CA certificate. A warning message appears on the SMI page at the first logon, and you must acknowledge it. Additionally, you can renew the temporary certificate to avoid interruptions on the SMI web interface. This page allows you to renew the temporary ID certificate for 90 days. After the temporary certificate is replaced, Communication Manager SMI stops showing the Renew Certificates sub-menu option under the Security menu.
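A pre-import check for the key size, hash and validity points above, as an added example that is not Avaya tooling: it uses the openssl command-line tool on a PEM certificate file to confirm a 2048- or 3072-bit key and a SHA-2 signature, and to flag a certificate that is close to expiry. The function name check_identity_cert and the WARN_DAYS threshold are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Audits a PEM identity certificate against
# the requirements above: 2048- or 3072-bit key, SHA-2 signature hash.
# WARN_DAYS (assumed threshold) flags certificates nearing expiry, such as
# a 90-day temporary certificate that was never replaced.
WARN_DAYS=${WARN_DAYS:-30}

# Prints one finding per line; returns 0 only when every check passes.
check_identity_cert() {
    cert=$1
    rc=0
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "FAIL cannot parse $cert"
        return 2
    }

    # Key size, from the line "Public-Key: (2048 bit)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    case $bits in
        2048|3072) echo "OK   key size: $bits bits" ;;
        *) echo "FAIL key size: ${bits:-unknown} bits"; rc=1 ;;
    esac

    # Signature hash, from the first "Signature Algorithm:" line.
    sig=$(printf '%s\n' "$text" |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1 | tr 'A-Z' 'a-z')
    case $sig in
        *sha224*|*sha256*|*sha384*|*sha512*) echo "OK   signature: $sig" ;;
        *) echo "FAIL signature: ${sig:-unknown} not recognised as SHA-2"; rc=1 ;;
    esac

    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL certificate has expired"; rc=1
    elif ! openssl x509 -in "$cert" -noout \
            -checkend $((WARN_DAYS * 86400)) >/dev/null; then
        echo "FAIL expires within $WARN_DAYS days"; rc=1
    else
        echo "OK   valid for more than $WARN_DAYS days"
    fi
    return $rc
}

# Audit the file named on the command line, if any.
if [ "$#" -gt 0 ]; then check_identity_cert "$1"; fi
```

Run it against the identity certificate before loading it into a repository, and periodically afterwards with WARN_DAYS set to your renewal lead time.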