tlscertmanage

Last Updated: Apr 05, 2018

Syntax

tlscertmanage [ -l ] [ -r # ] [ -i file ] [ -h ] [ -q ]
-l

List all CA (Certificate Authority) certificates on the server.

-r #

Remove a CA (specify # 1–8) along with its corresponding file and hash link from the /etc/opt/ecs/certs/CA directory.

Caution:

Applications that depend on certificates will not operate properly if the certificates are removed.

-i file

Install a Certificate Authority into Communication Manager’s trusted certificate repository on disk. This command:

  1. Copies the certificate file from the allowed location into the /etc/opt/ecs/certs/CA directory.

  2. Concatenates the data in the certificate file into the all-ca.crt file.

  3. Creates a link to the newly copied certificate file, named with the certificate’s hash.

The full path to the file must be specified, e.g. tlscertmanage -i /var/home/ftp/pub/newCA.crt
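The three steps above, reproduced as an added shell example. This is not Avaya's tlscertmanage code: it works against a scratch directory passed as REPO (standing in for /etc/opt/ecs/certs/CA), assumes openssl is on PATH, and adds two checks the page does not describe, namely the full-path requirement from the usage note and a refusal to install a certificate whose SHA-256 fingerprint is already in the repository, so all-ca.crt cannot accumulate duplicates. make_test_ca builds a throwaway self-signed CA as constructed input.

```shell
#!/bin/sh
# Added example, not Avaya's tlscertmanage implementation: performs the three
# steps the -i option describes against a scratch repository directory.
# Assumptions: openssl is on PATH; REPO stands in for /etc/opt/ecs/certs/CA.
set -eu

# make_test_ca FILE CN : constructed input, a throwaway self-signed CA.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# install_ca REPO FILE : copy FILE into REPO, append it to all-ca.crt and
# create the OpenSSL subject-hash link (<hash>.N) that points at the copy.
install_ca() {
    repo=$1; src=$2
    case $src in
        /*) ;;
        *) echo "error: full path required: $src" >&2; return 2 ;;
    esac
    # Only a parseable X.509 certificate may enter the trust store.
    openssl x509 -in "$src" -noout >/dev/null 2>&1 || {
        echo "error: $src is not a PEM certificate" >&2; return 3; }
    mkdir -p "$repo"
    name=$(basename "$src")
    # Added check: refuse a CA whose fingerprint is already in the repository,
    # so all-ca.crt never accumulates duplicate entries.
    fp=$(openssl x509 -in "$src" -noout -fingerprint -sha256)
    for existing in "$repo"/*; do
        [ -f "$existing" ] && [ ! -L "$existing" ] &&
            [ "$existing" != "$repo/all-ca.crt" ] || continue
        if [ "$(openssl x509 -in "$existing" -noout -fingerprint -sha256 2>/dev/null)" = "$fp" ]; then
            echo "already installed as $existing" >&2; return 1
        fi
    done
    # Step 1: copy the certificate file into the repository.
    cp "$src" "$repo/$name"
    # Step 2: concatenate it into the combined all-ca.crt trust file.
    cat "$repo/$name" >> "$repo/all-ca.crt"
    # Step 3: link <subject-hash>.N to the copy; N separates hash collisions.
    hash=$(openssl x509 -in "$src" -noout -hash)
    n=0
    while [ -e "$repo/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$name" "$repo/$hash.$n"
    echo "installed $name as $hash.$n; restart the application to load it"
}

# count_cas REPO : certificates currently in all-ca.crt (what the
# telephony application would load on its next restart).
count_cas() {
    [ -f "$1/all-ca.crt" ] || { echo 0; return; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1/all-ca.crt" || true
}

# Usage: sh this_script.sh --demo   (builds a test CA and installs it)
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_test_ca "$work/newCA.crt" "Example Root CA"
    install_ca "$work/repo" "$work/newCA.crt"
    echo "all-ca.crt now holds $(count_cas "$work/repo") certificate(s)"
fi
```

The hash link follows the OpenSSL c_rehash convention (subject-name hash plus a numeric suffix), which is what lets a TLS stack find the issuer of a peer certificate by name without reading every file in the directory; count_cas gives the number the application will see on restart, which is the figure to compare against the limit reported in the log.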

-q

Quiet mode — limit logging and return codes.

-h | -?

Display the descriptions of the command options.

Description

The tlscertmanage (transport layer security certificate management) command facilitates loading a third-party trusted certificate into the Communication Manager repository for use the next time Communication Manager restarts.

CA certificates are now installed from the file system rather than being embedded into the telephony application. When Communication Manager is upgraded from an earlier release, the original Avaya CA certificates are installed. The administrator may then choose to modify the list of trusted CA certificates used by the Communication Manager telephony application to support third-party identity certificates.

To change the Communication Manager telephony application’s CA certificates:
  1. Use tlscertmanage to modify the list using the options described above.

  2. Restart the Communication Manager application (stop -afc, start -ac from the root-level command line).

To identify the latest CA certificates installed in the telephony application, review the Communication Manager log and locate the last section of messages containing the phrase "gip/tls: Loaded trusted CA cert". Each CA certificate installed into the application is recorded in the Communication Manager log, which is viewable using the command vilog.

If the application fails to install any or all specified CA certificates, the Communication Manager log will contain one or more of the following error messages (where x is the Communication Manager release number):
  • CMx_proc_err: pro=7204, err=201, seq=22145,da1=<n>,da2=<max>. This indicates that the number of CA certificates specified exceeds the number supported by the telephony application. <n> is the overlimit value and <max> is the maximum number of certificates supported. To resolve, use tlscertmanage to edit the list, then restart the application.

  • CMx_proc_err: pro=7204, err=201, seq=22146,da1=<n>,da2=0. This indicates that a failure occurred when attempting to install the n’th CA certificate into the application. <n> is the index of the CA certificate list item that failed to install. To resolve, use tlscertmanage to remove, then re-add the certificate. Once re-added, restart the application.

  • CMx_proc_err: pro=7204, err=201, seq=22147,da1=0,da2=0. This indicates that the CA certificate list file, /etc/opt/ecs/certs/CA/all-ca.crt, cannot be opened. This may be due to a user privilege issue or a missing/corrupted file. Use tlscertmanage to reconstruct the CA certificate list, then restart the application.
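An added shell example, not from Avaya's documentation or tooling, that turns the two log checks just described into a script: it counts the CA certificates recorded by the most recent load pass, taking "the last section of messages" to mean the last contiguous run of "gip/tls: Loaded trusted CA cert" lines, and decodes the three documented CMx_proc_err messages into their cause and remedy from the seq, da1 and da2 fields. The sample log is constructed: only the quoted phrases come from the page, while the timestamps, the CM8 release prefix and the "#n" suffixes are assumptions about the line layout.

```shell
#!/bin/sh
# Added example, not part of Avaya's documentation or tooling: triage a saved
# Communication Manager log (for instance vilog output redirected to a file)
# for the TLS trust-store messages the documentation describes.
set -eu

# sample_log : constructed log lines for offline use. Only the quoted phrases
# are from the documentation; timestamps, the "CM8" release prefix and the
# "#n" suffixes are assumptions about the layout.
sample_log() {
    cat <<'EOF'
20180405:101500 gip/tls: Loaded trusted CA cert #1
20180405:101500 gip/tls: Loaded trusted CA cert #2
20180405:101500 gip/tls: Loaded trusted CA cert #3
20180405:101501 CM8_proc_err: pro=7204, err=201, seq=22145,da1=2,da2=3
20180405:113000 telephony application restarted
20180405:113002 gip/tls: Loaded trusted CA cert #1
20180405:113002 gip/tls: Loaded trusted CA cert #2
20180405:113003 CM8_proc_err: pro=7204, err=201, seq=22146,da1=3,da2=0
EOF
}

# loaded_ca_count FILE : how many CA certificates the most recent load pass
# recorded, taken as the last contiguous run of "Loaded trusted CA cert"
# lines (earlier runs belong to previous restarts and are ignored).
loaded_ca_count() {
    awk -v p='gip/tls: Loaded trusted CA cert' '
        index($0, p) { if (!inrun) { n = 0; inrun = 1 } n++; next }
        { inrun = 0 }
        END { print n + 0 }' "$1"
}

# explain_tls_errors FILE : one line per documented CA-install error, giving
# the cause and the documented remedy decoded from the seq/da1/da2 fields.
explain_tls_errors() {
    grep -E 'CM[^ _]*_proc_err: pro=7204, err=201, seq=2214[567]' "$1" |
    while IFS= read -r line; do
        seq=$(printf '%s\n' "$line" | sed -n 's/.*seq=\([0-9]*\).*/\1/p')
        da1=$(printf '%s\n' "$line" | sed -n 's/.*da1=\([0-9]*\).*/\1/p')
        da2=$(printf '%s\n' "$line" | sed -n 's/.*da2=\([0-9]*\).*/\1/p')
        case $seq in
            22145) echo "seq=$seq: $da1 certificate(s) over the supported maximum of $da2; trim the list with tlscertmanage -r, then restart" ;;
            22146) echo "seq=$seq: CA certificate #$da1 failed to install; remove and re-add it with tlscertmanage, then restart" ;;
            22147) echo "seq=$seq: all-ca.crt could not be opened (privileges, or missing/corrupt file); rebuild the list with tlscertmanage, then restart" ;;
        esac
    done
}

# Usage: sh this_script.sh /path/to/saved.log
if [ "${1:-}" != "" ]; then
    echo "CA certificates loaded by the last pass: $(loaded_ca_count "$1")"
    explain_tls_errors "$1"
fi
```

Because each restart writes a fresh run of "Loaded trusted CA cert" lines, counting only the last run avoids mistaking certificates loaded before an edit for the current trust list; comparing that count with the number of entries tlscertmanage -l shows is a quick way to confirm the restart picked up the change.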

tlscertmanage informs the administrator upon successfully displaying, adding, or removing CA certificate list entries, and notes that a restart of the application is required if the list has changed. It prompts for confirmation before deleting a CA entry and associated CA files from the file system. It returns a warning message if the CA certificate list is empty.