Certificate management

Last Updated: Jul 22, 2021

Session Manager uses five unique certificates:

  • WebSphere

  • SAL Agent

  • Management

  • SIP

  • HTTPS

SIP and HTTPS are the most important because these certificates are used to communicate with outside entities such as Communication Manager and endpoints.

Note:

Session Manager can enforce certificate validation for SIP endpoint communication. Session Manager establishes communication if the endpoint presents a valid and trusted certificate.

Any changes to these interfaces can cause major service interruptions. Be very careful when changing these certificates. The near end and far end use the certificates to trust each other. Each side presents its identity certificate during TLS negotiation. If one side does not trust the identity certificate of the other side, the connection fails. For an entity to trust another certificate, the entity must contain the root CA certificate from the CA that issued the identity certificate. Examples of CAs are: VeriSign, Symantec, System Manager, and Avaya's SIP Product CA.

The root CA certificate must be stored in the entity's trusted list, also known as a trust store. To change the SIP or HTTPS identity certificate of a Session Manager, each far-end entity must contain the new root CA certificate in its trusted list. You must add the new root CA certificate to the trusted list of the far end before changing the identity certificates.
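The ordering rule above can be checked before the change: confirm that every far-end trusted list already chains the new identity certificate to its root CA. This is an added example, not Avaya tooling; it assumes each far-end trusted list has been exported as a PEM bundle and that OpenSSL 1.1.0 or later is installed, and all CA names, host names and files in it are constructed.

```shell
#!/usr/bin/env bash
# Added example. CA names, host names and file names are constructed test data.

# far_end_trusts TRUST_STORE_PEM IDENTITY_PEM
# Succeeds only if the identity certificate chains to a root CA in that store.
# -no-CApath keeps the workstation's own CA directory out of the decision.
far_end_trusts() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_root_ca DIR NAME: create a self-signed root CA (test data only).
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_identity DIR CA_NAME SUBJECT: identity certificate signed by CA_NAME.
issue_identity() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 30 -out "$1/$3.pem" 2>/dev/null
}

# precheck IDENTITY_PEM TRUST_STORE_PEM...
# Reports every far-end store; returns non-zero if any store lacks the root.
precheck() {
    local id="$1" rc=0 store; shift
    for store in "$@"; do
        if far_end_trusts "$store" "$id"; then
            echo "OK    $store"
        else
            echo "BLOCK $store: add the new root CA before changing the identity certificate"
            rc=1
        fi
    done
    return "$rc"
}

demo() {
    local d; d=$(mktemp -d)
    make_root_ca "$d" old-root; make_root_ca "$d" new-root
    issue_identity "$d" new-root sm.example.test
    cp "$d/old-root.pem" "$d/far-end-a.pem"                       # not yet updated
    cat "$d/old-root.pem" "$d/new-root.pem" > "$d/far-end-b.pem"  # new root added
    precheck "$d/sm.example.test.pem" "$d/far-end-a.pem" "$d/far-end-b.pem"
    local rc=$?; rm -rf "$d"; return "$rc"
}
demo || true
```

A non-zero return from `precheck` means at least one far end would reject the new identity certificate during TLS negotiation, so the change should wait until that trusted list is updated.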

To handle certificates for a new installation, do one of the following:

  • Use the new ID certificates issued by System Manager. This is the default setting.

  • Use the ID certificates issued by a third party.