Security certificates are used to establish an encrypted, secure session with the Avaya media server. A certificate contains encryption keys. Once it is accepted, all data transmitted between the server and your browser is encrypted to prevent unauthorized users from intercepting and viewing it (for example, passwords or other sensitive information). This topic covers:
Security alerts for server certificates and how to resolve them
The Avaya media server uses two kinds of security certificates:
Root certificate. This certificate establishes Avaya Inc. as a trusted Certificate Authority (CA). This certificate should be installed after you log in. See Install Avaya Root Certificate for this procedure.
Server certificate. A server security certificate is used to verify a server's identity (see About security certificates for details). The server certificate changes every time the server is reconfigured. If the server's name is changed, you may see a security alert the next time you log in.
The Avaya media server actually provides two server certificates. One is designed for service technicians who must log into many servers; it is issued to the services Ethernet interface address (192.11.13.6) and identifies the certificate authority as the Avaya Call Server. The other is generated with the site-specific server name after the server is configured.
You must accept or store the server certificate before you can log in to the Avaya media server. Make certain you have a secure connection to the server before doing so. See Server security certificate for acceptance guidelines and procedures.
Occasionally a Security Alert screen may appear when you try to log in. This may indicate one of the following problems with the server security certificate:
Company not trusted. This alert appears if Avaya Inc. has not yet been added to the browser's list of trusted authorities. This warning should cease to appear after you install the Avaya root certificate on your browser.
Certificate date not valid. This alert should not appear under normal circumstances, as the security certificate does not expire for many years. Do not accept the certificate if you see this alert.
Server name check or mismatch warning. This message indicates that the name of the web server on the security certificate does not match the server name in the browser's Address or Location field. This error can occur in the following cases:
If a certificate is issued based on the server name and if you try to access the web interface using the server's IP address, you will see this alert. Conversely, if the certificate is issued based on the server's IP address and you try to access it by name, you will also see this alert. It is okay to accept the server certificate in this case.
On-site technicians log into the Avaya media server from the services interface using IP address 192.11.13.6. Because this is the only active interface on a new Avaya server or on a replacement media server that has been reset to default values, the original security certificate lists 192.11.13.6 as the server name. Technicians should install the Avaya root certificate to stop this alert from appearing again.
A replacement server that was previously configured for another location may present a security certificate with the name of the server at the previous location. Technicians should accept this certificate for the current session in order to log in and reset to default values.
Do not accept the certificate if you are logging in over the Internet and the server name is not the one that this company has assigned to their Avaya media server.
Additional problems with the security certificate include:
<browser> encountered bad data from the server. You may see this error if someone else updates the security certificate for the media server while you are accessing the web interface. If this happens:
Exit the browser (close the application).
Open the browser again, then log back in to the Avaya media server.
You will have to accept the new certificate to access the server again.
A security certificate is a small file that is exchanged between a web server and your browser. These certificates can serve two purposes:
They can be used to verify that the web site with which you are communicating is who it claims to be. That is, a hacker has not stolen its identity.
They are used to exchange numbers known as encryption keys which are used to encrypt the messages that get exchanged between a web server and your browser. This prevents someone from viewing the content of these messages which could contain important information such as passwords.
Certificates depend on a technology known as public key encryption or PKI. PKI is a technology that uses two encryption keys. One is called the public key and the other the private key. The mathematics behind PKI is such that a message that is encrypted with one of the keys can be decrypted only with the other key. If a web server encrypts a message with its private key (which it keeps secret), and your browser knows the corresponding public key (which is made public by the web site), your browser can decrypt the message sent by the web server. If your browser can decrypt the message with the web site's public key, then it knows for sure that the message was encrypted with the corresponding private key and the only server that knows this key is the web site with which it is trying to communicate.
A browser receives the public key in the security certificate that the web site sends it. The browser knows that the certificate came from this site and not from some other site because the certificate is cryptographically signed by a company, known as a Certificate Authority (CA), that the browser has been told to trust. When the browser manufacturer delivers its browser software, it delivers a series of well-known certificates from companies such as Verisign or Thawte (certificate authorities). The certificate arriving from the web server tells the browser who signed it. The browser looks in its list of certificates to see if the signer (the certificate authority) is in the list. If it is, the browser automatically checks the signature on the incoming certificate, and if it is correct, the certificate is accepted; you the user never see this activity. However, if the browser does not find such a certificate, it prompts you to accept the incoming certificate.
The certificates offered by the Avaya media server are signed by Avaya. Browser manufacturers do not include an Avaya Certificate Authority certificate with their browsers, because Avaya does not sign certificates for web sites in general. Avaya signs certificates only for its media servers, and these certificates are used only in this context. Therefore you must install the Avaya certificate yourself.
Again, there are two types of certificates, a server certificate and a Certificate Authority (CA) certificate. The server certificate is automatically sent by the web site for each web session. The CA certificate must be loaded into the browser manually, if it is not already present.
Example. On Internet Explorer, the Security Alert dialog box is a notice of a server certificate arrival. The browser has made three checks of the arriving server certificate. (These are the three security alerts listed under Security alerts for server certificates.) A yellow triangle next to the first check indicates that the browser does not have the CA certificate that was used to sign the arriving server certificate. The browser cannot validate the authenticity of the arriving certificate and you must make the decision yourself. The second check should show a green circle, indicating that the arriving server certificate has not expired. The third check should also show a green circle, indicating that the value in the browser's address window matches the address that is contained in the arriving certificate (or a triangle in the case of a server name mismatch). If all three checks would result in a green circle, this screen would not appear at all. If you install the CA certificate from Avaya, you will no longer get security alert warnings. You can install the Avaya CA (root) certificate after you log in; to log in without having the CA certificate you must accept the server certificate manually.
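The three checks described above can be reproduced with Go's crypto/x509 package. This is an added example, not Avaya's code: the CA and the server certificate are constructed inside the program, with the server certificate issued to the services address 192.11.13.6, and issue, Alerts and build are hypothetical helper names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue gives tmpl a one-year validity and signs it with signer (hypothetical helper).
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber, tmpl.NotBefore, tmpl.NotAfter = big.NewInt(1), time.Now().Add(-time.Hour), time.Now().AddDate(1, 0, 0)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint("certificate construction failed: ", err, perr))
	}
	return cert
}

// Alerts runs the dialog's three checks independently; root is nil until the CA certificate is installed.
func Alerts(cert, root *x509.Certificate, address string, now time.Time) (alerts []string) {
	if root == nil || cert.CheckSignatureFrom(root) != nil { // check 1: signed by a trusted CA?
		alerts = append(alerts, "company not trusted")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) { // check 2: within the validity period?
		alerts = append(alerts, "certificate date not valid")
	}
	if cert.VerifyHostname(address) != nil { // check 3: typed name or IP matches the certificate?
		alerts = append(alerts, "server name mismatch")
	}
	return alerts
}

// build returns a constructed sample: a private CA and a server certificate issued to 192.11.13.6.
func build() (ca, srv *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	srvPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caT := &x509.Certificate{IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	srvT := &x509.Certificate{IPAddresses: []net.IP{net.ParseIP("192.11.13.6")}}
	return issue(caT, caT, caPub, caKey), issue(srvT, caT, srvPub, caKey)
}

func main() {
	ca, srv := build()
	fmt.Println(Alerts(srv, nil, "192.11.13.6", time.Now()), Alerts(srv, ca, "server1.example.com", time.Now()))
}
```

With the root certificate installed and the address matching the certificate, Alerts returns nothing, which corresponds to the dialog not appearing at all.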
Install Avaya Root Certificate
Server security certificate