Avaya Support Forums

Avaya Support Forums (http://support.avaya.com/forums/index.php)
-   Telephones, Adjuncts, and Adapters (http://support.avaya.com/forums/forumdisplay.php?f=27)
-   -   Renewing VPN Phone Certificate SCEP - MYCERTRENEW 9611G and 9630G (http://support.avaya.com/forums/showthread.php?t=5987)

mbong 02-03-2015 12:53 PM

Renewing VPN Phone Certificate SCEP - MYCERTRENEW 9611G and 9630G

We have VPN phones working well configured for user authentication along with a device certificate downloaded to the phone upon programming. The certificate is obtained using the Simple Certificate Enrollment Process (SCEP) from an MS Certificate Authority server.

We have this setup configured with 4621SW, 9630G (3.10S fw) and 9611G (6.3037 fw) phones. We currently reprogram phones with a new device certificate when one expires. However, there seems to be a way to automatically renew the certificate on 96x0 and 96x1 phones as evidenced by this parameter found in the settings.txt file:

## MYCERTRENEW specifies the percentage of the identity certificate's
## Validity interval after which renewal procedures will be initiated.
## Valid values are 1 through 99; the default value is 90.
## This parameter is supported by:
## 96x1 H.323 R6.0 and later
## 96x1 SIP R6.0 and later
## 96x0 H.323 R3.1 and later
## 96x0 SIP R1.0 and later

I have opened tickets with Avaya and have not been able to receive much information on this. Based on firmware change-logs for these set types, it is supposed to work, but there doesn't seem to be any documentation specifically regarding the exact way this works.

Has anyone gotten this to work and/or can shed light on the following questions I have?

- When the phone initiates the renewal procedure, can the requests be seen on the MS certificate server? If so, where can we see this?
- How often does the phone initiate the procedure before it is successful and/or does it stop after a certain point of failure?

agronw 06-01-2015 05:13 AM

Hi, I am interested in an answer as well... regards, andre

fwilkepcs 06-01-2015 03:42 PM

I recently used that option with a customer who uses certificates and SIP for EAP TLS Radius authentication. It is documented that Mycertrenew defines the percentage of the certificate lifetime after that the phone will try to request a new certificate after 90% of the certificate lifetime. I set it to 1 to try and we could see that new certificates are generated every seven days in my example.

You should be able to see new generated certificates or declined certificate requests.

All times are GMT -7. The time now is 11:24 PM.