
Page 1: This Is the Title of the Presentation - RMAUGrmaug.org/Presentations/16AugustPresentations... · Avaya has been allowing customers to use their “Demo” Security Certs. They began

Security Certificates: An Introduction

David Lover Vice President Strategy and Technology

Page 2

Why do you need to understand Digital Certificates?

Introduction to PKI – Public Key Infrastructure

What is a Security Certificate?

What is a Certificate Authority?

Avaya’s use of Security Certificates

High-level deployment tasks

Specific example of deploying certificates

Introduction to Security Certificates

Page 3

Need for Understanding Digital Certificates

X.509 digital certificates carry the identity of a TLS endpoint and the public key with which that identity is proven and the session’s privacy (encryption) keys are negotiated

SSL 2.0 -> SSL 3.0 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2 -> TLS 1.3 (still a draft at the time of this presentation; published as RFC 8446 in August 2018)

Avaya has been allowing customers to use their “Demo” Security Certs.

They began phasing that out in Aura R6 because of the weaker key strength (1024-bit RSA versus 2048-bit) and the lack of “uniqueness”: the same demo certificate, and therefore the same private key, is shared by every system that uses it, so it cannot distinguish one customer’s server from another’s.

“Demo” certs are no longer installed by default (but are kept during an upgrade)

Customers must adopt and maintain a certificate strategy for their Aura system

Page 4

Sample TLS Message Flow

Page 5

TLS Security Certificates – Identity Certificate

• A Security Certificate binds an identity (the server’s name) to a public key; TLS uses it to authenticate the server and to negotiate the keys that encrypt the session

• A Security Certificate must be signed by a Certificate Authority that the peer already trusts

• X.509 allows for various scopes of “Trust” through the choice of Root Certificate Authority (CA) certs:

• Commercial (sometimes called 3rd Party Certs)

• Enterprise

Page 6

Certificate Authority (often referred to as the CA)

• Verifies the identity. The CA must validate the identity of the entity who requested a digital certificate.

• Issues digital certificates. If the validation process succeeds, the CA signs and issues the digital certificate to the entity that requested it.

• Maintains the Certificate Revocation List (CRL). A CRL is a CA-signed list of digital certificates that have been revoked before their expiry date and are no longer valid. These certificates must not be trusted, even though they are still well-formed and unexpired.

Page 7

Signing a Security Certificate

• For Avaya Elements that depend on System Manager for their trust management (i.e. Session Manager), this is done via System Manager

• If the Element supports CSR, use the tools provided in that element to create a CSR (the private key is generated on the element and never leaves it), transfer the file to the Certificate Authority for signing, then install the signed certificate on the element (PEM or PKCS#12)

• If the Element doesn’t support CSR, create the cert directly within the Certificate Authority. This signed cert will be in PKCS#12 format, containing the Private Key to be used by the element. Because that key now exists outside the element, protect the file with a strong password and delete the copies left on the CA host and on any transfer media once it is installed.

Page 8

Certificate Authorities

Page 9

Migration Strategy

• Identify overall Certificate Authority strategy (Public CA, Enterprise CA, SMGR CA, Hybrid)

• Inventory infrastructure to determine which Certs need to be upgraded and who will need a copy of its Root CA Certificates

• Create new Identity Certs (via CSR, when available).

• Obtain and Deploy the Root CAs associated with the new Identity Certs

• Install new Identity Certs and Test Functionality

• Remove old Root CAs

Page 10

Migration Strategy

• Identify overall Certificate Authority strategy (Public CA, Enterprise CA, SMGR CA, Hybrid)

• Inventory infrastructure to determine which Certs need to be upgraded and who will need a copy of its Root CA Certificates

• Obtain and Deploy the Root CAs associated with the new Identity Certs

• Install new Identity Certs and Test Functionality

• Remove old Root CAs

Page 11

TLS Security Certificate Strategies

Continue using weak “Demo” certs

Use your existing Enterprise Root Certificate Authority

Use System Manager as the Enterprise Root Certificate Authority

Use System Manager as an Intermediate CA of your Enterprise Root Certificate Authority

Use Commercial Root CAs (Thawte, VeriSign, etc.)

Use a combination of the above strategies

Page 12

TLS Security Certificates – Continue using Avaya “Demo” certs

Advantages

Easiest option. Most Avaya products still support it.

Some are “hard coded” to trust it.

Extended expiration date

Disadvantages

Non-unique: every system shares the same certificate, so it authenticates nothing in particular

Weak key strength (1024-bit RSA)

Do not meet current NIST standards (SP 800-131A disallows 1024-bit RSA for signature generation)

Avaya will NOT be renewing these certs. Once they expire, they are dead forever.

Page 13

TLS Security Certificates – Use your Existing Enterprise CA

Advantages

Root CA certs tend to already be deployed to enterprise clients and PCs.

Can have a longer expiration

Lets your enterprise manage acquisition of certs for you.

Disadvantages

By default, no one outside of your enterprise will trust these certs

Lose the benefit of “automatic” cert acquisition from “enrolling” with System Manager

Requires coordination with your Enterprise Certificate team

Page 14

TLS Security Certificates – Use System Manager as the Enterprise Root CA

Advantages

Allows easier acquisition of Root CA certs upon installation by “enrolling” with System Manager

Lets you be independent of external departments

Disadvantages

Root CA certs not deployed to enterprise users by default

Root CA certs not deployed to public users by default

Multiple Certificate Authority Servers to manage and keep track of

Page 15

TLS Security Certificates – Use System Manager as an Intermediate CA

Advantages

Allows easier acquisition of Root CA certs upon installation by “enrolling” with System Manager

Lets you be independent of external departments

Lets existing Enterprise Root CAs trust System Manager signed certs

Disadvantages

Root CA certs not deployed to public users by default

Need to get buy-in from existing Enterprise CA owners to become a delegate

Some devices expect to see the full trust chain: the System Manager intermediate cert must be installed on, or presented to, such a device along with the identity cert, otherwise a device that holds only the Enterprise Root cannot link the two and rejects the connection as coming from an unknown issuer.
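Slides 7 and 15 together describe the CSR round trip and the reason a device needs the full chain. The following is an added example, not code from this deck or from any Avaya tool: it builds the same three-tier hierarchy (Enterprise Root CA, a "SMGR" intermediate, element identity certs) with the openssl command line, issues one leaf from a CSR and one as a CA-generated PKCS#12 for an element that cannot make a CSR, and shows the chain check passing with the intermediate and failing without it. The CA names, the hostnames under example.internal and the PKCS#12 password are assumptions.

```shell
#!/bin/sh
# Added example (not from the RMAUG deck or from Avaya): slide 7's two issuance
# paths and slide 15's "full trust chain" requirement, with the openssl CLI.
#   Example Enterprise Root CA -> Example SMGR Intermediate CA -> element certs
# All names, hostnames and the PKCS#12 password below are illustrative assumptions.
set -eu

P12_PASS=changeit   # assumption: transport password for the PKCS#12 bundle

# issue_leaf DIR NAME HOSTNAME : element-style CSR with a fresh 2048-bit key,
# signed by the intermediate with server extensions (SAN = HOSTNAME).
issue_leaf() {
  printf '%s\n' "basicConstraints = critical, CA:FALSE" \
    "keyUsage = critical, digitalSignature, keyEncipherment" \
    "extendedKeyUsage = serverAuth, clientAuth" \
    "subjectAltName = DNS:$3" \
    "subjectKeyIdentifier = hash" "authorityKeyIdentifier = keyid, issuer" > "$1/$2.ext"
  openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/smgr.pem" -CAkey "$1/smgr.key" -CAcreateserial \
    -sha256 -days 730 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# mkpki DIR : build the whole hierarchy under DIR
mkpki() {
  d=$1; mkdir -p "$d"
  # minimal req config (prompt = no, so -subj alone suffices) plus the CA extension section
  cat > "$d/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # 1. Enterprise Root CA, self-signed, 2048-bit RSA (the demo certs slide 3 retires were 1024-bit)
  openssl req -x509 -config "$d/req.cnf" -extensions ca_ext -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -subj "/CN=Example Enterprise Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # 2. System Manager as intermediate CA: CSR from SMGR, signed by the enterprise root (slide 15)
  openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example SMGR Intermediate CA" -keyout "$d/smgr.key" -out "$d/smgr.csr" 2>/dev/null
  openssl x509 -req -in "$d/smgr.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -sha256 -days 1825 -extfile "$d/req.cnf" -extensions ca_ext -out "$d/smgr.pem" 2>/dev/null
  # 3a. Element that supports CSR: the key stays on the element, only the CSR travels to the CA
  issue_leaf "$d" sm1 sm1.example.internal
  # 3b. Element that cannot make a CSR: the CA host generates the key as well and ships
  #     key + cert + chain as one PKCS#12, then discards its copy of the private key
  issue_leaf "$d" legacy1 legacy1.example.internal
  cat "$d/smgr.pem" "$d/root.pem" > "$d/chain.pem"
  openssl pkcs12 -export -inkey "$d/legacy1.key" -in "$d/legacy1.pem" -certfile "$d/chain.pem" \
    -passout "pass:$P12_PASS" -out "$d/legacy1.p12"
  rm "$d/legacy1.key"
}

# verify_leaf ROOT LEAF [INTERMEDIATES] : exit 0 only if LEAF chains to ROOT.
# Without the intermediate the check fails, which is what slide 15 means by
# devices that "expect to see the full trust chain".
verify_leaf() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# p12_subject FILE PASS : subject of the identity cert carried inside a PKCS#12 bundle
p12_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null | openssl x509 -noout -subject
}

# Demo run
DEMO=$(mktemp -d)
mkpki "$DEMO"
verify_leaf "$DEMO/root.pem" "$DEMO/sm1.pem" "$DEMO/smgr.pem" && echo "sm1: trusted when the full chain is present"
verify_leaf "$DEMO/root.pem" "$DEMO/sm1.pem" || echo "sm1: NOT trusted when the intermediate is missing"
echo "PKCS#12 carries: $(p12_subject "$DEMO/legacy1.p12" "$P12_PASS")"
rm -rf "$DEMO"
```

The second verify call is the failure mode to look for in the field: an identity cert that is perfectly valid but rejected because the verifier only has the Enterprise Root. Either install the intermediate in the device's trust store or configure the element to send it with its certificate. The `rm` of `legacy1.key` is the step most often forgotten in the non-CSR path; a private key left on a CA host or a USB stick silently undoes the uniqueness the migration was meant to restore.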

Page 16

TLS Security Certificates – Use 3rd Party Commercial CA

Advantages

Most devices and operating systems come preloaded with the common, well known CA Root Certificates

Disadvantages

Short Expirations (1-2 years typical)

Can be Expensive

Lose the benefit of “automatic” cert acquisition from “enrolling” with System Manager

Not all CAs support the requirements of certain Avaya servers

Page 17

Migration Strategy

• Identify overall Certificate Authority strategy (Public CA, Enterprise CA, SMGR CA, Hybrid)

• Inventory infrastructure to determine which Certs need to be upgraded and who will need a copy of its Root CA Certificates

• Obtain and Deploy the Root CAs associated with the new Identity Certs

• Install new Identity Certs and Test Functionality

• Remove old Root CAs

Page 18

TLS Security Certificates – Inventory

Page 19

TLS Security Certificates – Inventory

Page 20

TLS Security Certificates – Inventory

Page 21

Migration Strategy

• Identify overall Certificate Authority strategy (Public CA, Enterprise CA, SMGR CA, Hybrid)

• Inventory infrastructure to determine which Certs need to be upgraded and who will need a copy of its Root CA Certificates

• Obtain and Deploy the Root CAs associated with the new Identity Certs

• Install new Identity Certs and Test Functionality

• Remove old Root CAs

Page 22

Migration Strategy

• Identify overall Certificate Authority strategy (Public CA, Enterprise CA, SMGR CA, Hybrid)

• Inventory infrastructure to determine which Certs need to be upgraded and who will need a copy of its Root CA Certificates

• Obtain and Deploy the Root CAs associated with the new Identity Certs

• Install new Identity Certs and Test Functionality

• Remove old Root CAs

Page 23

Obtain New Root CA Cert

Page 24

Obtain New Root CA Cert

Page 25

Deploy New Root CA Cert – Communication Manager

Page 26

Deploy New Root CA Cert – Communication Manager

Page 27

Deploy New Root CA Cert – Communication Manager

Communication Manager requires a restart for it to use the new Root CA Trust Cert

Page 28

Deployment of New Root CA Cert

• Avaya hard phones get their TLS settings from the 46xxsettings.txt file

• Keep the existing CA for now. Remove it only once you have tested with the new Identity Cert

• Phones must be rebooted to re-process the 46xxsettings.txt file

Page 29

Migration Strategy

• Identify overall Certificate Authority strategy (Public CA, Enterprise CA, SMGR CA, Hybrid)

• Inventory infrastructure to determine which Certs need to be upgraded and who will need a copy of its Root CA Certificates

• Create new Identity Certs (via CSR, when available).

• Obtain and Deploy the Root CAs associated with the new Identity Certs

• Install new Identity Certs and Test Functionality

• Remove old Root CAs

Page 30

Replace Identity Certs

Page 31

Replace Identity Certs – Security Module SIP

Page 32

Replace Identity Certs - Security Module SIP

Page 33

Replace Identity Certs - HTTPS

Page 34

Check the Compliance Status

Page 35

Migration Strategy

• Identify overall Certificate Authority strategy (Public CA, Enterprise CA, SMGR CA, Hybrid)

• Inventory infrastructure to determine which Certs need to be upgraded and who will need a copy of its Root CA Certificates

• Create new Identity Certs (via CSR, when available).

• Obtain and Deploy the Root CAs associated with the new Identity Certs

• Install new Identity Certs and Test Functionality

• Remove old Root CAs

Page 36

Migration Strategy - Remove Old Root CAs

• Be VERY careful when doing this. Make sure there are no remaining identity certs signed by the old CA: any element still presenting one stops being trusted the moment the old root is removed.

• CM must be restarted

Page 37

Migration Strategy - Remove Old Root CAs

• Be VERY careful when doing this. Make sure there are no remaining identity certs signed by the old CA: any phone or element still presenting one stops being trusted the moment the old root is removed.

• Phones must be rebooted
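The "be VERY careful" check on slides 36 and 37 is easy to state and easy to skip. The following is an added example, not from this deck or from any Avaya tool, that turns it into a gate: every identity cert collected during the inventory step is checked for which root it chains to, for the RSA key size slide 3 objects to (1024 versus 2048 bits), and for imminent expiry, and the old root may only be removed when the audit returns success. The certificates it audits are constructed here as throwaway fixtures (an "old-root"-signed 1024-bit cert standing in for a demo-style cert, and a re-issued 2048-bit cert under "new-root"); in practice the directory would hold certificates exported from the real elements. The names and hostnames are assumptions.

```shell
#!/bin/sh
# Added example (not from the RMAUG deck or from Avaya): audit a directory of
# identity certs before the old Root CA is removed from any trust store.
# Constructed fixtures stand in for certs copied off real elements; all names
# and hostnames are illustrative assumptions.
set -eu

# cert_bits FILE : public key size in bits (matches the RSA and EC text forms of every OpenSSL release)
cert_bits() {
  openssl x509 -in "$1" -noout -text | grep -o 'Public-Key: ([0-9]* bit)' | grep -o '[0-9]*'
}

# chains_to ROOT FILE : exit 0 if FILE was issued under ROOT
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# expires_within DAYS FILE : exit 0 if FILE's notAfter is less than DAYS days away
expires_within() { ! openssl x509 -in "$2" -noout -checkend "$(( $1 * 86400 ))" >/dev/null; }

# audit CERTDIR OLD_ROOT NEW_ROOT : one report line per cert. Returns 0 only when
# nothing chains to the old root, nothing has an unknown issuer and no key is
# weaker than 2048 bits; that is, only when removing OLD_ROOT breaks nothing.
audit() {
  rc=0
  for c in "$1"/*.pem; do
    flags=""
    if chains_to "$2" "$c"; then flags="$flags OLD-ROOT"; rc=1; fi
    chains_to "$3" "$c" && flags="$flags new-root"
    chains_to "$2" "$c" || chains_to "$3" "$c" || { flags="$flags UNKNOWN-ISSUER"; rc=1; }
    bits=$(cert_bits "$c")
    [ "$bits" -ge 2048 ] || { flags="$flags WEAK-KEY($bits)"; rc=1; }
    expires_within 30 "$c" && flags="$flags EXPIRING"
    printf '%-28s %5s bits %s\n' "$(basename "$c")" "$bits" "$flags"
  done
  return $rc
}

# newcert DIR NAME BITS DAYS ISSUER : fixture only. ISSUER is "self" for a root
# (self-signed with CA extensions) or the NAME of a root already in DIR.
newcert() {
  openssl req -new -config "$1/req.cnf" -newkey "rsa:$3" -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  if [ "$5" = self ]; then
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -sha256 -days "$4" \
      -extfile "$1/ca.ext" -out "$1/$2.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$5.pem" -CAkey "$1/$5.key" -CAcreateserial \
      -sha256 -days "$4" -out "$1/certs/$2.pem" 2>/dev/null
  fi
}

# mkfixture DIR : constructed sample inventory under DIR/certs plus the two roots
mkfixture() {
  d=$1; mkdir -p "$d/certs"
  printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\nCN = placeholder\n' > "$d/req.cnf"
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$d/ca.ext"
  newcert "$d" old-root 2048 3650 self       # the root being retired
  newcert "$d" new-root 2048 3650 self       # its replacement
  newcert "$d" cm1 1024 10 old-root          # demo-style: weak key, old issuer, about to expire
  newcert "$d" sm1 2048 365 new-root         # already re-issued under the new root
}

# Demo run: the gate refuses while cm1 is still in service, passes once it is re-issued
DEMO=$(mktemp -d)
mkfixture "$DEMO"
audit "$DEMO/certs" "$DEMO/old-root.pem" "$DEMO/new-root.pem" || echo ">> old root still in use: do NOT remove it yet"
rm "$DEMO/certs/cm1.pem"   # stands in for cm1 having been re-issued under the new root
audit "$DEMO/certs" "$DEMO/old-root.pem" "$DEMO/new-root.pem" && echo ">> safe to remove old root"
rm -rf "$DEMO"
```

Run the audit against the exported certs twice: once before touching any trust store, and again after the last re-issue, since an element that was missed in the inventory shows up here as OLD-ROOT or UNKNOWN-ISSUER rather than as an outage after the restart or phone reboot the slides call for.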

Page 38

Why do you need to understand Digital Certificates?

Introduction to PKI – Public Key Infrastructure

What is a Security Certificate?

What is a Certificate Authority?

Avaya’s use of Security Certificates

High-level deployment tasks

Specific example of deploying certificates

Introduction to Security Certificates

Page 39

Security Certificates: An Introduction