Preparation
It is that time of the year when you need to renew the wildcard SSL certificates used in your AudioCodes estate. You have been here before, or it could be your first time, taking over administration of the devices from an engineer who has perhaps left your organisation. This should be easy: you have requested and installed certificates numerous times.
- Take a backup of the configuration file
- Take a backup of the OVOC appliance and the SBCs
You never know, right? Taking a backup of the configuration file may not be necessary, but it is only going to take an extra minute.
Log into the SBC web admin portal
Click on Actions > Configuration File
This loads up the Configuration File page. In the INI File section, click the Save INI File button to save the configuration file for the appliance.
- Generate your Certificate Signing Request
What you must NOT do is generate the CSR from the SBC or OVOC if you plan on using a wildcard certificate for these devices.
Do NOT go to SETUP > IP NETWORK > SECURITY > TLS Contexts > Change Certificates
Rather, use the DigiCert Certificate Utility for Windows or some other tool to do this.
- Submit CSR to your Certificate Authority
- Download your issued certificates
Your certificate files could include (depending on your download selection) .crt, .cer, or .pem files.
- Import downloaded certificates into DigiCert utility
Next, you export the certificate by clicking the Export Certificate button in the tool.
- Copy exported certificate with private key into the /home/acems/server_certs/ directory in OVOC
- If this directory does not exist, you may need to create it by issuing the following commands:
  mkdir /home/acems/server_certs
  chmod 777 /home/acems/server_certs
- Install the certificate following these steps
- SSH into the OVOC appliance and, once signed in, su to root.
- Type EmsServerManager to load the OVOC Server Management menu.
Installation of the wildcard SSL certificate in OVOC
Unlike on the SBCs, certificate installation in OVOC has to be done over SSH.
This brings you into the Security menu. Select option 11: Server Certificate Updates
Select option 3: Import Server Certificates from Certificate Authority (CA)
Then this happened.
A quick recap of everything we have done so far.
- Generated CSR using DigiCertUtil.exe
- Submitted CSR to CA
- Downloaded certificates from CA
- Imported certificate into DigiCertUtil.exe
- Exported the certificate with the private key
- Ensured the certificate files followed the correct naming convention
- Imported the certificate files into the OVOC appliance using WinSCP
- Ensured they were uploaded into the correct directory
- Attempted to import the certificate using PuTTY
- Error
I ran through all of AudioCodes' documentation; it all checked out. Their documentation, where it was correct, was based on the assumption that the CSR was generated from OVOC, which is possible but would be useless in a wildcard certificate scenario.
The error above referred to a “SEM PKCS#12 file” which failed to be generated.
I decided to use openssl to remedy the situation.
My attempts to create a PKCS#12 file from the .crt file, whilst successful, were not recognised by OVOC. Other things I did at this point included raising a support ticket with AudioCodes and getting their engineers and their R&D team involved. Well, they all agreed that I should not have used DigiCert to generate the CSR because, as one of them put it, “how will the certificate know of the private key”. The support engineer went a step further and said I ought to follow the documentation, which, after we all reviewed it together, we saw was lacking in detail.
We also checked the crt files downloaded from the CA to ensure they were OK. The DigiCert Utility has a feature to test private keys and it all came back as passed when I ran the test.
We also had a look at the contents of the crt files comparing the intermediate and root certificates. All checked out OK.
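The checks described above (does the private key belong to the certificate, do the intermediate and root certificates chain correctly, can a PKCS#12 bundle be built from them) can be run with openssl before anything is copied into the OVOC directory. The script below is an added example, not part of the original post and not AudioCodes or DigiCert tooling; it assumes openssl is on the PATH, and the file names, the throwaway CA and the "*.example.test" subject in make_fixture are constructed for the demo. The file names OVOC itself expects are not covered here.

```shell
#!/bin/sh
# Added example: pre-flight checks with openssl before uploading certificate
# material to OVOC. Assumes openssl is installed; file names are placeholders.

# cert_key_match CERT KEY: return 0 when the public key inside CERT equals the
# public key derived from KEY. This is the mechanical answer to "how will the
# certificate know of the private key": they share a public key, or they don't.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# chain_verifies CERT CHAIN: return 0 when CERT verifies against the CA bundle
# (intermediate plus root) in CHAIN.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# build_pkcs12 CERT KEY CHAIN OUT PASSWORD: refuse to build the bundle unless
# the key matches and the chain verifies, so a missing or wrong key file is
# caught here rather than by an opaque "PKCS#12 file failed" message later.
build_pkcs12() {
    cert_key_match "$1" "$2" || { echo "refusing: key does not match $1" >&2; return 1; }
    chain_verifies "$1" "$3" || { echo "refusing: $1 does not verify against $3" >&2; return 1; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5" 2>/dev/null
}

# pkcs12_readable FILE PASSWORD: return 0 when the bundle parses and its MAC
# verifies with PASSWORD.
pkcs12_readable() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# make_fixture DIR: constructed material for the demo only. A throwaway CA, a
# wildcard leaf signed by it, and an unrelated key that must be rejected.
make_fixture() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.crt" -subj "/CN=Constructed Test CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=*.example.test" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/leaf.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" 2>/dev/null
}

# Usage: sh check_certs.sh server.crt server.key chain.crt server.p12 PASSWORD
# Run this on the workstation holding the DigiCert export before the WinSCP
# copy; the key file is sensitive, so delete working copies once OVOC imports.
if [ $# -eq 5 ]; then
    build_pkcs12 "$1" "$2" "$3" "$4" "$5" && echo "built $4"
fi
```

Running the script against the exported .crt, the exported key and the CA chain tells you in seconds whether the three files belong together; in the situation described in this post, the absent key file would have failed cert_key_match immediately.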
By this time I had spent a good few hours on this supposedly bog-standard change. The saving grace was the fact that the SBCs were not affected, so there was no immediate discernible service outage that could impact users.
I took some time off the case, went weeding. A few hours later, a colleague and I decided to go through everything again, and I spotted an option in DigiCertUtil.exe that I had used previously to download a certificate file but had forgotten about in the “fog of war.”
After exporting the key file, I cleared out (again) the files in the OVOC directory via WinSCP, and replaced them with the appropriate files including the newly exported key file.
I ran through the installation steps again from EmsServerManager in the PuTTY session in OVOC and this time around got this:
That was it. OVOC became responsive, all alarms cleared and I could go back to my plot.