Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Solution Type: Technical Instruction Sure
Solution 1598288.1: Transport Layer Security Certificate Update Procedure
Applies to:
Acme Packet 4500 - Version All Versions and later
Net-Net 3810 - Version All Versions and later
Acme Packet 3820 - Version All Versions and later
Acme Packet OS

Goal
Transport Layer Security (TLS) certificate update procedure.

Solution
Below is a 3 phase procedure to update a certificate.

Generating a certificate:

I. Create a new end entity certificate for the Session Director (SD)

1a. Verify which SD is the Active SD with health score 100 by typing: show health.
1b. Verify the current and running configuration versions are the same on both Active and Standby SD. Issue the command display-current-cfg-version followed by display-running-cfg-version on both Active and Standby to verify the version numbers.
2. Open a log session to capture all console output from both SDs.
3. On the Active SD, go to the configure terminal mode -> security -> certificate-record.
4. Create a new certificate record with an appropriate common-name parameter.
5. Exit all the way out of configure mode back to the superuser command prompt.
6. Issue a save-config followed by an activate-config command.
7. Verify that the current and running configuration versions are the same on both Active and Standby SD. Issue the command display-current-cfg-version followed by display-running-cfg-version on both Active and Standby to verify the version numbers.
8. On the Active SD, issue generate-certificate-request <new certificate-record-name>.
9. The system will warn the user that the configuration has been changed and a save-config is required.
10. Issue a save-config followed by an activate-config command.
11. Verify that the current and running configuration versions are the same on both Active and Standby SD. Issue the command display-current-cfg-version followed by display-running-cfg-version on both Active and Standby to verify the version numbers.
12. Submit the output from Step 8 (i.e. a certificate signing request) to a Certificate Authority (e.g. OpenSSL) and obtain the corresponding certificate.
13. Import the certificate obtained from the Certificate Authority by issuing the command import-certificate try-all <new certificate-record-name>. After pasting the certificate, terminate it with a semicolon ";" in order to exit entry mode.
14. The system will report a successful import by printing "Certificate imported successfully...." in the command output.
15. The system will warn the user that the configuration has been changed and a save-config is required.
16. Issue a save-config followed by an activate-config command.
17. Verify that the current and running configuration versions are the same on both Active and Standby SD. Issue the command display-current-cfg-version followed by display-running-cfg-version on both Active and Standby to verify the version numbers.

II. Activating the new end-entity certificate on the SD

1. On the Active SD, verify the currently established TLS connections by issuing the command show ip connections.
2. Verify the tls-profile is configured for the intended sip-interface by issuing the command show run sip-interface <sip-interface-name>.
3. Verify the end-entity certificate configured for the tls-profile obtained in section 2 step 1 by issuing the command show run tls-profile <tls-profile-name>.
4. On the Active SD:
   a. Enter the configure terminal mode and go to "configure terminal -> security -> tls-profile".
   b. Issue a "select" to select the tls-profile name from section 2 step 3.
   c. Change the "end-entity-certificate" to the new certificate created in section 1 step 4 and issue a "done" command.
5. Exit all the way out of configure mode back to the superuser command prompt.
6. Issue a save-config followed by an activate-config command.
7. Verify that the current and running configuration versions are the same on both Active and Standby SD. Issue the command display-current-cfg-version followed by display-running-cfg-version on both Active and Standby to verify the version numbers.
8. Verify the new certificate is in place by issuing show run tls-profile.
9. The new certificate on the SD has been activated. The SD will present this new certificate only when it negotiates a new TLS connection. All the old TLS connections will remain established until terminated by the endpoint or by the SD due to inactivity.
10. Verify the old TLS connections are still up by issuing the command show ip connections and checking that the IP address:port pairs are the same as in section 2 step 1.
11. Verify that call processing and registrations are normal on the Active SD.
   a. Type: show sip invite
   b. Type: show sessions
   c. Type: show registrations

III. Deleting the old certificate-record

1. Since the certificate is only needed at the time of negotiating and establishing the TLS connection, all the established TLS connections stay connected even after the old certificate is deleted. All new TLS connections use the newly activated certificate. Therefore it is safe to delete the old certificate-record from the SD.
   a. Go to "configure terminal -> security -> certificate-record".
   b. Issue a "no" and then the index number of the certificate-record to be deleted.
2. Exit all the way out of configure mode back to the superuser command prompt.
3. Issue a save-config followed by an activate-config command.
4. Verify that the current and running configuration versions are the same on both Active and Standby SD. Issue the command display-current-cfg-version followed by display-running-cfg-version on both Active and Standby to verify the version numbers.
5. Verify the old TLS connections are still up by issuing the command show ip connections and checking that the IP address:port pairs are the same as in section 2 step 1.
6. Verify that call processing and registrations are normal on the Active SD by repeating section 2 step 10.
   a. Type: show sip invite
   b. Type: show sessions
   c. Type: show registrations
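Steps I.12 and I.13 hand the SD's certificate signing request to a CA and paste the signed certificate back. The following shell script is an added example and is not part of the Oracle solution or of Acme Packet OS: it builds a throw-away lab CA with the OpenSSL CLI, signs a CSR, and runs the two checks worth doing before the import (the certificate chains to the CA, and it carries the same public key as the CSR, so the SD can actually use it). The CSR is generated locally here only as a stand-in for the output of generate-certificate-request; on a real SD you would paste that output into the sd.csr file instead. The common name sbc1.example.net, the extendedKeyUsage values and the WORK directory are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the Oracle solution: a lab CA (OpenSSL CLI) that
# signs the SD's CSR from step I.8 and checks the result before step I.13.
# WORK is a scratch directory (assumption); the CSR generated below is a
# stand-in for the SD's generate-certificate-request output (assumption).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throw-away CA for the lab. In production the CSR goes to the organisation's real CA.
make_lab_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -subj "/CN=Lab SBC CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Stand-in for the SD's CSR. On a real SD, paste the output of
# "generate-certificate-request <record>" into $WORK/sd.csr instead.
make_stand_in_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$1" \
        -keyout "$WORK/sd.key" -out "$WORK/sd.csr" 2>/dev/null
}

# Sign the CSR. The extensions are assumed values for a SIP/TLS endpoint that
# both accepts and initiates TLS connections.
sign_sd_csr() {
    printf 'extendedKeyUsage=serverAuth,clientAuth\nbasicConstraints=CA:FALSE\n' \
        > "$WORK/sd.ext"
    openssl x509 -req -in "$WORK/sd.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/sd.ext" \
        -out "$WORK/sd.crt" 2>/dev/null
}

# Pre-import checks: the certificate must chain to the CA, and its public key
# must equal the CSR's public key (a certificate for any other key would be
# useless to the SD, which holds the private key of the CSR it generated).
check_signed_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/sd.crt" >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -in "$WORK/sd.csr" -noout -pubkey)
    crt_pub=$(openssl x509 -in "$WORK/sd.crt" -noout -pubkey)
    [ "$csr_pub" = "$crt_pub" ] || return 1
    return 0
}

# Subject CN of the signed certificate, to compare with the certificate-record's common-name.
signed_cert_cn() {
    openssl x509 -in "$WORK/sd.crt" -noout -subject | sed 's/.*CN *= *//'
}

# The PEM block to paste at "import-certificate try-all <record>"; the trailing
# ";" line is the ACLI entry-mode terminator from step I.13.
paste_payload() {
    cat "$WORK/sd.crt"
    echo ";"
}

main() {
    make_lab_ca
    make_stand_in_csr "sbc1.example.net"
    sign_sd_csr
    check_signed_cert && echo "certificate chains to CA and matches CSR key"
    echo "CN=$(signed_cert_cn)"
    paste_payload
}

main
```

The public-key comparison is the check that catches the most common import failure: a CA operator re-keying or issuing from a different request. Compare the printed CN with the common-name set in step I.4 before pasting; the SD's "Certificate imported successfully" message in step I.14 confirms the import, not that the certificate matches the intended record.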
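Sections II step 10 and III step 5 rely on the point made in III step 1: a certificate is only consulted during the TLS handshake, so activating or deleting a record must not drop established sessions. The script below is an added example, not part of the Oracle solution, that compares a capture of show ip connections taken before the change (section II step 1) with one taken afterwards and reports any TLS connection that disappeared. The capture format, the addresses and the ports are constructed for this example and are an assumption; adapt the awk field positions to the SD's real output.

```shell
#!/bin/sh
# Added example, not from the Oracle solution: diff two "show ip connections"
# captures (before and after the certificate change) and list TLS connections
# that were present before but are gone afterwards. The capture lines below
# are constructed; the column layout is an assumption about the SD's output.
set -eu

# Constructed capture from section II step 1 (before the tls-profile change).
BEFORE='TLS  192.0.2.10:5061   198.51.100.7:41234   ESTABLISHED
TLS  192.0.2.10:5061   198.51.100.8:50211   ESTABLISHED
TCP  192.0.2.10:5060   203.0.113.5:5060     ESTABLISHED'

# Constructed capture from section II step 10: one old TLS session is missing,
# and a new endpoint has connected (which the check correctly ignores).
AFTER='TLS  192.0.2.10:5061   198.51.100.7:41234   ESTABLISHED
TCP  192.0.2.10:5060   203.0.113.5:5060     ESTABLISHED
TLS  192.0.2.10:5061   198.51.100.9:60010   ESTABLISHED'

# Extract "local remote" endpoint pairs of TLS connections, sorted for comm.
tls_pairs() {
    printf '%s\n' "$1" | awk '$1 == "TLS" { print $2, $3 }' | sort
}

# Print endpoint pairs present in $1 (before) but absent in $2 (after).
# Exit status 0 when nothing was dropped, 1 otherwise.
dropped_tls() {
    before_tmp=$(mktemp)
    after_tmp=$(mktemp)
    tls_pairs "$1" > "$before_tmp"
    tls_pairs "$2" > "$after_tmp"
    comm -23 "$before_tmp" "$after_tmp"
    n=$(comm -23 "$before_tmp" "$after_tmp" | wc -l | tr -d ' ')
    rm -f "$before_tmp" "$after_tmp"
    [ "$n" -eq 0 ]
}

if dropped_tls "$BEFORE" "$AFTER"; then
    echo "all pre-change TLS connections are still established"
else
    echo "WARNING: the TLS connections listed above were dropped after the change"
fi
```

A dropped session immediately after activate-config points at something other than the certificate swap (an endpoint reconnecting, or an inactivity timer expiring); a session that survives the swap and the deletion in section III confirms the behaviour the procedure describes, since the old record is no longer present to be used.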