
Note

Replacing a certificate can affect service: while the old certificate is being swapped for the new one, no new TLS sessions are established. Sessions that are already established are maintained.


Note

Renewing a certificate (that is, replacing the clientCertName and/or serverCertName in a tlsProfile) takes effect immediately for new TLS connections. Existing, active TLS sessions keep using the old certificate until they are torn down.

A typical case in which the SBC keeps presenting the old certificate after renewal is a TLS connection to an ipPeer with pathCheck enabled. The periodic SIP OPTIONS pings generated by the pathCheck task act as a keep-alive that keeps the TLS session between the SBC and the remote peer open, so the session is never re-established on its own. The SBC checks regularly for expired certificates with the certExpiryCheck feature (Certificate Expiry Check - CLI). Once the old certificate reaches its expiry date, certExpiryCheck detects it and tears down every TLS connection that uses the expired certificate. The next SIP message the SBC sends towards the peer (including a pathCheck SIP OPTIONS ping) then initiates a new TLS connection using the renewed certificate. If you rely on this, the old certificate is presented right up to its expiry and the cut-over happens at a time you do not control; force the reconnect in a maintenance window instead if that matters.

To force the SBC to use the new certificate on TLS connections that were already active when the certificate was renewed, you must disconnect those connections and let them re-establish. Currently, the only available ways to forcibly disconnect existing TLS sessions are a manual node switchover, bouncing the ipInterface, or bouncing the sipSigPort.

Local Certificates

  1. Generate the new local certificate the same way you generated the old one: keep the same Subject and SAN/CN details, and submit the old certificate's CSR file to the CA so the new certificate carries the same identity. Because a CSR is bound to a key pair, re-signing the old CSR reuses the existing private key; if that key may have been exposed, generate a new key pair and CSR instead. To import local certificates, refer to PKI Security - CLI > Local-Internal Certificates.
  2. Have the same CA that signed the old certificate sign the new one, with an extended validity period.
  3. Import the new local certificate into the SBC and enable it.

    Code Block
    set system security pki certificate <NEW PKI Certificate Name> fileName <p12 filename> type local passPhrase <passPhrase> state enabled
    commit


  4. Find all TLS profiles that reference the current local certificate (as serverCertName and/or clientCertName).
  5. Schedule a maintenance window. In it, replace the old certificate with the new one in every TLS profile that uses the old/expired certificate, then disable and delete the old certificate.

    Code Block
    set profiles security tlsProfile <Existing TLS Profile Name> serverCertName <NEW PKI Certificate Name>
    set profiles security tlsProfile <Existing TLS Profile Name> clientCertName <NEW PKI Certificate Name>
    commit
    
    set system security pki certificate <OLD PKI Certificate Name> state disabled
    
    delete system security pki certificate <OLD PKI Certificate Name>
    commit
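
Before importing the renewed certificate (steps 1 to 3 above), it is worth checking off-box that it really is a like-for-like renewal and that the PKCS#12 bundle opens with the passphrase you are about to type into the SBC. The following script is an added example, not Ribbon's code or part of this page's procedure: it builds a constructed throwaway CA, one SBC key pair and CSR, an "old" certificate that is about to expire and a "new" one re-signed from the same CSR, then verifies that the new certificate keeps the Subject, SAN and issuer, chains to the CA, and has enough validity left, and finally bundles it into a p12. The CN sbc1.example.com, the CA name, the file names and the passphrase are assumptions.

```shell
#!/bin/sh
# Added example (not Ribbon's code): pre-import checks for a renewed SBC local
# certificate, plus building the PKCS#12 file the "fileName <p12 filename>"
# import expects. The CA, key, CSR and certificates are constructed here with
# openssl so the script runs offline; the CN and passphrase are assumptions.
set -u

WORK=$(mktemp -d)          # fixtures live here; remove when done
CN="sbc1.example.com"      # assumed Subject CN / SAN of the SBC local cert

# sign CSR CERT DAYS: sign CSR into CERT for DAYS, keeping the SAN extension
sign() {
    openssl x509 -req -days "$3" -in "$1" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/san.cnf" -out "$2" 2>/dev/null
}

# Throwaway CA, one SBC key pair + CSR, an "old" cert with 2 days left and a
# "new" cert re-signed from the SAME CSR for 365 days (steps 1-2 of the
# procedure). "wrong.pem" has a different CN and is only a negative control.
make_fixtures() {
    printf 'subjectAltName=DNS:%s\n' "$CN" > "$WORK/san.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Lab CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$CN" \
        -keyout "$WORK/sbc.key" -out "$WORK/sbc.csr" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=other.example.com" \
        -keyout "$WORK/other.key" -out "$WORK/other.csr" 2>/dev/null
    sign "$WORK/sbc.csr"   "$WORK/old.pem"   2
    sign "$WORK/sbc.csr"   "$WORK/new.pem"   365
    sign "$WORK/other.csr" "$WORK/wrong.pem" 365
}

x509_field()  { openssl x509 -in "$1" -noout "$2"; }           # -subject / -issuer
san()         { openssl x509 -in "$1" -noout -ext subjectAltName; }
pubkey_hash() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }

# same_key OLD NEW: true when both carry the same public key, i.e. the old
# CSR (and therefore the old private key) was reused, as the procedure says.
same_key() { [ "$(pubkey_hash "$1")" = "$(pubkey_hash "$2")" ]; }

# check_renewal OLD NEW CAFILE MIN_DAYS: succeeds only if NEW has the same
# Subject, SAN and issuer as OLD, chains to CAFILE, and is still valid in
# MIN_DAYS days. Prints the reason for any failure.
check_renewal() {
    old="$1"; new="$2"; ca="$3"; min_days="$4"
    [ "$(x509_field "$old" -subject)" = "$(x509_field "$new" -subject)" ] \
        || { echo "FAIL: subject differs"; return 1; }
    [ "$(san "$old")" = "$(san "$new")" ] \
        || { echo "FAIL: SAN differs"; return 1; }
    [ "$(x509_field "$old" -issuer)" = "$(x509_field "$new" -issuer)" ] \
        || { echo "FAIL: issuer differs (not the same CA)"; return 1; }
    openssl verify -CAfile "$ca" "$new" >/dev/null 2>&1 \
        || { echo "FAIL: new cert does not chain to CA"; return 1; }
    openssl x509 -in "$new" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "FAIL: new cert expires within $min_days days"; return 1; }
    if same_key "$old" "$new"; then
        echo "OK: same key pair reused (acceptable only if the key was never exposed)"
    else
        echo "OK: new key pair"
    fi
}

# make_p12 KEY CERT CAFILE OUT PASSPHRASE: bundle for the SBC import, then
# re-open it to prove the passphrase and MAC are good before copying it over.
make_p12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" -passout "pass:$5" \
        && openssl pkcs12 -in "$4" -passin "pass:$5" -noout
}

make_fixtures
check_renewal "$WORK/old.pem" "$WORK/new.pem" "$WORK/ca.pem" 30
make_p12 "$WORK/sbc.key" "$WORK/new.pem" "$WORK/ca.pem" "$WORK/sbc-new.p12" 'ChangeMe'  # assumed passphrase
```

Run it against your real old certificate, the newly signed one and the CA chain by pointing check_renewal at those files instead of the fixtures. After step 5 has been committed, the matching post-change check from a host on the peer side is `openssl s_client -connect <SBC signaling IP>:<TLS sipSigPort> -showcerts`, comparing the presented certificate's `openssl x509 -noout -fingerprint -sha256` with that of the new certificate; a peer whose TLS session is kept alive by pathCheck will still show the old fingerprint until that session is bounced, as the notes above describe.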

