Plantronics + Polycom. Now together as Poly Logo

the certificate cma self-signed certificate will expire February 2019

Frequent Advisor

Re: the certificate cma self-signed certificate will expire February 2019

Hello Stefen,

 

Thank you for you response.

 

Because it is not clear enough from the documentaion what is the procedure to update the expiring self signed certificate, as a matter of fact it is not even mentioned such a procedure, I am focusing to using a public ca certificate.

 

The documentation doesn't mention what specifications must the certificate follow.

Should the rsa key be 1024 or 2048, does it use rsa or dh, tha sha encryption must be only sha1.

 

Can you share the full specs of the certificates needed cause I don't want to buy one that the CMA won't accept.

Message 11 of 80
Polycom Employee

Re: the certificate cma self-signed certificate will expire February 2019

The CMA takes a certificate with an sha1RSA signature algorithm and an RSA 1024 bit public key.

 

 

Michael K. Bromley, CVE, CCENT, WCNA, VCA-DCV
Technical Lead
Infrastructure Technical Support Center
Message 12 of 80
Frequent Advisor

Re: the certificate cma self-signed certificate will expire February 2019

Hello Mike,

 

Thank you very much for your response.

One final question in page 446 it is mentioned the following

 

Participation in a Public Key Infrastructure requires a CMA system to have
been configured with at least one root CA certificate, a current certificate
revocation list (CRL) from the CA, and a digital certificate signed by the CA
that identifies the CMA system.

Does this mean I must have three files? The root CA certificate, the CRL and the digital certificate or the root CA certificate is the digital certificate?

 

Thank you again for your time.

Message 13 of 80
Polycom Employee

Re: the certificate cma self-signed certificate will expire February 2019

If you are planning on putting a third party certificate on the CMA you will have at least 2 files; the host certificate and a CA (certificate authority) certificate. You may have more than one CA certificate. Some certificate vendors will supply one or more intermediate CA certificates and a root CA certificate. If you are getting your host certificate from a local CA within your domain you will most likely not have any intermediate CA certificates.

 

Certificate Revocation Lists (CRLs) are optional. Some Certificate Authorities provide for them and some do not.

 

 

Michael K. Bromley, CVE, CCENT, WCNA, VCA-DCV
Technical Lead
Infrastructure Technical Support Center
Message 14 of 80
Frequent Advisor

Re: the certificate cma self-signed certificate will expire February 2019

Hello Mike,

 

As you seem that you have deeper knowledge on the matter, does the CMA officially support re-issuning a self signed certificate? Can I consider it as a solution?

 

I am asking because in the CMA operational manual, a procedure to install a CA certificate is described but nothing how to renew the self signed one.

Steffen mentioned that you can do it with an IIS but I am afraid uploading one with the same characteristics might not even be recognised from the system because the system expects only a third party CA certificate and not a self signed.

 

Finally from your experience, what happens if the certificate expires without replacing it or renewing it? The installation that I manage has one RMX system included and many vsx/hdx units.

Will everything stops functioning or I will lose only the web interface of the system? Does the RMX still functions?

 

Thank you for your time and effort.

 

 

Message 15 of 80
Polycom Employee

Re: the certificate cma self-signed certificate will expire February 2019

Certificates do 2 things; they establish trust that the server you are connected to is really the one you wanted to connect to and they provide the keys necessary to encypt the traffic. 

 

Self-signed certificates are never considered trusted. The trust is established when the certificate is issued by a trusted certificate authority. But they will still encrypt the traffic. An expired certificate, self-signed or third party, will still encrypt traffic after the expiration date. An expired certificate is also not considered trusted. You will get a notice/error in your browser the the connection isn't secure but that's based on the trust issue. The data is still encrypted. I don't see any reason for the system to just stop working because the certificate has expired but that's just my opinion.

 

If your local domain issues certificates then they can be installed on the CMA. I do that here in my lab for all of our infrastructure. But there is no way to locally regenerate a CMA self-signed certificate. The CMA doesn't use IIS. It uses Apache. The self-signed certificate issued with the CMA was generated outside the system and supplied with the software. There is no facility on the CMA server itself to regenerate the certificate.

 

 

Michael K. Bromley, CVE, CCENT, WCNA, VCA-DCV
Technical Lead
Infrastructure Technical Support Center
Message 16 of 80
Frequent Advisor

Re: the certificate cma self-signed certificate will expire February 2019

Hello Mike,

 

Thank you again for your explanation.

 

You mention

 


@MikeB wrote:

The self-signed certificate issued with the CMA was generated outside the system and supplied with the software. There is no facility on the CMA server itself to regenerate the certificate.


I was thinking the same, to re-generate a self-signed certificate outside of the system (e.g. on a Centos server with openssl) and then import it through the web interface of the CMA. Do you think that this will work?

 

If not then from what you have written, my only valid option is to import a signed certificate from a CA (local or external). 

 

Thank you again for your time and effort.

Message 17 of 80
Polycom Employee

Re: the certificate cma self-signed certificate will expire February 2019

I don't see any reason why generating a certificate using openssl on a CentOS server wouldn't work. I generate mine using the certificate services on my WIndows domain controller but that's just because it's easier. You would still need to create a certificate signing request (CSR) on the CMA server or the private keys won't match. Technically, if you generate a certificate with openssl it wouldn't be a self-signed certificate but it should still work.

 

 

Michael K. Bromley, CVE, CCENT, WCNA, VCA-DCV
Technical Lead
Infrastructure Technical Support Center
Message 18 of 80
Occasional Visitor

Re: the certificate cma self-signed certificate will expire February 2019

I'm also experiencing the same system alert for CMA 5000, please help!
Message 19 of 80
Highlighted
Polycom Employee

Re: the certificate cma self-signed certificate will expire February 2019

Other then what's already been posted in this thread I'm afraid I can't provide any more assistance. The CMA platform is over 10 years old and has been in an End of Service status since 2015-06-01.

 

At this point your options are:

1) Ignore the alert

2) Install a local domain certificate

3) Install a 3rd party certificate.

 

 

Michael K. Bromley, CVE, CCENT, WCNA, VCA-DCV
Technical Lead
Infrastructure Technical Support Center
Message 20 of 80