replacing certificates on 3300 MCD

[iggypops]

Hi,
I noticed IE and FF have many problems now when accessing MCD servers we have with FF for instance reporting "Secure Connection Failed - SEC_ERROR_REUSED_ISSUER_AND_SERIAL" and Chrome reports "net::ERR_CERT_AUTHORITY_INVALID"
Certificates presented by MCD servers have ssuer CN=Mitel Networks ICP CA

I want to replace certs with standard web server certs signed by StartSSL.
Would it be a problem if I replace all MCD certificates with a standard web server cert with Key Usage (Digital Signature, Key Encipherment)?
Or do Mitel MCD components require Issuer to be "Mitel Networks ICP CA" for whatever reason?

[acejavelin]

Hi,
I noticed IE and FF have many problems now when accessing MCD servers we have with FF for instance reporting "Secure Connection Failed - SEC_ERROR_REUSED_ISSUER_AND_SERIAL" and Chrome reports "net::ERR_CERT_AUTHORITY_INVALID"
Certificates presented by MCD servers have ssuer CN=Mitel Networks ICP CA

I want to replace certs with standard web server certs signed by StartSSL.
Would it be a problem if I replace all MCD certificates with a standard web server cert with Key Usage (Digital Signature, Key Encipherment)?
Or do Mitel MCD components require Issuer to be "Mitel Networks ICP CA" for whatever reason?

Only IE and FireFox work, Chrome is not supported... Have you imported the Mitel Root Certificate? (look at bottom right of logon page)

I don't know if it is even possible (normally) to replace the SSL cert in MCD.

[iggypops]

Thanks acejavelin, the ERR_CERT_AUTHORITY_INVALID on certificate presented by MCDs indicates that it is not in the Trusted Root Certification Authorities store on windows machine I am viewing it from. I can see the "Mitel Networks Root CA" in certificate chain is on the top of the chain and is not signed by any public CA. So it seems then we have to deploy " Mitel Networks Root CA" on all machines that need access to MCD servers.

[iboyd]

As a rule right now I don't install any Mitel Certificates, I just add the exception into FF.  How ever I do have 17 different Mitel Servers that don't talk to each other, so it is to crazy to attempt to get their various certificates under control.  Is there any need for it now?

[acejavelin]

Thanks acejavelin, the ERR_CERT_AUTHORITY_INVALID on certificate presented by MCDs indicates that it is not in the Trusted Root Certification Authorities store on windows machine I am viewing it from. I can see the "Mitel Networks Root CA" in certificate chain is on the top of the chain and is not signed by any public CA. So it seems then we have to deploy " Mitel Networks Root CA" on all machines that need access to MCD servers.

Yes, this is what we do.

As a rule right now I don't install any Mitel Certificates, I just add the exception into FF.  How ever I do have 17 different Mitel Servers that don't talk to each other, so it is to crazy to attempt to get their various certificates under control.  Is there any need for it now?

If you install the Mitel Root Certificate, it applies to all systems.

[iboyd]

[/size][size=0px]If you install the Mitel Root Certificate, it applies to all systems.[/size][/size]

I tried that once, and then went to Mitel #2 and it balked at me.  Do all MCD's need to be at the same level?


-Ian

[johnp]

I think the ability to upload a certificate was added recently

[eugenej]

I think the ability to upload a certificate was added recently

Indeed it has. I have it on my system.