Approaches for securing your Avaya Aura environment.
Every week I speak to one or two customers that ask the same questions – what do I need to do to deploy certificates in my environment and what is the best way to do that? Customers need to deploy certificates into their UC infrastructure to effectively secure communications. Avaya provides a certificate authority (CA) as part of System Manager. System Manager makes it easy for UC administrators to deploy certificates for Avaya products, but this is just one option and may not be ideal for all customers. Let’s look at several different deployment options, pros and cons, and conclude with the approach I suggest to customers.
But First – Remember what a CA does
A certificate authority issues certificates to allow systems to validate the identity of the server they are connecting to – that simple! That is not to say that the process cannot become complex, but one system will trust another system based on the certificate it presents. The certificate is always signed. The notion here is that if you trust the signer of the certificate, then you can trust the certificate. For example, a passport is a certificate. Any border agent will trust the certificate not because it has your name and picture on it, but rather because it is signed by the government. Also – just like computer certificates, there is digital encryption to back up the signature to ensure it is not counterfeit.
Using System Manager as your CA
Avaya provides a CA as part of System Manager. This allows UC administrators to be nimble in assigning and renewing certificates for their environment without the need to go to others in their organization or to an external certificate authority.
- Pros
  - Works out of the box.
  - Automatically issues and deploys certificates for managed systems such as Session Manager and Breeze!
  - Aura environment stands alone and does not require any other system.
  - No additional costs and the certificates are free.
- Cons
  - The System Manager Public Key Infrastructure (PKI) is independent of any other PKI.
  - No enterprise branding.
  - Must distribute the System Manager root certificate to endpoints and systems.
  - Your IT or Security department may not trust System Manager, or your telecom administrators, with the task of generating certificates. They also may not allow the use of a CA that is not under their control.
Using a private or public certificate authority.
Your company may run a certificate authority, or may mandate that you use a public certificate authority – like Verisign or GoDaddy.
- Pros
  - Provides enterprise-asserted trust.
  - Certificates may already be distributed to client devices. For example – computers on a Windows domain will trust certificates generated by the domain CA.
  - Relatively straightforward deployment.
- Cons
  - Must manually establish the PKI trust chain to Aura managed devices.
  - Must create certificate signing requests (CSRs) and import identity certificates.
  - No automatic issue or re-issue of certificates for managed devices.
  - Usually need to work with an external group to issue certificates, which can cause delays or errors in certificate creation.
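The CSR, signing and trust-chain steps that come with a private or public CA, walked through with OpenSSL as an added example (not from the original post and not Avaya tooling). The lab CAs, the host name sm1.example.com and all file names are constructed; importing the result into Aura is not shown.

```shell
#!/bin/sh
# Added example: constructed lab CA and hypothetical host name; not Avaya tooling.
set -eu
FQDN="sm1.example.com"                 # hypothetical managed-system FQDN
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Stand-in for a CA. $1 = file prefix, $2 = CA common name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/O=Example Corp/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# On the managed system: create key pair and CSR. The private key stays on the host.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Corp/CN=$FQDN" \
    -addext "subjectAltName=DNS:$FQDN" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# At the CA: the issuer decides which extensions go into the identity certificate.
sign_csr() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$FQDN" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/ext.cnf" \
    -out "$WORK/server.pem" 2>/dev/null
}

# At a relying party: accept the certificate only if it chains to the root in $1.
verify_chain() { openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1; }

# SAN entries actually present in the issued certificate.
issued_san() { openssl x509 -in "$WORK/server.pem" -noout -text | grep -o 'DNS:[A-Za-z0-9.-]*'; }

make_ca ca "Example Lab Root CA"       # the CA that issues the certificate
make_ca other "Unrelated Root CA"      # a root the issuer has no relation to
make_csr
sign_csr
echo "SAN in issued certificate: $(issued_san)"
if verify_chain "$WORK/ca.pem"; then echo "endpoint holding the issuing root: trusted"; fi
if ! verify_chain "$WORK/other.pem"; then echo "endpoint without the issuing root: rejected"; fi
```

The second check is the reason the issuing CA's root has to be present on every endpoint and system that will connect: without it, a correctly issued identity certificate is still rejected.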
Distributing certificates