How to update CA root certificates
Last updated July, 2022
This article contains quick reference notes for moving trust configuration from the current self-signed Mindful SIP proxy TLS (intermediate root) certificates to the new CA root certificates. For each platform listed below, the configuration can be updated before the new certificates are required, so there should be no impact on regular operations.
Obtaining new certificates
The new CA root and intermediate certificates can be downloaded at https://www.entrust.com/resources/certificate-solutions/tools/root-certificate-downloads.
In the Entrust Root Certification Authority (G2) column, download the Root certificate and the (Non‐EV SSL) CA - L1K certificate.
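Before importing the downloaded files on any platform, it helps to confirm that both are unexpired CA certificates and that the intermediate chains to the root. The script below is an added example, not part of the original Mindful or Entrust documentation; it assumes OpenSSL 1.1.0 or later and PEM-encoded files, the file names are hypothetical, and make_constructed_pair only generates throwaway certificates for trying the check.

```shell
#!/bin/sh
# Added example: pre-import checks for a downloaded root + intermediate pair.
# check_ca_pair ROOT INTERMEDIATE [MIN_DAYS]  (file names are assumptions)
# Returns 0 only if both are CA certificates valid for at least MIN_DAYS
# (default 30), ROOT is self-signed, and INTERMEDIATE chains to ROOT.
check_ca_pair() {
    root=$1; inter=$2; secs=$(( ${3:-30} * 86400 ))
    for f in "$root" "$inter"; do
        openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null ||
            { echo "FAIL: $f unreadable, expired or expiring soon" >&2; return 1; }
        openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE' ||
            { echo "FAIL: $f is not a CA certificate" >&2; return 1; }
    done
    # -no-CApath: ignore the system trust directory so only ROOT can anchor.
    # A trust anchor must verify against itself.
    openssl verify -no-CApath -CAfile "$root" "$root" >/dev/null 2>&1 ||
        { echo "FAIL: $root is not a self-signed root" >&2; return 1; }
    # The intermediate must be issued by that root.
    openssl verify -no-CApath -CAfile "$root" "$inter" >/dev/null 2>&1 ||
        { echo "FAIL: $inter does not chain to $root" >&2; return 1; }
    # Print identifying details for manual comparison.
    for f in "$root" "$inter"; do
        openssl x509 -in "$f" -noout -subject -enddate -fingerprint -sha256
    done
}

# Constructed test data: a throwaway root and intermediate written to DIR.
make_constructed_pair() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        'prompt = no' '[dn]' 'CN = constructed' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' > "$d/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$d/ca.cnf" \
        -subj "/CN=Constructed Root" -keyout "$d/root.key" \
        -out "$d/root.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=Constructed Intermediate" -keyout "$d/int.key" \
        -out "$d/int.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 365 -extfile "$d/ca.cnf" -extensions v3_ca \
        -out "$d/int.pem" 2>/dev/null
}

# Usage: sh check_ca_pair.sh root.pem intermediate.pem
if [ "$#" -ge 2 ]; then check_ca_pair "$@"; fi
```

Compare the printed SHA-256 fingerprints with values obtained from the CA through a separate channel before adding the files to a trust list.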
Scroll down or use the links in the sidebar to find instructions for your ACD or SBC.
Avaya SBCE
The Avaya SBCE integration guide covers the process of importing the Mindful Callback self-signed certificate and setting up a Client Profile. In the Client Profile, the Mindful self-signed CA certificate is assigned as a Peer Certificate Authority. The new CA certificate should be imported in the same way and the existing Client Profile edited to add the new CA certificate as a Peer Certificate Authority.
Once the Mindful Callback TLS certificates have been changed, the old self-signed certificate can be removed from the Client Profile and the list of CA certificates. As long as the same Client Profile is used, SBCE will be unaffected by the change in certificates on the Mindful Callback SIP proxies.
Audiocodes Mediant SBC
Additional CA certificates can be added into the same TLS Context profile as the existing Mindful self-signed certificate, and both can be trusted during the changeover period.
After the changeover period, the Mindful self-signed certificates can be removed from the TLS Context. As long as the same TLS context is used, the SBC will be unaffected by the change in certificates on the Mindful Callback SIP proxies.
Cisco (CUBE)
The Mindful and Cisco CUBE integration guide covers the creation of a Trustpoint and import of the Mindful self-signed CA certificate. Exactly the same process can be followed to create a new Trustpoint and import the new CA root/intermediate certificate.
Once the Mindful Callback TLS certificates have been changed, the old Trustpoint containing the Mindful self-signed certificate can be removed. Trustpoints are not assigned to Dial Peers, so the CUBE will match the correct Trustpoint/certificate with the certificate provided by Mindful Callback without needing to change any other configuration.
Oracle Enterprise SBC
The new CA intermediate/root certificate should be imported as a Certificate Record. Next, the new certificate record can be added as a Trusted CA Certificate to the existing TLS profile (the one containing the Mindful self-signed certificate added as a trusted certificate).
Once the new Mindful Callback TLS certificates signed by the new CA are in place, the self-signed certificate record can be removed from the Oracle SBC configuration. As long as the same TLS profile is used, the SBC will be unaffected by the change in certificates on the Mindful Callback SIP proxies.
Genesys Cloud CX
Genesys Cloud CX officially supports the Entrust certificates used by Mindful.
Twilio
Twilio does not perform any certificate validation when using TLS with Mindful Callback. In our experience, it works out of the box against the Mindful Callback self-signed certificates, so no change is anticipated in Twilio configuration.