The Public Key Infrastructure (PKI) provides a common set of infrastructure features supporting public key and certificate-based authentication based on the RSA public/private key pairs and X.509 digital certificates.

Certificate Types

Local-Internal Certificates

In previous SBC versions, the RSA key pairs and Certificate Signing Request (CSR) for SBC platforms were generated on an external workstation. The CSR was then submitted to a Certificate Authority, and the resulting certificate was received back from the CA, copied onto the workstation, and combined with the private key in a PKCS#12 file, which was used to install the key pair and certificate onto the SBC.

The SBC application can now generate and install RSA key pairs and generate a Certificate Signing Request (CSR) on the SBC system itself. The certificate request is sent to a CA, and the issued certificate is then installed on the SBC. The local-internal certificate option simplifies certificate and key management and also improves security, because the private key never leaves the SBC. For steps to configure local-internal certificates, see Generating PKI Certificates.

Certificate file format: PEM

Local Certificates

Local certificates are credentials belonging to the local system, which it presents to peers to prove its identity. You must upload local certificate files to the system before installing the certificates. For Cloud SBC platforms, you must upload the local certificate files to both the active and the standby node.

Certificate file format: PKCS#12 containing both the local SBC certificate and corresponding private key, or the local certificate and corresponding private key in PEM or DER format.

Remote Certificates

Remote certificates are credentials belonging to Certificate Authorities (CA). The copies of these certificates are installed in the SBC because they are either part of a chain of certificates the local system will present to peers, or because the corresponding CAs are trust anchors for the local system. You should also install certificates belonging to non-CA remote systems as trust anchors in this manner. You must upload remote certificate files in DER format to the system before installing the remote certificates. For Cloud SBC platforms, you must upload the remote certificate files to active and standby nodes.

The Certificate Authority (CA) certificates and trusted remote certificates contain public key certificates only; they do not contain private keys. The CA certificates and remote certificates are files in Distinguished Encoding Rules (DER) format, a binary encoding for data objects such as X.509 certificates; the certificate itself carries the CA's digital signature, which binds a public key to an identity.

Certificate file format: DER


Note

The SBC supports a maximum of 4,096 TLS certificates/CAs (both local and remote).

The SBC allows importing of a single certificate in a single file only. If a CA provides a .p12 or a .pfx certificate bundle with multiple CA certificates in it, extract the certificates from the bundle, store them in separate files, and import them separately.

Note

The DER content of the certificate being installed must be under 6400 Bytes.
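As an added example (not part of the SBC product documentation), the following Python splits a PEM bundle into one certificate per file, as the note above requires, and checks each DER blob against the 6400-byte limit and for being exactly one DER object before you upload it. It assumes the bundle has already been exported from the .p12/.pfx as PEM (for instance with openssl pkcs12 -nokeys); the embedded sample bundle is constructed and holds stand-in DER objects, not real certificates.

```python
import base64
import re

MAX_DER_BYTES = 6400   # SBC limit: DER content must be under 6400 bytes
PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample (NOT real certificates): entry 1 is a well-formed
# stand-in DER SEQUENCE; entry 2 claims more bytes than it contains.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAUCAQU=
-----END CERTIFICATE-----
"""

def der_outer_length(der: bytes) -> int:
    """Encoded size of the outer SEQUENCE; for one certificate it equals len(der)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                      # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_der(der: bytes) -> list:
    """Problems that would block importing this DER on the SBC (empty = OK)."""
    problems = []
    try:
        if der_outer_length(der) != len(der):
            problems.append("length mismatch: truncated or more than one object")
    except ValueError as exc:
        problems.append(str(exc))
    if len(der) >= MAX_DER_BYTES:
        problems.append(f"{len(der)} bytes; DER must be under {MAX_DER_BYTES}")
    return problems

def split_bundle(pem_text: str, prefix: str = "ca") -> tuple:
    """Return ({file name: DER bytes} to write one per file, {file name: problems})."""
    good, bad = {}, {}
    for i, body in enumerate(PEM_CERT_RE.findall(pem_text), start=1):
        der = base64.b64decode("".join(body.split()))
        name = f"{prefix}{i}.der"
        problems = check_der(der)
        (bad if problems else good)[name] = problems or der   # route by result
    return good, bad
```

Write each entry of the first dictionary to its own file and import the files one at a time; the second dictionary lists the entries that need attention before they are offered to the SBC.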


Managing Certificates

To Create a Certificate

Perform the following steps to create a new Certificate.

  1. Click the New Certificate tab on the Certificate List panel.

    The Create New Certificate window displays.

  2. Complete the fields using the table below for guidance.

    Parameter (Length/Range) and Description:

    Name (up to 23 characters)

    Specifies the name of the certificate.

    State (N/A)

    Enable this flag to use the certificate once it has been installed.

    • Disabled (default) – Prohibits the PKI certificate from being used by the SBC for authenticating remote peers (when this is a remote certificate) OR for presenting its own identity (when this is a local or local-internal certificate).
    • Enabled – Certificate is usable by the SBC for authentication purposes.

    File Name (up to 255 characters)

    Enter the name of the file that contains the certificate.

    Supported file formats:

    • Local-Internal: PEM
    • Local: PKCS#12, PEM, DER
    • Remote: DER, PEM

    Key File Name (up to 255 characters)

    The name of the file containing the private key in DER/PEM format.

    Leave this field empty if importing a PKCS#12 file.

    Pass Phrase (up to 23 characters)

    Specifies the pass-phrase that decrypts the RSA private key: for a PKCS#12 file, the pass-phrase protecting the private key inside that file; for a separate PEM key, the pass-phrase protecting the encrypted private key named in "Key File Name."

    Type (N/A)

    Choose the type of certificate from the drop-down list.

    • Local-internal – Certificate belongs to (has as its subject) the local system itself; the key pair and CSR were generated on this machine.
    • Local – Certificate belongs to (has as its subject) the local system itself; the key pair and CSR were generated elsewhere.
    • Remote – Certificate belongs to (has as its subject) a remote entity such as a CA or a peer device.

  3. Click Save to save your changes.

To View a Certificate

On the SBC main screen, go to Configuration > Security Configuration > PKI > Certificate.

The Certificate window displays.

To Edit a Certificate

Perform the following steps to edit a Certificate in the list.

  1. Click the name of the specific Certificate.

  2. The Edit Selected Certificate window displays.

  3. Make the necessary changes, and click Save to save your changes.

To Copy a Certificate

Perform the following steps to copy an existing Certificate and make minor changes to the copy.

  1. Click the radio button next to the specific Certificate to highlight the row.

  2. Click the Copy Certificate tab on the Certificate List panel.

    The Copy Selected Certificate window displays, along with the editable fields.

  3. Make the required changes to the required fields, and click Save to save the changes.

    The copied Certificate displays below the original Certificate in the Certificate List panel.

To Delete a Certificate

Perform the following steps to delete a Certificate.

  1. Click the radio button next to the specific Certificate which you want to delete.

  2. Click Delete at the end of the highlighted row.

    A delete confirmation message appears seeking your decision.

  3. Click Yes to remove the specific Certificate from the list.

Certificate Commands

Click the radio button next to the specific Certificate to highlight the row.

The Certificate Command window displays at the bottom of the screen.

Command options:

  • Use the Generate CSR command to generate the CSR and display it on the screen.
  • Use the Import Cert command to import the signed certificate.
  • Use the Retrieve Cert Content command to view the complete content of the certificate.

Generate CSR Command

When you select the certificate command Generate CSR, and click Select, the following dialog displays:

SAN Support


Note

The SBC does not support Lync/Skype.


The Subject Alternative Name (SAN) is an X.509 version 3 extension that allows an SSL/TLS certificate to specify multiple names that the certificate should match. This allows you to secure a large number of domains with only one certificate. Although a SAN can contain email addresses, IP addresses, regular DNS host names, and so on, the SBC currently supports only DNS host names.

To continue, select a Key Size, enter the Csr Sub name, and click generateCSR. The generated Certificate Signing Request (CSR) resembles the example below:

Click OK to exit.

Import Cert Command

When you select the certificate command Import Cert and click Select, the following dialog displays:

Note

You can cut-and-paste the returned certificate content from Certificate Authority (CA) in the certContent field on the pop-up window and click importCert to complete the task.

To continue, paste the certificate content into the Cert Content field and click importCert.

Once the certificate is successfully imported, return to the Certificate screen and change State to "enabled" to enable the certificate.

The following table lists the certificate parameters:

Parameter and Description:

Csr Subscription

<csr subject name> – The name of the CSR subject, in the following format.

NOTE: You must specify at least one of the following keys in the csr subject name.

/C=<xx>/ST=<xx>/L=<string>/O=<string>/CN=<string>

Where:

  • C = 2-letter country abbreviation
  • ST = 2-letter state or province abbreviation
  • L = Locality name
  • O = Organization name
  • CN = Common Name

Example:

/C=US/ST=MA/L=Westford/O=Example Inc./CN=www.example.com

Key Size

The size, in bits, of the key pair to generate for the private key.

  • Key Size1k – 1024 bits
  • Key Size2k – 2048 bits
  • Key Size4k (default) – 4096 bits
  • Key Size Ec Dsa Secp521r1 – ECDSA key pair on the secp521r1 (NIST P-521) curve

Subject Alternative Dns Name

Specifies the names of the alternative DNS subjects. Multiple alternative names can be specified using "," (comma) as a separator.

(Supports up to 4096 characters)

For example:

"nj.example.com, in.example.com, uk.example.com, ca.example.com, tx.example.com"

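As an added example (not from the SBC documentation), the following Python checks the two Generate CSR inputs described above before you submit them: it parses a csr subject name in the /C=.../CN=... format, enforcing the at-least-one-key rule and the 2-letter C and ST codes, and it splits the comma-separated Subject Alternative Dns Name field, rejecting email addresses and IP literals because the SBC accepts DNS host names only. The host-name label rule (RFC 1123) and the 253-character name limit are general DNS constraints assumed here, not SBC rules; the inputs in the comments are constructed.

```python
import ipaddress
import re

SUBJECT_KEYS = ("C", "ST", "L", "O", "CN")   # keys accepted in the csr subject name
SAN_MAX_CHARS = 4096                          # limit of the Subject Alternative Dns Name field
# RFC 1123 host label: letters, digits, hyphens, 1-63 chars, no leading/trailing hyphen
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def parse_csr_subject(subject: str) -> dict:
    """Parse '/C=US/ST=MA/L=.../O=.../CN=...' into {key: value}; ValueError if invalid."""
    if not subject.startswith("/"):
        raise ValueError("subject must start with '/'")
    fields = {}
    for part in filter(None, subject[1:].split("/")):   # values may not contain '/'
        key, sep, value = part.partition("=")
        if not sep or key not in SUBJECT_KEYS:
            raise ValueError(f"unsupported or malformed component {part!r}")
        if not value:
            raise ValueError(f"empty value for {key}")
        if key in ("C", "ST") and not (len(value) == 2 and value.isalpha()):
            raise ValueError(f"{key} must be a 2-letter abbreviation")
        fields[key] = value
    if not fields:
        raise ValueError("at least one subject key is required")
    return fields

def parse_san_dns_names(san: str) -> list:
    """Split the comma-separated SAN field; accept DNS host names only (SBC rule)."""
    if len(san) > SAN_MAX_CHARS:
        raise ValueError(f"SAN field exceeds {SAN_MAX_CHARS} characters")
    names = [n.strip() for n in san.split(",") if n.strip()]
    for name in names:
        if "@" in name:
            raise ValueError(f"{name!r} is an email address, not a DNS name")
        try:
            ipaddress.ip_address(name)
        except ValueError:
            pass                             # not an IP literal: the expected case
        else:
            raise ValueError(f"{name!r} is an IP address, not a DNS name")
        if len(name) > 253 or not all(LABEL_RE.match(l) for l in name.split(".")):
            raise ValueError(f"{name!r} is not a valid DNS host name")
    return names

def rejection_reason(func, value) -> str:    # '' means the value was accepted
    try:
        func(value)
    except ValueError as exc:
        return str(exc)
    return ""
```
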
Retrieve Cert Content

The Retrieve Cert Content command extracts the complete certificate information including the serial number and the validity period.

  1. On the Certificate Commands window, select Retrieve Cert Content command.

    Note

    You cannot view the Private Key in the retrieved certificate content.

    The following window displays:

  2. Click retrieveCertContent to proceed and to view the complete information of the certificate.

    The Message window displays, providing all the information of the certificate.

    Note

    This certificate content is an ASCII representation of X.509 format.

  3. Click Ok to exit.