The Public Key Infrastructure (PKI) provides a common set of infrastructure features that support public key and certificate-based authentication using RSA public/private key pairs and X.509 digital certificates.

Certificate Types

Local-Internal Certificates

In previous SBC versions, the RSA key pairs and Certificate Signing Request (CSR) for SBC platforms were generated on an external workstation. The CSR was then submitted to a Certificate Authority, and the resulting certificate was received back from the CA, copied onto the workstation, and combined with the private key in a PKCS#12 file, which was used to install the key pair and certificate onto the SBC.

The SBC application can now generate and install RSA key pairs and generate a Certificate Signing Request (CSR) on the SBC system itself. The certificate request is sent to a CA, and the issued certificate is then installed on the SBC. The local-internal certificate option simplifies the management of certificates and keys, and also provides more security because the private key never leaves the SBC. For steps to configure local-internal certificates, see Generating PKI Certificates.

Certificate file format: PEM

Local Certificates

Local certificates are credentials belonging to the local system, which it presents to peers to prove its identity. You must upload local certificate files to the system before installing the certificates. For Cloud SBC platforms, you must upload the local certificate files to active and standby nodes.

Certificate file format: PKCS#12 containing both the local SBC certificate and corresponding private key, or the local certificate and corresponding private key in PEM or DER format.

Remote Certificates

Remote certificates are credentials belonging to Certificate Authorities (CA). Copies of these certificates are installed in the SBC either because they are part of a chain of certificates the local system will present to peers, or because the corresponding CAs are trust anchors for the local system. You should also install certificates belonging to non-CA remote systems as trust anchors in this manner. You must upload remote certificate files in DER format to the system before installing the remote certificates. For Cloud SBC platforms, you must upload the remote certificate files to active and standby nodes.

The Certificate Authority (CA) certificates and trusted remote certificates contain public key certificates; they do not contain private keys. The CA certificates and remote certificates are Distinguished Encoding Rules (DER) format files. DER is a method for encoding a data object such as an X.509 certificate, which uses a digital signature to bind a public key to an identity.

Certificate file format: DER
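
A pre-upload check for the remote certificate format rules above, as an added example that is not part of the SBC product or its documentation. The function name to_remote_der and the sample byte strings are assumptions constructed for illustration; the check covers only the outer ASN.1 shape of the file and does not validate signatures or trust.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _der_header(buf, pos=0):
    """Return (tag, content_start, content_len) of the DER element at pos."""
    if len(buf) < pos + 2:
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, pos + 2, first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or len(buf) < pos + 2 + n:
        raise ValueError("indefinite or truncated length, not DER")
    return tag, pos + 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def to_remote_der(data):
    """Return (der_bytes, sha256_hex) for one certificate, or raise ValueError."""
    blocks = PEM_BLOCK.findall(data)
    if any(label.endswith(b"PRIVATE KEY") for label, _ in blocks):
        raise ValueError("file contains a private key; remote certificates must not")
    if blocks:                             # PEM input: decode the single certificate
        certs = [body for label, body in blocks if label == b"CERTIFICATE"]
        if len(certs) != 1:
            raise ValueError("expected exactly one CERTIFICATE block, found %d" % len(certs))
        data = base64.b64decode(b"".join(certs[0].split()), validate=True)
    tag, start, length = _der_header(data)
    if tag != 0x30 or start + length != len(data):
        raise ValueError("not a single DER SEQUENCE spanning the whole file")
    inner_tag = _der_header(data, start)[0]
    if inner_tag == 0x02:                  # a PKCS#12 PFX starts with an INTEGER version
        raise ValueError("looks like PKCS#12, which belongs to local certificates")
    if inner_tag != 0x30:                  # a Certificate starts with the tbsCertificate SEQUENCE
        raise ValueError("outer structure is not an X.509 certificate")
    return data, hashlib.sha256(data).hexdigest()

# Constructed skeletons with the outer shape only; these are not real certificates.
CERT_SHAPED = bytes.fromhex("300a" "3003020101" "3000" "030100")
PFX_SHAPED = bytes.fromhex("3003020103")
PEM_CERT = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(CERT_SHAPED)
            + b"\n-----END CERTIFICATE-----\n")
```

The returned SHA-256 fingerprint can be compared with the value published by the CA before the file is uploaded as a trust anchor.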


Upload PKI Certificates

From the EMA, choose a path:

  • All > System > Security > PKI
  • Configuration > Security Configuration > PKI

The Commands window displays.


Procedure:

  1. Click Select, and from the drop-down list, choose Upload Certificate.
    The "Upload Certificate" dialog displays.
  2. Click Choose File and then navigate to the local certificate location and select the file. 
  3. Click the 'Save' button to save your selection and start the file upload.