In this section:
The Public Key Infrastructure (PKI) provides a common set of infrastructure features supporting public key and certificate-based authentication based on the RSA public/private key pairs and X.509 digital certificates.
Certificate Types
Local-Internal Certificates
In previous SBC versions, the RSA key pairs and Certificate Signing Request (CSR) for SBC platforms were generated on an external workstation. The CSR was then submitted to a Certificate Authority, and the resulting certificate was received back from the CA, copied onto the workstation, and combined with the private key in a PKCS#12 file which was used to install the key pair and certificate onto the SBC.
The SBC application can now generate and install RSA key pairs and generate Certificate Signing Request (CSR) on the SBC system itself. The certificate request is sent to a CA, and the issued certificate is then installed on the SBC. The local-internal certificate option simplifies the certificates and keys managing process and also provides more security since the private key never leaves the SBC. For steps to configure local-internal certificates, see Generating PKI Certificates.
Local Certificates
Local certificates are credentials belonging to the local system itself, which it presents to peers in order to prove its identity. You have to download local certificate files to the system before installing the certificates.
Remote Certificates
Remote certificates are credentials belonging to Certificate Authorities (CA). The copies of these certificates are installed in the SBC because they are part of a chain of certificates the local system will present to peers, or because the corresponding CAs are trust anchors for the local system. Certificates belonging to non-CA remote systems should also be installed as trust anchors in this manner.
The Certificate Authority (CA) certificates and trusted remote certificates contain public key certificates; they do not contain the private keys. The CA certificates and remote certificates are Distinguished Encoding Rules (DER) format files; a method for encoding a data object (such as an X.509 certificate) which uses a digital signature to bind together a public key with an identity.
The SBC imports these certificates from Distinguished Encoding Rules (DER) formatted files.
Note
The SBC supports a maximum of 4,096 TLS certificates/CAs (both local and remote).
Command Syntax
Set Command Syntax
% set system security pki certificate <certificate name> fileName <1-255 characters> passPhrase <pass phrase> state <disabled | enabled> type <local | local-internal | remote> % show system security pki % delete system security pki
Request Command Syntax
% request system security generateSipHeaderEncryptionKeys pki certificate <certificate name> generateCSR csrSub (max 255 chars) keySize (ketSize1K | keySize2K) subjectAlternativeDnsName (0-512 chars) importCert certContent (max 4096 chars) retrieveCertContent uploadCertificate
Command Parameters
Set Parameters
set system security Parameters
Parameter | Description |
|---|---|
|
|
| Certificate content filename. |
| Specifies the pass-phrase to decrypt RSA private key in PKCS12 file. Note: The |
| Administration state of this certificate. Options are:
The certificate must first be installed on the SBC before enabling it. |
| Specifies the certificate type – CA (remote) certificate or local certificate. Options are:
|
Request Parameters
request system security Parameters Parameter Description Use this command to generate header encryption keys. A "Success" or "Failure" indication is returned. The SBC then adds the key-Id to each encrypted header based on which key is selected as the correct key for decryption. The SBC stores up to two sets of keys at any given time. There is no limit to the number of times this command may be executed. Additionally, there is no specific time delay required before reissuing the command. NOTE: Generating new keys too frequently may lead to a situation where the SBC receives a request with an expired key-id (i.e. the current header encryption key is over-written due to the new key generation) causing unsuccessful decryption of headers. This may lead to call failures any calls caught in the transition to the new key-id. PKI certification configuration details.
generateSipHeaderEncryptionKeyspkicertificate The name for a collection of certificates configured on SBC.<certificateName> –generateCSR – Use this parameter to generate CSR (Certificate Signing Request).csrSub – CSR subject name (max 255 chars). Place the parameter value within quotation marks if a string contains a space.keySize – Size of the key to generate private key via openssl command.keySize1KkeySize2KsubjectAlternativeDnsName – Alternative DNS subject name(s). Multiple alternative names can be specified using "," (comma) separator. (0-512 chars). Example: "nj.sonusnet.com, in.sonusnet.com, uk.sonusnet.com, ca.sonusnet.com, tx.sonusnet.com"importCert certContent – Import PEM format certificate (max 4096 characters).
Note: When issuing this command, the SBC enables multi-line mode automatically. To exit multi-line mode you must press Ctrl+D manually.retrieveCertContent – Retrieve content of an existing PKI certificate (local, local-internal and remote).uploadCertificate – Upload a pk12 certificate.
Command Example
To display security management configuration:
% show system security pki certificate
certificate testSBCCert {
state enabled;
fileName sonuscert.pem
type local-internal;
}
certificate defaultSBCCert {
state enabled;
fileName sonuscert.p12;
passPhrase $3$KFfiuJ0Lifk=;
type local;
}
Overview
Content Tools