In this section:

Previously, the RSA key pairs and Certificate Signing Request (CSR) for SBC was generated on an external workstation. The CSR was submitted to a Certificate Authority, and the resulting certificate was received back from the CA, copied onto the workstation, and combined with the private key in a PKCS#12 file. That PKCS#12 file could then be used to install the key pair and certificate onto the SBC.

The SBC Core is enhanced to generate and install the RSA key pairs and generate Certificate Signing Request (CSR) on theSBC 5000 series system. The certificate request is sent to a CA and the issued certificate is then installed on the SBC application. The certificates and keys managing process is simplified and also provides more security since the private key never leaves the SBC application.

 

SBC supports three types of certificates:

  • local
  • local-remote
  • remote

Note

The SBC supports a maximum of 4,096 TLS certificates/CAs (both local and remote).

To View Certificate

On SBC main screen, go to Configuration > Security Configuration > PKI > Certificate. The Certificate window is displayed.

Security Configuration - PKI - Certificate

 

To Edit Certificate

To edit any of the Certificate in the list, click the radio button next to the specific Certificate name.

Security Configuration - PKI - Certificate Highlighted

 

The Edit Selected Certificate window is displayed below.

Security Configuration - PKI - Certificate Edit Window

 

Make the required changes and click Save at the right hand bottom of the panel to save the changes made.

To Create Certificate

To create a new Certificate, click New Certificate tab on the Certificate List panel.

Security Configuration - Ipsec Protection Profile Fields

 

The Create New Certificate window is displayed.

Security Configuration - PKI - Certificate Create Window

 

The following fields are displayed:

Pki - Certificate Parameters

 

Parameter

Description

Name

Specifies the name of the certificate.

State

Enable this flag to enable the use of the certificate once it has been installed. The options are:

  • disabled (default)
  • enabled

File Name

<filename>.pem Enter the PEM filename and set state to "enabled" to install the certificate.

Pass Phrase Specifies the Pass-phrase to decrypt RSA private key in PKCS12 file.
Type

Use this object to specify the type of certificate:

  • local – Certificate belongs to (has as its subject) the local system itself; the key pair and CSR were generated elsewhere
  • local-internal – Certificate belongs to (has as its subject) the local system itself; the key pair and CSR were generated on this machine.
  • remote Certificate belongs to (has as its subject) a remote entity such as a CA or a peer device.

To Copy Certificate

To copy any of the created Certificate and to make any minor changes, click the radio button next to the specific Certificate to highlight the row.

Security Configuration - PKI - Certificate Highlighted

 

Click Copy Certificate tab on the Certificate List panel.

Security Configuration - PKI - Certificate Fields

 

The Copy Selected Certificate window is displayed along with the field details which can be edited.

Security Configuration - PKI - Certificate Copy Window

 

Make the required changes to the required fields and click Save to save the changes. The copied Certificate is displayed at the bottom of the original Certificate in the Certificate List panel.

To Delete Certificate

To delete any of the created Certificate, click the radio button next to the specific Certificate which you want to delete.

Security Configuration - PKI - Certificate Highlighted

 

Click Delete at the end of the highlighted row. A delete confirmation message appears seeking your decision.

Security Configuration - PKI - Certificate Delete Confirmation

 

Click Yes to remove the specific Certificate from the list.

Certificate Commands

Click the radio button next to the specific Certificate to highlight the row.

The Certificate Command window is displayed at the bottom of the screen.

Security Configuration - PKI - Certificate Commands

 

The Generate CSR keyword is added to generate the CSR and display it on the screen. The Import Cert keyword is added to import signed certificate. To view the complete content of the certificate, use Retrieve Cert Content command.

Generate CSR Command

When you select the certificate command Generate CSR, and click Select, the following dialog displays:

Security Configuration - PKI - Certificate Commands - GenerateCSR

 

SAN Support

SBC supports SAN Support from 4.0.2 release.

The Subjective Alternative Name (SAN) is an X509 version 3 extension that allows an SSL certificate to specify multiple names that the certificate should match. This allows you to secure a large number of domains with only one certificate. Even when SAN contains eMail addresses, IP Addresses, Regular DNS Host Name, and so on, SBC now supports only DNS Host Name.

The Lync 2013 video call requires a unique FQDN to identify SBC. This FQDN is not the same as the one used by the Mediation server for regular Audio Only calls. Since SBC now requires 2 FQDN to place bothe Audio and Video calls on Lync using static route from Lync FE, SBC local certificate must contain both the FQDNs for CN and SAN. This is required for a successful TLS connection set up between Lync and SBC.

To continue, select "Key Size", enter "Csr Sub" name and click generateCSR. The Certificate Signing Request (CSR) is generated similar to the example below:

Security Configuration - PKI - Certificate Commands - GenerateCSR Certificate Signing Request

 

Click Ok to exit.

Import Cert Command

When you select the certificate command Import Cert, and click Select the following dialog displays:

Security Configuration - PKI - Certificate Commands - ImportCert

 

You can cut-and-paste the returned certificate content from Certificate Authority (CA) in the certContent field on the pop-up window and click importCert to complete the task.

To continue, enter "Cert Content" description and click importCert.

Once the certificate is successfully imported, return to the Certificate screen and change State to "enabled" to enable the certificate.

The following are the Certificate parameters:

Certificate Parameters

 

Parameter

Description

csrSub

<csr subject name> The name of the CSR subject using the following format.

At least one of the following keys must be specified in the csr subject name.

/C=<xx>/ST=<xx>/L=<string>/O=<string>/CN=<string>

Where:

  • C = 2-digit country abbreviation
  • ST = 2-digit state or province abbreviation
  • L = Locality name
  • O = Organization name
  • CN = Common Name

Example:

/C=US/ST=MA/L=Westford/O=Example Inc./CN=www.example.com

keySize 

The size in bits of the key pair to generate the private key.

  • keySize1k – 1024 bits

  • keySize2k (default) – 2048 bits

Subject Alternative Dns Name

Specifies the names of the alternative DNS subjects. Multiple alternative names can be specified using "," (comma) as a separator.

For example:

"nj.example.com, in.example.com, uk.example.com, ca.example.com, tx.example.com"

This field is available from 4.0.2 release.

Retrieve Cert Content

The Retrieve Cert Content command extracts the complete certificate information including the serial number and the validity period. On the Certificate Commands window, select Retrieve Cert Content command.

Private Key cannot be viewed in the retrieved certificate content.

The following window appears:

Retrieve Cert Content Command window

 

Click retrieveCertContent to proceed and to view the complete information of the certificate. The Message window appears providing all the information of the certificate.

This certificate content is an ASCII representation of X.509 format.

Retrieve Cert Content Message

 

Click OK to exit.

 

  • No labels