The Public Key Infrastructure (PKI) provides a common set of infrastructure features supporting public key and certificate-based authentication, based on RSA public/private key pairs and X.509 digital certificates.

In previous SBC versions, the RSA key pair and Certificate Signing Request (CSR) for an SBC platform were generated on an external workstation. The CSR was submitted to a Certificate Authority (CA); the issued certificate was copied back onto the workstation and combined with the private key in a PKCS#12 file, which was then used to install the key pair and certificate on the SBC. The SBC application can now generate and install RSA key pairs and generate the CSR on the SBC system itself. The CSR is sent to a CA, and the issued certificate is then installed on the SBC. This local-internal certificate option simplifies key and certificate management and is also more secure, because the private key never leaves the SBC; in the PKCS#12 workflow the private key necessarily exists on the workstation and inside the uploaded file.

Certificate Types

Local-Internal Certificates
Local-Internal certificates are CA-issued certificates for a key pair that the SBC generated itself. They are installed from a PEM-encoded certificate file, typically with a .pem or .crt extension. PEM files are base64-encoded ASCII, not binary. For steps to configure local-internal certificates, see Generating PKI Certificates.
Certificate file format: PEM

Local Certificates
Local certificates are credentials belonging to the local system itself, which it presents to peers in order to prove its identity. You must upload local certificate files in PKCS#12 format (the certificate together with its private key) to the system before installing the certificates. On Cloud SBC platforms, you must upload the local certificate files to both the active and standby nodes.
Certificate file format: PKCS#12

Remote Certificates
Remote certificates are credentials belonging to Certificate Authorities (CAs). Copies of these certificates are installed on the SBC either because they are part of a chain of certificates the local system presents to peers, or because the corresponding CAs are trust anchors for the local system. Certificates belonging to non-CA remote systems are installed as trust anchors in the same manner. You must upload remote certificate files in DER format to the system before installing them. On Cloud SBC platforms, you must upload the remote certificate files to both the active and standby nodes.
CA certificates and trusted remote certificates contain only public key certificates; they never contain private keys. The files use Distinguished Encoding Rules (DER), the binary encoding of ASN.1 data objects such as X.509 certificates. The binding of a public key to an identity is done by the certificate itself, through the CA's digital signature; DER is only the encoding.
Certificate file format: DER
The SBC supports a maximum of 4,096 TLS certificates/CAs (local and remote combined). The SBC imports only one certificate per file. If a CA provides a bundle (for example a .p12 or .pfx file) containing multiple CA certificates, extract the certificates from the bundle, store each one in a separate file, and import them separately.
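The following Python script is an added example, not part of the product documentation or the SBC itself. Using only the standard library, it classifies a certificate file by its content rather than its extension (.crt and .cer are used for both PEM and DER in practice), and splits a CA-supplied PEM chain into one DER file per certificate, which is the form the SBC accepts for remote certificates. The sample chain, the placeholder DER payloads and the output file names are constructed for the example and are not real certificates.

```python
"""Added example: sort certificate files into the formats the SBC expects and split a
CA-supplied PEM chain into one DER file per certificate (the remote certificate format).
Sample data below is constructed; the DER payloads are placeholders, not real X.509 data."""
import base64
import re
from typing import Dict, List, Tuple

# One PEM block: label in group 1 (CERTIFICATE, PRIVATE KEY, ...), base64 body in group 2.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def detect_format(data: bytes) -> str:
    """Classify a file by content, not by extension."""
    if b"-----BEGIN " in data:
        return "PEM"                      # base64 ASCII: the local-internal certificate format
    if len(data) > 2 and data[:1] == b"\x30":   # DER certificates and PKCS#12 files both open with SEQUENCE
        first = data[1]
        hdr = 2 if first < 0x80 else 2 + (first & 0x7F)   # skip short- or long-form length
        inner = data[hdr:hdr + 1]
        if inner == b"\x30":
            return "DER"                  # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ... }
        if inner == b"\x02":
            return "PKCS12"               # PFX ::= SEQUENCE { version INTEGER (3), ... }
    return "unknown"


def split_pem_bundle(data: bytes) -> List[Tuple[str, bytes]]:
    """Return (label, der_bytes) for every PEM block in the file, in file order."""
    return [(m.group(1).decode("ascii"), base64.b64decode(b"".join(m.group(2).split())))
            for m in PEM_BLOCK.finditer(data)]


def has_only_certificates(bundle: bytes) -> bool:
    """True when every PEM block is a CERTIFICATE (no keys, no CSRs)."""
    return all(label == "CERTIFICATE" for label, _ in split_pem_bundle(bundle))


def remote_cert_files(bundle: bytes, prefix: str) -> Dict[str, bytes]:
    """Map file name -> DER bytes, one certificate per file, ready to upload as remote certificates.
    A non-certificate block (for example a private key) aborts the export: remote certificate
    files must never carry private keys."""
    files: Dict[str, bytes] = {}
    for i, (label, der) in enumerate(split_pem_bundle(bundle), 1):
        if label != "CERTIFICATE":
            raise ValueError(f"block {i} is a {label}, not a certificate; refusing to export it")
        files[f"{prefix}-{i}.der"] = der
    return files


def _pem(label: str, der: bytes) -> bytes:
    """Wrap DER bytes in a PEM block (used only to build the constructed samples)."""
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label.encode(), base64.b64encode(der), label.encode())


# Constructed samples (placeholder SEQUENCE { SEQUENCE { INTEGER } } bodies, not real certificates):
# a two-certificate chain as a CA typically returns it, and a file that also holds a private key.
SAMPLE_CHAIN = _pem("CERTIFICATE", b"\x30\x05\x30\x03\x02\x01\x01") + _pem("CERTIFICATE", b"\x30\x05\x30\x03\x02\x01\x02")
SAMPLE_KEY_AND_CERT = _pem("PRIVATE KEY", b"\x30\x03\x02\x01\x00") + _pem("CERTIFICATE", b"\x30\x05\x30\x03\x02\x01\x03")

if __name__ == "__main__":
    print("chain file format:", detect_format(SAMPLE_CHAIN))
    for name, der in remote_cert_files(SAMPLE_CHAIN, "ca").items():
        print(name, detect_format(der), len(der), "bytes")
    print("key+cert file is clean:", has_only_certificates(SAMPLE_KEY_AND_CERT))
```

For a .p12/.pfx bundle, first export its certificates to PEM without the key (for example with `openssl pkcs12 -in bundle.p12 -nokeys -out chain.pem`) and then run the split on that PEM file; the refusal to export a PRIVATE KEY block is deliberate, since a remote certificate file that carries a key is a mistake that the SBC's upload step will not catch for you.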
Perform the following steps to create a new Certificate.
Complete the fields using the table below for guidance.
Parameter | Description |
---|---|
Name | Specifies the name of the certificate. |
State | Enable this flag to allow the certificate to be used once it has been installed. The options are enabled and disabled. |
File Name | Specifies the name of the certificate file previously uploaded to the system. File Name format: PEM for local-internal certificates, PKCS#12 for local certificates, DER for remote certificates. |
Pass Phrase | Specifies the pass-phrase used to decrypt the RSA private key in the PKCS#12 file (local certificates only). |
Type | Specifies the type of certificate: local-internal, local, or remote. |
On the SBC main screen, go to Configuration > Security Configuration > PKI > Certificate.
The Certificate window displays.
Perform the following steps to edit a Certificate in the list.
Perform the following steps to copy a created Certificate, and to make any minor changes.
Perform the following steps to delete a Certificate.
Click the radio button next to the specific Certificate to highlight the row.
The Certificate Command window displays at the bottom of the screen.
Command options include Generate CSR, Import Cert, and Retrieve Cert Content; each is described below.
When you select the certificate command Generate CSR and click Select, the following dialog displays:
The SBC supports SAN from release 4.0.2.
The Subject Alternative Name (SAN) is an X.509 version 3 extension that allows a TLS certificate to specify multiple names the certificate should match, so that a large number of domains can be secured with a single certificate. Although a SAN extension can carry e-mail addresses, IP addresses, DNS host names and other name types, the SBC currently supports only DNS host names.
A Lync 2013 video call requires a unique FQDN to identify the SBC. This FQDN is not the same as the one the Mediation Server uses for regular audio-only calls. Because the SBC therefore needs two FQDNs to place both audio and video calls on Lync using a static route from the Lync Front End (FE), the SBC local certificate must cover both FQDNs using the CN and the SAN: a CN holds only one name, so the second name must appear in the SAN, and since modern TLS clients match host names against the SAN rather than the CN, list both names in the SAN. This is required for a successful TLS connection set-up between Lync and the SBC.
To continue, select "Key Size", enter the "Csr Sub" name and click generateCSR. A Certificate Signing Request (CSR) similar to the example below is generated:
Click OK to exit.
When you select the certificate command Import Cert and click Select, the following dialog displays:
Paste the certificate content returned by the Certificate Authority (CA) into the "Cert Content" field of the pop-up window and click importCert to complete the task.
Once the certificate is successfully imported, return to the Certificate screen and change State to "enabled" to enable the certificate.
The following are the Certificate parameters:
Parameter | Description |
---|---|
Csr Sub | Specifies the subject name of the CSR. At least one of the following keys must be specified in the CSR subject name. |
Key Size | The size in bits of the key pair to generate for the private key. |
Subject Alternative Dns Name | Specifies the alternative DNS names of the subject. Multiple alternative names can be specified using "," (comma) as a separator. For example: "nj.example.com, in.example.com, uk.example.com, ca.example.com, tx.example.com". This field is available from release 4.0.2. |
The Retrieve Cert Content command extracts the complete certificate information including the serial number and the validity period.
From the Certificate Commands window, select Retrieve Cert Content command.
The private key is not part of a certificate and is never shown in the retrieved certificate content.
The following window appears:
Click retrieveCertContent to proceed and to view the complete information of the certificate. The Message window appears providing all the information of the certificate.
The certificate content is a text (ASCII) rendering of the X.509 certificate fields.
Click OK to exit.
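The fields that Retrieve Cert Content reports (serial number and validity period) and the CN/SAN coverage that the Lync note above requires can both be checked off-box before a certificate is imported. The following Python code is an added example, not part of the SBC or its documentation: it walks the DER structure of an X.509 certificate with the standard library only and extracts the serial number, validity window, subject CN and SAN DNS names. The certificate it parses is a constructed, unsigned placeholder built in the same block (dummy algorithm, key and signature bytes), and the host names sbc.example.com and sbc-video.example.com are assumptions; on a real certificate, pass the DER bytes of the file to parse_cert.

```python
"""Added example: serial, validity, subject CN and SAN DNS names from a DER X.509 certificate,
standard library only. The sample certificate is a constructed, unsigned placeholder."""
from datetime import datetime, timezone
from typing import List, Tuple

OID_CN = bytes.fromhex("550403")    # 2.5.4.3  commonName
OID_SAN = bytes.fromhex("551d11")   # 2.5.29.17 subjectAltName


def tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos: returns (tag, value, position after it)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:                            # short-form length
        length, hdr = first, 2
    else:                                       # long form: 0x80 | number of length bytes
        n = first & 0x7F
        length, hdr = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, data[start:start + length], start + length


def children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split the body of a SEQUENCE/SET into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out


def asn1_time(tag: int, value: bytes) -> datetime:
    """UTCTime (0x17, two-digit year) or GeneralizedTime (0x18, four-digit year), always Zulu."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_cert(der: bytes) -> dict:
    _, cert, _ = tlv(der)                       # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    _, tbs, _ = tlv(cert)                       # TBSCertificate ::= SEQUENCE { ... }
    fields = children(tbs)
    if fields[0][0] == 0xA0:                    # optional explicit [0] version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)   # DER INTEGER is two's complement
    # fields[1] signature AlgorithmIdentifier, [2] issuer, [3] validity, [4] subject,
    # [5] subjectPublicKeyInfo, then optional [1] issuerUID, [2] subjectUID, [3] extensions
    (nb_tag, nb), (na_tag, na) = children(fields[3][1])
    cn = None
    for _, rdn in children(fields[4][1]):       # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            if oid == OID_CN:
                cn = val.decode("utf-8")
    dns_names: List[str] = []
    for tag, block in fields[5:]:
        if tag != 0xA3:                         # explicit [3] Extensions
            continue
        for _, ext in children(children(block)[0][1]):      # SEQUENCE OF Extension
            members = children(ext)             # extnID, [critical], extnValue OCTET STRING
            if members[0][1] == OID_SAN:
                _, general_names, _ = tlv(members[-1][1])    # OCTET STRING wraps GeneralNames
                dns_names = [v.decode("ascii") for t, v in children(general_names) if t == 0x82]  # [2] dNSName
    return {"serial": serial, "not_before": asn1_time(nb_tag, nb), "not_after": asn1_time(na_tag, na),
            "cn": cn, "san_dns": dns_names}


def covers_fqdns(der: bytes, fqdns: List[str]) -> bool:
    """Lync check: every required FQDN is listed in the SAN and the CN is one of them."""
    info = parse_cert(der)
    return set(fqdns) <= set(info["san_dns"]) and info["cn"] in fqdns


# Minimal DER encoder, used only to build the constructed sample certificate below.
def enc(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_cert(cn: str, san: List[str]) -> bytes:
    """Constructed placeholder: correct TBSCertificate layout, dummy algorithm/key/signature bytes."""
    seq = lambda *parts: enc(0x30, b"".join(parts))
    alg = seq(enc(0x06, bytes.fromhex("2a864886f70d01010b")), enc(0x05, b""))   # sha256WithRSAEncryption
    name = seq(enc(0x31, seq(enc(0x06, OID_CN), enc(0x0C, cn.encode()))))        # CN=<cn>
    san_ext = seq(enc(0x06, OID_SAN), enc(0x04, seq(*(enc(0x82, d.encode()) for d in san))))
    tbs = seq(
        enc(0xA0, enc(0x02, b"\x02")),                                 # version v3
        enc(0x02, b"\x0c\x0d"),                                        # serialNumber 3085 (placeholder)
        alg, name,                                                     # signature alg, issuer (placeholder)
        seq(enc(0x17, b"240101000000Z"), enc(0x17, b"250101000000Z")), # validity as UTCTime
        name,                                                          # subject
        seq(alg, enc(0x03, b"\x00")),                                  # SPKI placeholder
        enc(0xA3, seq(san_ext)),                                       # extensions: SAN only
    )
    return seq(tbs, alg, enc(0x03, b"\x00"))                           # dummy (empty) signature


SAMPLE_CERT = build_sample_cert("sbc.example.com", ["sbc.example.com", "sbc-video.example.com"])

if __name__ == "__main__":
    info = parse_cert(SAMPLE_CERT)
    print(f"serial={info['serial']} cn={info['cn']} san={info['san_dns']} "
          f"valid {info['not_before'].date()} to {info['not_after'].date()}")
```

The parser deliberately reads only what the page says Retrieve Cert Content shows plus the names; it does not verify the signature or the chain, so it tells you whether the CA honoured your SAN request and what the validity window is, not whether the certificate is trustworthy. A CA that silently drops SAN entries is the common reason a certificate that "looks right" fails the Lync TLS handshake, and this check catches that before the import.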