This section outlines how to import and verify the supplementary certificates.

Caution

If your node has a SHA-2 256 signed server certificate, the SBC does not interoperate with Lync 2010 or earlier OCS/Lync versions. The signature algorithm (sha256WithRSAEncryption) is shown in the Certificate panel of the SBC Supplementary Certificates screen.

You may use SHA-2 256 CA certificates for the SBA, SBC, and Lync 2013 Servers. Lync 2010 requires all devices to use SHA-1 certificates. For more information, refer to Microsoft's SHA1 Deprecation Policy.

Note

You can import a maximum of 10 supplementary certificates.

You cannot import certificates that have the same Common Name.

Importing Supplementary Certificates

The following procedures outline how to import the X.509 signed certificate and PKCS12 certificate and key.

Prerequisites

You must import a valid Trusted CA certificate before you import a new signed server certificate.

To Import an X.509 Signed Certificate

Use the following procedure to import an X.509 signed certificate.

  1. In the Web UI, click the Settings tab.
  2. Select Security > SBC Certificates > SBC Supplementary Certificates.

  3. Select X.509 Signed Certificate from the Import drop-down menu.
  4. Select one of the following import modes from the Mode drop-down menu:
    • Copy and Paste
      1. Open the file in a text editor and copy the contents.
      2. Paste the contents into the Paste Base64 Certificate field.

      Copy and Paste X.509 Server Certificate

    • File Upload
      1. Click Browse to find the required file.
      2. Click Open.

      Upload X.509 Server Certificate File

  5. Click OK.

To Import a PKCS12 Certificate and Key

Use the following procedure to import a PKCS12 certificate and key.

Note

You must import the PKCS12 certificate as an SBC certificate pair. Do not import the PKCS12 certificate as a chain.

When you import a PKCS12 certificate, you must import the Trusted CA certificates as a chain if there are intermediate CA and root CA certificates.

  1. In the Web UI, click the Settings tab.
  2. Select Security > SBC Certificates > SBC Supplementary Certificates.

  3. Select PKCS12 Certificate and Key from the Import drop-down menu.

    Import PKCS12 Server Certificate

  4. In the Password field, enter the password used to export the certificate.

    Note

    You must use the same password that was used during the certificate and key export.

  5. Click Browse to find the PKCS12 certificate and key file.

  6. Click Open.
  7. Click OK.

Verifying the Supplementary Certificate

Use the following procedure to verify a supplementary certificate.

Note

The SBC does not support server (SBC 1000/2000) certificates with a 4096-bit RSA key because of the amount of time required to generate a key and process calls.

The SBC supports Trusted Root CA certificates with a 4096-bit RSA key, but these require further testing.

  1. In the Web UI, click the Settings tab.
  2. Select Security > SBC Certificates > SBC Supplementary Certificates.

  3. Expand the details of the certificate you want to verify.

    Supplementary Certificate Details Example

     

    • Enhanced Key Usage: This field displays the enhanced key usage, which outlines the purpose of the subject's public key. For compatibility with some browsers, the SBC requires the TLS Web Server Authentication usage.

    • Key Usage: This field displays the key usage to define the purpose of the key in the certificate. For compatibility with some browsers, the SBC does not allow the non-repudiation service.

  4. In the Certificate panel, make sure that
    1. the Enhanced Key Usage field displays TLS Web Server Authentication, and
    2. the Verify Status field displays OK.

      Note

      Reimport the supplementary certificate to obtain a valid certificate if the Verify Status field does not display OK.

      Note

      Most browsers require the Enhanced Key Usage field for certificate acceptance based on use purpose.
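
The constraints listed in this section can be checked on the certificate file before it is imported. The script below is an added example, not part of the original page or the vendor's tooling; it assumes the openssl command line is installed, and the function names check_sbc_cert and make_sample_cert, the sample Common Name, and the demo certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-import checks based on the constraints stated on this page.
# check_sbc_cert and make_sample_cert are hypothetical helper names.

# Build a constructed self-signed certificate for the demo (not a real SBC cert).
# $1 = output PEM, $2 = RSA bits, $3 = keyUsage list, $4 = extendedKeyUsage list
make_sample_cert() {
    d=$(mktemp -d) || return 1
    cat > "$d/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = sbc.example.test
[v3]
keyUsage = $3
extendedKeyUsage = $4
EOF
    openssl req -x509 -newkey "rsa:$2" -nodes -sha256 -days 1 \
        -config "$d/req.cnf" -keyout "$d/key.pem" -out "$1" 2>/dev/null
    rc=$?; rm -rf "$d"; return $rc
}

# Print findings for one PEM certificate.
# Returns 0 if every check passes, 1 on a failed check, 2 if the file cannot be parsed.
check_sbc_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) ||
        { echo "FAIL: cannot parse $1"; return 2; }
    rc=0
    sig=$(printf '%s\n' "$text" | awk '/Signature Algorithm:/ {print $3; exit}')
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    echo "INFO: signature algorithm $sig, public key $bits bit"
    # SHA-256 signed server certificates do not interoperate with Lync 2010 or earlier.
    case "$sig" in sha256*) echo "WARN: SHA-256 signature, not usable with Lync 2010 or earlier" ;; esac
    # The SBC 1000/2000 does not support server certificates with a 4096-bit RSA key.
    [ "$bits" = 4096 ] && { echo "FAIL: 4096-bit RSA server key"; rc=1; }
    # The SBC requires the TLS Web Server Authentication enhanced key usage.
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' ||
        { echo "FAIL: Enhanced Key Usage lacks TLS Web Server Authentication"; rc=1; }
    # The SBC does not allow the non-repudiation key usage.
    printf '%s\n' "$text" | grep -q 'Non Repudiation' &&
        { echo "FAIL: Key Usage includes Non Repudiation"; rc=1; }
    return $rc
}

# Demo on a constructed certificate that satisfies the usage requirements.
tmp=$(mktemp) && make_sample_cert "$tmp" 2048 "digitalSignature,keyEncipherment" serverAuth &&
    check_sbc_cert "$tmp"; rm -f "$tmp"
```

Call check_sbc_cert with the path of the PEM certificate you intend to import; the Verify Status field in the Web UI remains the authoritative result after import.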
