refer to Generating PKI Certificates.
Local Certificates
Local certificates are credentials belonging to the local system itself, which it presents to peers in order to prove its identity. You have to download local certificate files to the system before installing the certificates.
Remote Certificates
Remote certificates are credentials belonging to Certificate Authorities (CAs). Copies of these certificates are installed in the
because they are part of a chain of certificates the local system will present to peers, or because the corresponding CAs are trust anchors for the local system. Certificates belonging to non-CA remote systems should also be installed as trust anchors in this manner. CA certificates and trusted remote certificates contain public key certificates only; they do not contain private keys. CA certificates and remote certificates are supplied as Distinguished Encoding Rules (DER) format files. DER is a method of encoding a data object such as an X.509 certificate, which in turn uses a digital signature to bind a public key to an identity.
The
imports these certificates from Distinguished Encoding Rules (DER) formatted files.
RSA Key Pairs and Certificate Signing Requests
In previous versions, the RSA key pairs and Certificate Signing Requests (CSRs) for
platforms were generated on an external workstation. The CSR was then submitted to a Certificate Authority, and the resulting certificate was received back from the CA, copied onto the workstation, and combined with the private key in a PKCS#12 file, which was used to install the key pair and certificate onto the . The application can now generate and install RSA key pairs and generate Certificate Signing Requests (CSRs) on the system itself. The CSR is sent to a CA, and the issued certificate is then installed on the . This simplifies certificate and key management and also improves security, since the private key never leaves the . To configure PKI certificates, see Generating PKI Certificates.
Certificate Re-Check and Expiry Warning
The has a configurable option to check for expired certificates, trust anchor validity and, if OCSP is enabled, certificate revocation. The re-check interval is configurable via the CLI from every 8 hours up to every 30 days, in increments of 1 hour. The default is once per 24-hour period.
Upon failure of any one of these checks (for example, a certificate is no longer valid), the terminates the TLS session and logs a MAJOR level event (sonusSbxFailedCertificateReCheck) to alert the user. The one exception is when OCSP is enabled but the responder does not return a revocation status of successful.good or successful.revoked; in that case the corresponding TLS session continues for SIP/TLS. The
supports the SHA-256 cryptographic hash algorithm for certificate verification. The also includes a configurable option, via the CLI, to set certificate expiry warning rates.
- Use the expiryWarningThreshold parameter to set the number of days before a certificate's expiration at which a warning message is sent.
- Use the expirationPeriodicWarning parameter to set the frequency, in days, at which periodic warning reminders are sent once the expiryWarningThreshold has been reached.
The logs an event in the DBG and SEC logs at a high severity level when a local or remote certificate installed on the is within 60 days of its expiration date. The event repeats weekly until the certificate is replaced or deleted (even after it has expired).
Note: Disabled certificates are not included in the certificate expiry warning check.
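The following is an added example, not code from the product or this documentation, that ties together two points above: reading the notBefore/notAfter validity period out of a DER-encoded X.509 certificate, and applying an expiry warning schedule of the expiryWarningThreshold / expirationPeriodicWarning kind (first warning threshold_days before expiry, then every periodic_days, continuing past expiry until the certificate is replaced, with disabled certificates skipped). The DER helpers, the constructed minimal certificate produced by build_test_cert (which has the real X.509 field order but no real key or signature) and the names warning_due and certs_needing_warning are all assumptions made for this example; in practice the DER bytes would come from the installed certificate files. How the product itself schedules its warnings internally is not described on the page, so the schedule logic here is an interpretation of the two parameters.

```python
import datetime as dt

# ---- Minimal DER encode/decode helpers (written for this example) ----

def der_len(n):
    """Encode a DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    """Encode one tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Decode the element at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def utctime(t):
    """UTCTime (tag 0x17), the form X.509 uses for dates before 2050."""
    return tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def parse_time(tag, raw):
    """Decode a Validity entry: UTCTime (0x17) or GeneralizedTime (0x18)."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return dt.datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

# ---- Constructed, minimal certificate with the real X.509 field order ----

def build_test_cert(not_before, not_after):
    """Structurally valid but non-functional certificate (placeholder names, key, signature)."""
    sha256_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02"))                            # [0] version = v3
           + tlv(0x02, b"\x01")                                      # serialNumber
           + sha256_rsa                                              # signature algorithm
           + tlv(0x30, b"")                                          # issuer (placeholder)
           + tlv(0x30, utctime(not_before) + utctime(not_after))    # validity
           + tlv(0x30, b"")                                          # subject (placeholder)
           + tlv(0x30, b""))                                         # subjectPublicKeyInfo (placeholder)
    signature = tlv(0x03, b"\x00")                                   # empty BIT STRING placeholder
    return tlv(0x30, tlv(0x30, tbs) + sha256_rsa + signature)

# ---- Read notBefore / notAfter out of a DER certificate ----

def validity_from_der(cert):
    _, cert_body, _ = read_tlv(cert, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)            # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):
        tag, value, pos = read_tlv(tbs, pos)
        fields.append((tag, value))
    if fields[0][0] == 0xA0:                      # optional [0] version comes first
        fields = fields[1:]
    validity = fields[3][1]                       # serial, sigalg, issuer, validity
    tag_nb, nb, pos = read_tlv(validity, 0)
    tag_na, na, _ = read_tlv(validity, pos)
    return parse_time(tag_nb, nb), parse_time(tag_na, na)

# ---- Expiry warning schedule (interpretation of the two CLI parameters) ----

def warning_due(now, not_after, threshold_days, periodic_days, enabled=True):
    """True on days a warning fires: first one threshold_days before notAfter,
    then every periodic_days, continuing after expiry until the cert is replaced."""
    if not enabled:                               # disabled certs are excluded from the check
        return False
    first = not_after - dt.timedelta(days=threshold_days)
    if now < first:
        return False
    return (now - first).days % periodic_days == 0

def certs_needing_warning(certs, now, threshold_days, periodic_days):
    """certs: list of (name, der_bytes, enabled). Returns names due for a warning on `now`."""
    return [name for name, der, enabled in certs
            if warning_due(now, validity_from_der(der)[1], threshold_days, periodic_days, enabled)]

def demo():
    """Worked run on the constructed certificate with a 60-day threshold and 7-day period."""
    utc = dt.timezone.utc
    expiry = dt.datetime(2030, 1, 1, tzinfo=utc)
    cert = build_test_cert(dt.datetime(2025, 1, 1, tzinfo=utc), expiry)
    inventory = [("sip-tls", cert, True), ("retired", cert, False)]   # constructed inventory
    nb, na = validity_from_der(cert)
    results = {}
    for days_to_expiry in (61, 60, 57, 53, -3, -5):   # negative = already expired
        now = expiry - dt.timedelta(days=days_to_expiry)
        results[days_to_expiry] = certs_needing_warning(inventory, now, 60, 7)
    return nb.isoformat(), na.isoformat(), results

if __name__ == "__main__":
    print(demo())
```

Running demo() shows the warning firing exactly 60 days out, again 7 days later, and still firing on a weekly cadence after the certificate has expired, while the disabled "retired" entry never appears. Note that Python's "%y" maps two-digit years 00-68 to 20xx, whereas RFC 5280 maps 00-49 to 20xx; for the validity dates used here the two agree.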
For configuration details,