Page History

Add_workflow_for_techpubs

AUTH1	UserResourceIdentifier{userKey=8a00a0c85b2726c2015b58aa779d0003, userName='null'}
JIRAIDAUTH	SYM-27731
REV5	UserResourceIdentifier{userKey=8a00a0c85b2726c2015b58aa779d0003, userName='null'}
REV6	UserResourceIdentifier{userKey=8a00a0c85b2726c2015b58aa779d0003, userName='null'}
REV3	UserResourceIdentifier{userKey=8a00a02355cd1c2f0155cd26c9d6032b, userName='null'}
REV4	UserResourceIdentifier{userKey=8a00a02355cd1c2f0155cd26c91d01f9, userName='null'}
REV1	UserResourceIdentifier{userKey=8a00a02355cd1c2f0155cd26c8e901a1, userName='null'}

You can change the certificate installed on the

Spacevars

0	product

system by obtaining the signed certificate from a Trusted CA or from a local Stand-Alone Windows Certificate Authority, and importing it as outlined in the instructions on this page.

Importing a Server Certificate

Warning

title	Warning: Common Encryption Certificate Issues Arise from Missing Root Certificates

Did you only install the CA-signed SBC certificate, along with the intermediate certificate(s) sent by your issuing CA?
Did you get the following error message from the SBC?

Image Added

If so, the likely reason is a missing CA Root Certificate. The SBC does not have any pre-installed CA root X.509 certificates, unlike typical browsers found on your PC. Ensure the entire certificate chain of trust is installed on the SBC, including the root certificate. Acquire the CA root certificate as follows:

Contact your system administrator or certificate vendor to acquire the root, and any further missing intermediate certificate(s) to provision the entire certificate chain of trust within the SBC;
Load the root certificate, along with the intermediate and SBC certificates, according to Importing Trusted Root CA Certificates.

NOTE: Root certificates are easily acquired from the certificate authorities. For example, the root certificate for the GoDaddy Class 2 Certification Authority may be found at https://ssl-ccp.godaddy.com/repository?origin=CALLISTO . For more information about root certificates, intermediate certificates, and the SBC server (“leaf”) certificates, refer to this tutorial.

For other certificate-related errors, refer to Common Troubleshooting Issues with Certificates in SBC Edge.

Note

title	Before you begin

Before importing a new Signed Server Certificate, you must first import a valid Trusted CA Certificate.

Note

If your node has a SHA-2 256 signed server certificate, the SBC will not interoperate with Lync 2010 or earlier OCS/Lync versions. The signature algorithm ( sha256WithRSAEncryption ) is shown in the Certificate panel of the Sonus

Spacevars

0	company

SBC Certificate page in the UI.

Note

SHA2-256 Certificate Compatibility

SHA2-256 CA Certificates may be used for the SBA, SBC, and Lync 2013 Servers. Lync 2010 requires that all devices employ ALL SHA1 Certificates. For more information see the Microsoft SHA1 Deprecation Policy.

...

Anchor

	import
	import

In the WebUI, click the Settings tab.
In the left navigation pane, go to Security > SBC Certificates > Sonus SBC Edge Certificate.
Panel
borderStyle none
Caption
0 Figure
1 Sonus SBC Edge Certificate

Key Usage Field Descriptions

...

To import an X.509 signed certificate:

Select X.509 Signed Certificate from the Import menu at the top of the page.

Select X.509 Signed Certificate from the Import menu at the top of the page.
Panel
borderStyle none
Caption
0 Figure
1 Import X.509 Signed Certificate

...

Image Removed

Image Added
Chose the import mode (Copy and Paste or File Upload) from the Mode pull-down menu.
Panel
borderStyle none
Caption
0 Figure
1 Import Mode
Image Modified
If you chose File Upload:
1. Use the Browse button to find the file
2. Click OK.
If you choose Copy and Paste:
1. Open the file in a text editor.
2. Paste the contents into the Paste Base64 Certificate text field.
Click OK.

To import a PKCS12 Certificate and Key:

Note

Panel

borderStyle	none

Caption

0	Figure
1	Import PKCS12 Certificate and Key

Image Removed

title	Importing PKCS12 Certificate Guidelines

The PKCS12 certificate must not be a chain, but only as the SBC certificate pair.
When importing a PKCS12 certificate, the Trusted CA certificates must be imported as a chain if there are both intermediate CA and root CA certificates.

...

Select PKCS12 Certificate and Key from the Import menu at the top of the page.
Panel
borderStyle none
Caption
0 Figure
1 Import PKCS12 Server Certificate and Key
Image Removed Image Added
Enter the password used to export the certificate in the Password field.
Panel
borderStyle none
Caption
0 Figure
1 Import PKCS12 Server Certificate
Image Added
Browse for the PKCS certificate and key file.
Info
icon false
You must use the same password as was used when exporting the certificate and key.
Click OK

...

In the Issuer panel, ensure the Common Name field has changed from Self-Signed to the issuer's Common Name.

In the Certificate panel,

Ensure that the Enhanced Key Usage field indicates TLS Web Server Authentication.

Ensure that the Verify Status field indicates OK.
If the Verify Status field does not indicate OK, repeat the steps aboveto obtain a valid certificate.

Info

icon	false

According to RFC3280, the Netscape CertType field is obsolete and has been replaced by the X509v3 Key Usage field.
Most modern browsers require the Enhanced Key Usage field for certificate acceptance based on use purpose.

Panel

borderStyle	none

Caption

0	Figure
1	Verify Signed Server Certificate

Info

icon	false

Server (Sonus
Spacevars
0 company
SBC 1000/2000) certificates with a 4096 RSA Key are not supported due to the amount of time required to generate a key and process calls.
Trusted Root CA certificates with a 4096 RSA Key are supported, but have not been thoroughly tested.

Space shortcuts

Page tree

Versions Compared

Old Version 5

New Version Current

Key

Importing a Server Certificate

Key Usage Field Descriptions