Page History

Previously, the RSA key pairs and Certificate Signing Request (CSR) for SBC was generated on an external workstation. The CSR was submitted to a Certificate Authority, and the resulting certificate was received back from the CA, copied onto the workstation, and combined with the private key in a PKCS#12 file. That PKCS#12 file could then be used to install the key pair and certificate onto the SBC.

Managing Certificates

To Create a Certificate

Perform the following steps to create a new Certificate.

1. Click New Certificate tab on the Certificate List panel.
   
   
   The Create New Certificate window displays.
   
   
   
   

2. Complete the fields using the table below for guidance.

   Parameter	Description
   Name	Specifies the name of the certificate.
   State	Enable this flag to enable the use of the certificate once it has been installed. The options are: Disabled (default) Enabled
   File Name	<filename> – Enter the filename and set state to "enabled" to install the certificate. File Name format: Local-Internal: PKCS12PEM Local: PEM PKCS#12 Remote: DER
   Pass Phrase	Specifies the Pass-phrase to decrypt RSA private key in PKCS12 PKCS#12 file.
   Type	Use this object to specify the type of certificate: Local-internal – Certificate belongs to (has as its subject) the local system itself; the key pair and CSR were generated on this machine. Local – Certificate belongs to (has as its subject) the local system itself; the key pair and CSR were generated elsewhere Remote – Certificate belongs to (has as its subject) a remote entity such as a CA or a peer device.

   
   

3. Click Save to save your changes.

To View a Certificate

On the SBC main screen, go to Configuration > Security Configuration >PKI > Certificate.

The Certificate window displays.

To Edit a Certificate

Perform the following steps to edit a Certificate in the list.

1. Click the radio button next to the specific Certificate name.
   
   
   The Edit Selected Certificate window displays.
   
   
   
2. Make the necessary changes, and click Save to save your changes.

To Copy a Certificate

Perform the following steps to copy a created Certificate, and to make any minor changes.

1. Click the radio button next to the specific Certificate to highlight the row.
   
   
   
2. Click Copy Certificate tab on the Certificate List panel.
   
   
   The Copy Selected Certificate window displays, along with the editable field details.
   
   
   
3. Make the necessary changes to the required fields, and click Save to save the changes.
   The copied Certificate is displays at the bottom of the original Certificate in the Certificate List panel.

To Delete a Certificate

Perform the following steps to delete a Certificate.

1. Click the radio button next to the specific Certificate which you want to delete.
   
   
   
2. Click Delete at the end of the highlighted row.
   
   A delete confirmation message appears seeking your decision.
   
   
   
3. Click Yes to remove the specific Certificate from the list.

Certificate Commands

Click the radio button next to the specific Certificate to highlight the row.

The Certificate Command window displays at the bottom of the screen.

Caption
0 Figure 1 Security Configuration - PKI - Certificate Commands

Command options:

• Use the Generate CSR keyword to generate the CSR and display it on the screen.
• Use the Import Cert keyword to import signed certificate.
• To view the complete content of the certificate, use the Retrieve Cert Content command.

Generate CSR Command

When you select the certificate command Generate CSR, and click Select, the following dialog displays:

Caption
0 Figure 1 Security Configuration - PKI - Certificate Commands - GenerateCSR

SAN Support

The Subjective Alternative Name (SAN) is an X509 version 3 extension that allows an SSL certificate to specify multiple names that the certificate should match. This allows you to secure a large number of domains with only one certificate. Even when SAN contains eMail addresses, IP Addresses, Regular DNS Host Name, and so on, SBC now supports only DNS Host Name.

The Lync 2013 video call requires a unique FQDN to identify SBC. This FQDN is not the same as the one used by the Mediation server for regular Audio Only calls. Since SBC now requires 2 FQDN to place bothe Audio and Video calls on Lync using static route from Lync FE, SBC local certificate must contain both the FQDNs for CN and SAN. This is required for a successful TLS connection set up between Lync and SBC.

To continue, select "Key Size", enter "Csr Sub" name and click generateCSR. The Certificate Signing Request (CSR) is generated similar to the example below:

Caption
0 Figure 1 Security Configuration - PKI - Certificate Commands - GenerateCSR Certificate Signing Request

Click OK to exit.

Import Cert Command

When you select the certificate command Import Cert, and click Select the following dialog displays:

Caption
0 Figure 1 Security Configuration - PKI - Certificate Commands - ImportCert

To continue, enter "Cert Content" description and click importCert.

Once the certificate is successfully imported, return to the Certificate screen and change State to "enabled" to enable the certificate.

The following are the Certificate parameters:

Retrieve Cert Content

The Retrieve Cert Content command extracts the complete certificate information including the serial number and the validity period.

From the Certificate Commands window, select Retrieve Cert Content command.

The following window appears:

Caption
0 Figure 1 Retrieve Cert Content Command window

Click retrieveCertContent to proceed and to view the complete information of the certificate. The Message window appears providing all the information of the certificate.

Caption
0 Figure 1 Retrieve Cert Content Message

Click OK to exit.