The Public Key Infrastructure (PKI) provides a common set of infrastructure features supporting public key and certificate-based authentication based on the RSA public/private key pairs and X.509 digital certificates.

Certificate Types

Local-Internal Certificates

In previous SBC versions, the RSA key pairs and Certificate Signing Request (CSR) for SBC platforms were generated on an external workstation. The CSR was then submitted to a Certificate Authority, and the resulting certificate was received back from the CA, copied onto the workstation, and combined with the private key in a PKCS#12 file, which was used to install the key pair and certificate onto the SBC.

The SBC application can now generate and install RSA key pairs and generate a Certificate Signing Request (CSR) on the SBC system itself. The certificate request is sent to a CA, and the issued certificate is then installed on the SBC. The local-internal certificate option simplifies the certificate and key management process and also provides more security since the private key never leaves the SBC. For steps to configure local-internal certificates, see Generating PKI Certificates.

Certificate file format: PEM

Local Certificates

Local certificates are credentials belonging to the local system, which it presents to peers to prove its identity. You must upload local certificate files in PKCS#12 format to the system before installing the certificates. For Cloud SBC platforms, you must upload the local certificate files to active and standby nodes.

Certificate file format: PKCS#12 containing both the local SBC certificate and corresponding private key, or the local certificate and corresponding private key in PEM or DER format.

Remote Certificates

Remote certificates are credentials belonging to Certificate Authorities (CA). Copies of these certificates are installed in the SBC because they are either part of a chain of certificates the local system will present to peers, or because the corresponding CAs are trust anchors for the local system. You should also install certificates belonging to non-CA remote systems as trust anchors in this manner. You must upload remote certificate files in DER format to the system before installing the remote certificates. For Cloud SBC platforms, you must upload the remote certificate files to active and standby nodes.

The Certificate Authority (CA) certificates and trusted remote certificates contain public key certificates; they do not contain the private keys. The CA certificates and remote certificates are Distinguished Encoding Rules (DER) format files, a method for encoding a data object (such as an X.509 certificate) that uses a digital signature to bind together a public key with an identity.

Certificate file format: DER



Note: The DER content of the certificate being installed must be under 6400 Bytes.


Command Syntax

Set Command Syntax

% set system security pki certificate <certificate name>
	fileName <1-255 characters>
	passPhrase <pass phrase>
	state <disabled | enabled>
	type <local | local-internal | remote>
	keyFileName <1-255 characters>

% show system security pki
 
% delete system security pki

Request Command Syntax

Refer to the Request System - CLI page.

Command Parameters

Note: The subjectAlternativeDnsNames field limit is 4096 characters.


Set system security parameters

| Parameter | Length/Range | Description |
|---|---|---|
| certificate | Up to 23 characters | <certificate name> – The name of the certificate object on the SBC. |
| fileName | Up to 255 characters | <filename> – Enter the name of the file that contains the certificate. Supported file formats: Local-Internal: PEM; Local: PKCS#12, PEM, DER; Remote: DER, PEM. |
| keyFileName | Up to 255 characters | The name of the file containing the private key in DER/PEM format. Supports up to 255 characters. Leave this parameter empty if importing a PKCS#12 file. |
| passPhrase | Up to 23 characters | Specifies either the pass-phrase to decrypt the RSA private key in the PKCS#12 file or the pass-phrase to decrypt the encrypted private key in the "Key File Name," depending upon the file (PKCS#12, PEM) you import. |
| state | N/A | Administration state of this certificate. Enable this flag to use the certificate once it has been installed. Options are: disabled (default) – Prohibits the PKI certificate from being used by the SBC for authenticating remote peers (when this is a remote certificate) or presenting its own identity (in case of a local or local-internal certificate); enabled – Certificate is usable by the SBC for authentication purposes. You must first install the certificate on the SBC before enabling it. |
| type | N/A | Specifies the certificate type – CA (remote) certificate or local certificate. Options are: local – Certificate belongs to (has as its subject) the local system itself; the key pair and CSR were generated elsewhere. local-internal – Certificate belongs to (has as its subject) the local system itself; the key pair and CSR were generated on this machine. remote – Certificate belongs to (has as its subject) a remote entity such as a CA or peer device. |

Request Parameters

Refer to the Request System - CLI page.

Command Examples

Configuration example for local and remote certificate types:

set system security pki certificate SBC_LOCAL fileName sbc_server.p12 passPhrase CertPassSecret type local state enabled
set system security pki certificate COMPANY_CA fileName company_ca.der type remote state enabled
commit

set system security pki certificate COMPANY_CA fileName company_ca.pem type remote state enabled
commit

show system security pki certificate SBC_LOCAL
state      enabled;
fileName   sbc_server.p12;
passPhrase $7$pedr0+bl4Mq95P0ITV/idUlmqRL4xUWR;
type       local;

show system security pki certificate COMPANY_CA
state    enabled;
fileName company_ca.der;
type     remote;


Configuration example for local-internal certificate type:

set system security pki certificate test3 type local-internal
commit

request system security pki certificate test3 generateCSR csrSub /C=US/ST=MA/L=Westford/O=Ribbon/CN=swe03.ribbon.com keySize keySize2K


After receiving the signed certificate from the CA, you can configure the local-internal certificate from a PEM file, or copy and paste the PEM file content (importCert certContent).

set system security pki certificate test3 fileName test3.pem state enabled
commit
 
request system security pki certificate test3 importCert certContent

Value for 'certContent' (<string, min: 0 chars, max: 4096 chars>):

[Multiline mode, exit with ctrl-D.]

> -----BEGIN CERTIFICATE-----

MIIDrzCCAxGgAwIBAgIJAOW6z3FjlVbjMAoGCCqGSM49BAMDMEsxCzAJBgNVBAYT

...

Import certificate success.

set system security pki certificate test3 state enabled
commit


Configuration example - Importing PEM/DER certificates and keys:

set system security pki certificate newcert type local fileName mycert.pem keyFileName mycert.key passPhrase sonus
Commit complete.


Configuration example - The PEM/DER keys are supported:

set system security pki certificate newcert4 type local fileName mycert.pem keyFileName mycert.key.der
Commit complete.


Configuration example - The PKCS12 certificates are not supported in FIPS mode:

set system security pki certificate myp12 state enabled type local fileName mycert.p12 passPhrase sonus
Aborted: 'system security pki certificate': PKCS12 certs are not supported in FIPS mode; please provide both cert and key as PEM/DER.


Configuration example - Importing encrypted keys without passphrase fails:

set system security pki certificate newcert3 type local fileName mycert.pem keyFileName mycert.key.enc
Aborted: 'system security pki certificate': Failed to read private key, please verify key/passphrase
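
The limits and failure cases documented on this page (per-type file formats, the 6400-byte DER limit, field lengths, PKCS#12 in FIPS mode, encrypted keys without a passphrase) can be checked on the workstation before a file is uploaded. The following is an added example and not part of the product documentation: the function names are hypothetical, the caller states the file format, and the sample certificate bytes are constructed filler rather than a real certificate.

```python
import base64
import re

# Limits and per-type file formats as stated on this page.
MAX_DER_BYTES = 6400  # DER content must be under this many bytes
LIMITS = {"certificate name": 23, "fileName": 255, "passPhrase": 23}
FORMATS = {"local-internal": {"PEM"}, "local": {"PKCS#12", "PEM", "DER"},
           "remote": {"DER", "PEM"}}
PEM_RE = re.compile(rb"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)

def der_size(cert: bytes) -> int:
    """Length of the DER encoding for a PEM or raw DER certificate file."""
    m = PEM_RE.search(cert)
    return len(base64.b64decode(b"".join(m.group(1).split()))) if m else len(cert)

def key_is_encrypted(key: bytes) -> bool:
    """Detects encrypted PEM keys only (PKCS#8 or legacy OpenSSL header)."""
    return b"BEGIN ENCRYPTED PRIVATE KEY" in key or b"Proc-Type: 4,ENCRYPTED" in key

def preflight(name, ctype, fmt, file_name, cert=b"", key=None, pass_phrase="", fips=False):
    """Hypothetical helper: list rule violations; empty means ready to upload."""
    bad = []
    fields = {"certificate name": name, "fileName": file_name, "passPhrase": pass_phrase}
    for label, value in fields.items():
        if len(value) > LIMITS[label]:
            bad.append(f"{label} exceeds {LIMITS[label]} characters")
    if fmt not in FORMATS.get(ctype, ()):
        bad.append(f"{fmt} is not a supported format for type {ctype}")
    if fmt == "PKCS#12":
        if fips:
            bad.append("PKCS#12 is not supported in FIPS mode")
        if key is not None:
            bad.append("keyFileName must be empty for PKCS#12")
    else:
        if der_size(cert) >= MAX_DER_BYTES:
            bad.append("DER content is not under 6400 bytes")
        if ctype == "local" and key is None:  # local PEM/DER needs cert and key
            bad.append("local PEM/DER certificate needs keyFileName")
    if key is not None and key_is_encrypted(key) and not pass_phrase:
        bad.append("encrypted private key needs passPhrase")
    return bad

def sample_pem(n: int) -> bytes:
    """Constructed input: PEM armor around n filler bytes, not a real certificate."""
    body = base64.encodebytes(bytes(n))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(preflight("myp12", "local", "PKCS#12", "mycert.p12", pass_phrase="sonus", fips=True))
```

Encrypted keys in DER form are not detected by `key_is_encrypted`; for those the SBC's own "Failed to read private key" error remains the check.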