In this section:
Previously, the RSA key pairs and Certificate Signing Request (CSR) for SBC was generated on an external workstation. The CSR was submitted to a Certificate Authority, and the resulting certificate was received back from the CA, copied onto the workstation, and combined with the private key in a PKCS#12 file. That PKCS#12 file could then be used to install the key pair and certificate onto the SBC.
The
SBC supports three types of certificates:
local
local-remote
remote
The SBC supports a maximum of 4,096 TLS certificates/CAs (both local and remote). The SBC allows importing of a single certificate in a single file only. If a CA provides a .p12 or a .pfx certificate bundle with multiple CA certificates in it, extract the certificates from the bundle, store them in separate files, and import them separately.
On SBC main screen, go to Configuration > Security Configuration > PKI > Certificate. The Certificate window is displayed.
To edit any of the Certificate in the list, click the radio button next to the specific Certificate name.
The Edit Selected Certificate window is displayed below.
Make the required changes and click Save at the right hand bottom of the panel to save the changes made.
To create a new Certificate, click New Certificate tab on the Certificate List panel.
The Create New Certificate window is displayed.
The following fields are displayed:
To copy any of the created Certificate and to make any minor changes, click the radio button next to the specific Certificate to highlight the row.
Click Copy Certificate tab on the Certificate List panel.
The Copy Selected Certificate window is displayed along with the field details which can be edited.
Make the required changes to the required fields and click Save to save the changes. The copied Certificate is displayed at the bottom of the original Certificate in the Certificate List panel.
To delete any of the created Certificate, click the radio button next to the specific Certificate which you want to delete.
Click Delete at the end of the highlighted row. A delete confirmation message appears seeking your decision.
Click OK to remove the specific Certificate from the list.
Click the radio button next to the specific Certificate to highlight the row.
The Certificate Command window is displayed at the bottom of the screen.
The Generate CSR
keyword is added to generate the CSR and display it on the screen. The Import Cert
keyword is added to import signed certificate. To view the complete content of the certificate, use Retrieve Cert Content
command.
When you select the certificate command Generate CSR, and click Select, the following dialog displays:
SBC supports SAN Support from 4.0.2 release.
The Subjective Alternative Name (SAN) is an X509 version 3 extension that allows an SSL certificate to specify multiple names that the certificate should match. This allows you to secure a large number of domains with only one certificate. Even when SAN contains eMail addresses, IP Addresses, Regular DNS Host Name, and so on, SBC now supports only DNS Host Name.
The Lync 2013 video call requires a unique FQDN to identify SBC. This FQDN is not the same as the one used by the Mediation server for regular Audio Only calls. Since SBC now requires 2 FQDN to place bothe Audio and Video calls on Lync using static route from Lync FE, SBC local certificate must contain both the FQDNs for CN and SAN. This is required for a successful TLS connection set up between Lync and SBC.
To continue, select "Key Size", enter "Csr Sub" name and click generateCSR. The Certificate Signing Request (CSR) is generated similar to the example below:
Click Ok to exit.
When you select the certificate command Import Cert, and click Select the following dialog displays:
You can cut-and-paste the returned certificate content from Certificate Authority (CA) in the certContent
field on the pop-up window and click importCert to complete the task.
To continue, enter "Cert Content" description and click importCert.
Once the certificate is successfully imported, return to the Certificate screen and change State to "enabled" to enable the certificate.
The following are the Certificate parameters:
The Retrieve Cert Content command extracts the complete certificate information including the serial number and the validity period. On the Certificate Commands window, select Retrieve Cert Content
command.
Private Key cannot be viewed in the retrieved certificate content.
The following window appears:
Click retrieveCertContent to proceed and to view the complete information of the certificate. The Message window appears providing all the information of the certificate.
This certificate content is an ASCII representation of X.509 format.
Click OK to exit.