In this section:
Previously, the RSA key pairs and Certificate Signing Request (CSR) for SBC was generated on an external workstation. The CSR was submitted to a Certificate Authority, and the resulting certificate was received back from the CA, copied onto the workstation, and combined with the private key in a PKCS#12 file. That PKCS#12 file could then be used to install the key pair and certificate onto the SBC.
The SBC Core is enhanced to generate and install the RSA key pairs and generate Certificate Signing Request (CSR) on theSBC 5000 series system. The certificate request is sent to a CA and the issued certificate is then installed on the SBC application. The certificates and keys managing process is simplified and also provides more security since the private key never leaves the SBC application.
SBC supports three types of certificates:
local
local-remote
remote
The SBC supports a maximum of 4,096 TLS certificates/CAs (both local and remote).
On SBC main screen, go to Configuration > Security Configuration > PKI > Certificate. The Certificate window is displayed.
To edit any of the Certificate in the list, click the radio button next to the specific Certificate name.
The Edit Selected Certificate window is displayed below.
Make the required changes and click Save at the right hand bottom of the panel to save the changes made.
To create a new Certificate, click New Certificate tab on the Certificate List panel.
The Create New Certificate window is displayed.
The following fields are displayed:
Parameter | Description |
---|---|
| Specifies the name of the certificate. |
| Enable this flag to enable the use of the certificate once it has been installed. The options are:
|
|
|
Pass Phrase | Specifies the Pass-phrase to decrypt RSA private key in PKCS12 file. |
Type | Use this object to specify the type of certificate:
|
To copy any of the created Certificate and to make any minor changes, click the radio button next to the specific Certificate to highlight the row.
Click Copy Certificate tab on the Certificate List panel.
The Copy Selected Certificate window is displayed along with the field details which can be edited.
Make the required changes to the required fields and click Save to save the changes. The copied Certificate is displayed at the bottom of the original Certificate in the Certificate List panel.
To delete any of the created Certificate, click the radio button next to the specific Certificate which you want to delete.
Click Delete at the end of the highlighted row. A delete confirmation message appears seeking your decision.
Click Yes to remove the specific Certificate from the list.
Click the radio button next to the specific Certificate to highlight the row.
The Certificate Command window is displayed at the bottom of the screen.
The Generate CSR
keyword is added to generate the CSR and display it on the screen. The Import Cert
keyword is added to import signed certificate. To view the complete content of the certificate, use Retrieve Cert Content
command.
When you select the certificate command Generate CSR, and click Select, the following dialog displays:
SBC supports SAN Support from 4.0.2 release.
The Subjective Alternative Name (SAN) is an X509 version 3 extension that allows an SSL certificate to specify multiple names that the certificate should match. This allows you to secure a large number of domains with only one certificate. Even when SAN contains eMail addresses, IP Addresses, Regular DNS Host Name, and so on, SBC now supports only DNS Host Name.
The Lync 2013 video call requires a unique FQDN to identify SBC. This FQDN is not the same as the one used by the Mediation server for regular Audio Only calls. Since SBC now requires 2 FQDN to place bothe Audio and Video calls on Lync using static route from Lync FE, SBC local certificate must contain both the FQDNs for CN and SAN. This is required for a successful TLS connection set up between Lync and SBC.
To continue, select "Key Size", enter "Csr Sub" name and click generateCSR. The Certificate Signing Request (CSR) is generated similar to the example below:
Click Ok to exit.
When you select the certificate command Import Cert, and click Select the following dialog displays:
You can cut-and-paste the returned certificate content from Certificate Authority (CA) in the certContent
field on the pop-up window and click importCert to complete the task.
To continue, enter "Cert Content" description and click importCert.
Once the certificate is successfully imported, return to the Certificate screen and change State to "enabled" to enable the certificate.
The following are the Certificate parameters:
Parameter | Description |
---|---|
|
At least one of the following keys must be specified in the csr subject name.
Where:
Example:
|
| The size in bits of the key pair to generate the private key.
|
Subject Alternative Dns Name | Specifies the names of the alternative DNS subjects. Multiple alternative names can be specified using "," (comma) as a separator. For example: "nj.example.com, in.example.com, uk.example.com, ca.example.com, tx.example.com" This field is available from 4.0.2 release. |
The Retrieve Cert Content command extracts the complete certificate information including the serial number and the validity period. On the Certificate Commands window, select Retrieve Cert Content
command.
Private Key cannot be viewed in the retrieved certificate content.
The following window appears:
Click retrieveCertContent to proceed and to view the complete information of the certificate. The Message window appears providing all the information of the certificate.
This certificate content is an ASCII representation of X.509 format.
Click OK to exit.