In this section:
This topic explains how to generate and install RSA key pairs and generate Certificate Signing Request (CSR) on the SBC Core systems. The certificate request is then sent to a CA, and the issued certificate is then installed on the SBC. This feature simplifies the certificates and keys managing process, and also provides more security than previous methods since the private key never leaves the SBC system. For feature description, see Certificate Management.
The SBC supports a maximum of 4,096 TLS certificates/CAs (both local and remote).
The SBC allows importing of a single certificate in a single file only. If a CA provides a .p12 or a .pfx certificate bundle with multiple CA certificates in it, extract the certificates from the bundle, store them in separate files, and import them separately.
Generate RSA Key Pairs and CSRs Using EMA
- Login to EMA GUI.
Create a configuration object to hold a locally generated RSA key pair.
On the main screen, go to one of the following locations:
All > System > Security > PKI > Certificate
Configuration > Security Configuration > PKI > Certificate
The Certificate screen is displayed.
Click New Certificate.
The following fields are displayed:
Parameter
Description
Name
Specifies the name of the certificate.
State
Leave as Disabled (default value). File Name
NAPass Phrase
NA Type
From the drop-down list select local-internal. Click Save to save the changes. The new Certificate is displayed at the bottom of the original Certificate in the Certificate List panel.
Generate Key pair and CSR (certificate signing request) for submission to a Certificate Authority (CA):
Select newly-created certificate from the list. The Certificate screen refreshes with the newly-created certificate object, and now displays the Edit Selected Certificate and Certification Commands options in the lower pane.
Select Generate CSR option from the Certificate Commands drop-down menu, and click Select. The SBC Generate CSR Command dialog is displayed.
The following are the Certificate parameters:
Parameter
Description
key Size
The size in bits of the key pair to generate the private key.
keySize1k
– 1024 bitskeySize2k
– 2048 bitskeySize4k
(default) – 4096 bitskeySizeEcDsaSecp521r1 -
Generates public and private keys for the Elliptic Curve DSA (Digital Signature Algorithm) certificate. The parameter keySizeEcDsaSecp521r1 maps to elliptic curve parameter named secp521r1 - NIST/SECG curve over a 521-bit prime field.
Csr Subscription
<csr subject name>
The name of the CSR subject using the following format./C=<xx>/ST=<xx>/L=<string>/O=<string>/CN=<string>
Where:
- C = 2-digit country abbreviation
- ST = 2-digit state or province abbreviation
- L = Locality name
- O = Organization name
- CN = Common Name
Example:
/C=US/ST=MA/L=Westford/O=Ribbon Inc./CN=www.mydomain.com
Subject Alternative Dns Name
Specifies the names of the alternative DNS subjects. Multiple alternative names can be specified using "," (comma) as a separator.
(Max: 4096 characters)
For example:
"nj.mydomain.com, in.mydomain.com, uk.mydomain.com, ca.mydomain.com, tx.mydomain.com"
Make the required changes to the required fields and click generateCSR. The CSR displays in an alert message similar to below:
- Copy-paste CSR content. Two methods are described below:
- Firefox: Click-and-drag your mouse pointer to highlight the text, then do a Ctrl+C, Ctrl+V to copy and paste contents elsewhere.
Internet Explorer: Click the alert message, and then perform a Ctrl-A to select it, a Ctrl-C to copy contents, and a Ctrl-V to paste contents elsewhere.
- Firefox: Click-and-drag your mouse pointer to highlight the text, then do a Ctrl+C, Ctrl+V to copy and paste contents elsewhere.
Contact CA to request a certificate using the generated CSR results.
See CSR Subject Field Syntax for descriptions of the fields.
Generate RSA Key Pairs and CSRs Using CLI
- Login to the SBC CLI, and switch to Configure mode.
Create a configuration object to hold a locally generated RSA key pair:
% set system security pki certificate <certName> type local-internal
Generate Key pair and CSR for submission to a Certificate Authority (CA):
% request system security pki certificate <certName created from step 2> generateCSR csrSub <csrSub> keySize <keySize>
- Contact CA to request certificate using the generated CSR.
Once CA issues the certificate, place the certificate in SBC at
/opt/sonus/external/<PEM_filename>
and install the certificate using the command:% set system security pki certificate <certName> filename <PEM_filename> state enabled
Import Certificate Using EMA
Use one of the following methods to import certificate:
Use importCert Command:
On the main screen, go to one of the following locations:
All > System > Security > PKI > Certificate
Configuration > Security Configuration > PKI > Certificate
Click the radio button next to the specific Certificate which you want to import.
Select importCert from Certificate Commands drop-down menu, and click Select. The SBC importCert Command pop-up dialog is displayed.
- Copy and paste the returned certificate content from the CA to the Cert Content field.
Click importCert to import the certificate content to the SBC.
Copy certificate to /opt/sonus/external:
- Once CA issues the certificate, place the certificate in the SBC directory:
/opt/sonus/external/<PEM_filename>
On the main screen, go to one of the following locations:
All > System > Security > PKI > Certificate
Configuration > Security Configuration > PKI > Certificate
Click the radio button next to the specific Certificate which you want to copy.
- From the Edit Selected Certificate screen, click File Name field and enter the PEM filename.
Set State to Enabled and click Save.
For command details, see following pages:
- EMA: PKI - Certificate
- CLI: PKI Security - CLI