 To change the subject name and regenerate the self-signed certificate:
1. Before you begin, ensure the following:
• You have a unique DNS name for the device (e.g.,
dns_name.corp.customer.com). This name is used to access the device and
should therefore, be listed in the server certificate.
• No traffic is running on the device. The certificate generation process is disruptive
to traffic and should be executed during maintenance time.
2. Open the Certificates page (see 'Replacing the Device's Certificate' on page 101).
3. In the 'Subject Name [CN]' field, enter the fully-qualified DNS name (FQDN) as the
certificate subject, select the desired private key size (in bits), and then click Generate
self-signed; after a few seconds, a message appears displaying the new subject
name.
4. Save the configuration with a device reset (see 'Saving Configuration' on page 624)
for the new certificate to take effect.
11.5 Configuring Certificate Revocation Checking (OCSP)
Some Public-Key Infrastructures (PKI) can revoke a certificate after it has been issued.
You can configure the device to check whether a peer's certificate has been revoked, using
the Online Certificate Status Protocol (OCSP). When OCSP is enabled, the device queries
the OCSP server for revocation information whenever a peer certificate is received (IPSec,
TLS client mode, or TLS server mode with mutual authentication).
 To configure OCSP:
1. Open the General Security Settings page (Configuration tab > VoIP menu >
Security > General Security Settings).
Figure 11-4: OCSP Parameters
2. Configure the OCSP parameters as required. For a description of these parameters,
see OCSP Parameters on page 787.
3. Click Submit.
Notes:
• The device does not query OCSP for its own certificate.
• Some PKIs do not support OCSP but generate Certificate Revocation
Lists (CRLs). For such cases, set up an OCSP server such as OCSPD.
11.6 TLS Server Certificate Expiry Check
The device can periodically check the validation date of the installed TLS server certificate.
This periodic check interval is user-defined. In addition, within a user-defined number of
days before the installed TLS server certificate expires, the device can be configured to
To Next Page
Loading...
Need help?
General
