Version 5.2 203 September 2007
SIP User's Manual 5. Web-based Management
3. In the 'Subject Name' field, enter the DNS name, and then click Generate CSR. A
textual certificate signing request that contains the SSL device identifier is displayed.
4. Copy this text and send it to your security provider; the security provider (also known
as Certification Authority or CA) signs this request and sends you a server certificate for
the device.
5. Save the certificate in a file (e.g., cert.txt). Ensure the file is a plain-text file with the
‘BEGIN CERTIFICATE’ header. Below is an example of a Base64-Encoded X.509
Certificate.
-----BEGIN CERTIFICATE-----
MIIDkzCCAnugAwIBAgIEAgAAADANBgkqhkiG9w0BAQQFADA/MQswCQYDVQQGEwJGUj
ETMBEGA1UEChMKQ2VydGlwb3N0ZTEbMBkGA1UEAxMSQ2VydGlwb3N0ZSBTZXJ2ZXVy
MB4XDTk4MDYyNDA4MDAwMFoXDTE4MDYyNDA4MDAwMFowPzELMAkGA1UEBhMCRlIxEz
ARBgNVBAoTCkNlcnRpcG9zdGUxGzAZBgNVBAMTEkNlcnRpcG9zdGUgU2VydmV1cjCC
ASEwDQYJKoZIhvcNAQEBBQADggEOADCCAQkCggEAPqd4MziR4spWldGRx8bQrhZkon
WnNm`+Yhb7+4Q67ecf1janH7GcN/SXsfx7jJpreWULf7v7Cvpr4R7qIJcmdHIntmf7
JPM5n6cDBv17uSW63er7NkVnMFHwK1QaGFLMybFkzaeGrvFm4k3lRefiXDmuOe+FhJ
gHYezYHf44LvPRPwhSrzi9+Aq3o8pWDguJuZDIUP1F1jMa+LPwvREXfFcUW+w==
-----END CERTIFICATE-----
6. Before continuing, set the parameter HTTPSOnly to 0 to ensure you have a method of
accessing the device in case the new certificate doesn’t work. Restore the previous
setting after testing the configuration.
7. In the 'Certificates Files' pane, click the Browse button corresponding to 'Send Server
Certificate...', navigate to the cert.txt file, and then click Send File.
8. When the operation is completed, save the configuration (refer to 'Saving
Configuration' on page 256) and restart the gateway; the Embedded Web Server uses
the provided certificate.
Notes:
• The certificate replacement process can be repeated when necessary
(e.g., the new certificate expires).
• It is possible to use the IP address of the gateway (e.g., 10.3.3.1) instead
of a qualified DNS name in the Subject Name. This is not recommended
since the IP address is subject to change and may not uniquely identify
the device.
• The server certificate can also be loaded via ini file using the parameter
HTTPSCertFileName.
5.9.4.2 Client Certificates
By default, Web servers using SSL provide one-way authentication. The client is certain
that the information provided by the Web server is authentic. When an organizational PKI is
used, two-way authentication may be desired: both client and server should be
authenticated using X.509 certificates. This is achieved by installing a client certificate on
the managing PC, and loading the same certificate (in base64-encoded X.509 format) to
the gateway Trusted Root Certificate Store. The Trusted Root Certificate file should contain
both the certificate of the authorized user and the certificate of the CA.
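
A pre-upload check for the files described in step 5 (cert.txt) and in 'Client Certificates' above, as an added example that is not part of the manual or the vendor's software. It confirms that a file is plain ASCII with exactly one 'BEGIN CERTIFICATE' block (not the CSR or a private key) and builds a Trusted Root file from the user's and the CA's certificates. The function names, the sample data and the simple concatenation of the two PEM blocks are assumptions.

```python
import base64
import re

# PEM armor: BEGIN line, Base64 body, END line with the same label.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def der_sequence_ok(der):
    """True if der is exactly one DER SEQUENCE (tag 0x30, declared length fits)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return len(der) == 2 + der[1]
    k = der[1] & 0x7F                       # long form: k length bytes follow
    return k > 0 and len(der) == 2 + k + int.from_bytes(der[2:2 + k], "big")


def single_certificate(data):
    """Validate a file meant to hold one certificate (cert.txt); return its DER."""
    text = data.decode("ascii")             # plain text only; UTF-16 or binary DER fails here
    blocks = PEM_RE.findall(text)
    labels = [label for label, _ in blocks]
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("file contains a private key; never upload or send it")
    if labels != ["CERTIFICATE"]:
        raise ValueError(f"expected one CERTIFICATE block, found {labels}")
    der = base64.b64decode("".join(blocks[0][1].split()), validate=True)
    if not der_sequence_ok(der):
        raise ValueError("Base64 body is truncated or is not DER")
    return der


def trusted_root_file(user_cert, ca_cert):
    """Join the user's and the CA's certificates into one Trusted Root file."""
    for data in (user_cert, ca_cert):
        single_certificate(data)            # each input must pass the same checks
    return user_cert.strip() + b"\n" + ca_cert.strip() + b"\n"


# Constructed sample data: a 5-byte DER stub, not a real certificate.
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_CSR = SAMPLE_CERT.replace(b"CERTIFICATE", b"CERTIFICATE REQUEST")

if __name__ == "__main__":
    print(len(single_certificate(SAMPLE_CERT)), "DER bytes")
    print(trusted_root_file(SAMPLE_CERT, SAMPLE_CERT).count(b"BEGIN CERTIFICATE"), "certs")
```

The check covers only the PEM armor and the outer DER length; it does not verify the CA's signature, the validity dates or the Subject Name.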