SIP User's Manual 204 Document #: LTRT-68806
Mediant 2000 & TP-1610 & TP-260/UNI
Since X.509 certificates have an expiration date and time, the gateway must be configured
to use NTP (refer to 'Simple Network Time Protocol Support' on page 372) to obtain the
current date and time. Without a correct date and time, client certificates cannot work.
¾ To enable two-way client certificates, take these 6 steps:
1. Before continuing, set HTTPSOnly to 0 to ensure you have a method of accessing the
device in case the client certificate doesn’t work. Restore the previous setting after
testing the configuration.
2. Open the ‘Certificates Signing Request' screen (Advanced Configuration menu >
Security Settings submenu > Certificates option); the ‘Certificates Signing Request'
screen is displayed (refer to 'Server Certificate Replacement' on page 202).
3. To load the Trusted Root Certificate file, locate the trusted root certificate loading
section.
4. Click Browse, navigate to the file, and then click Send File.
5. When the operation is completed, set the ini file parameter,
HTTPSRequireClientCertificates to 1.
6. Save the configuration (refer to 'Saving Configuration' on page 256), and then restart
the gateway.
When a user connects to the secure Web server:
îš„ If the user has a client certificate from a CA listed in the Trusted Root Certificate file,
the connection is accepted and the user is prompted for the system password.
îš„ If both the CA certificate and the client certificate appear in the Trusted Root
Certificate file, the user is not prompted for a password (thus providing a single-sign-
on experience - the authentication is performed using the X.509 digital signature).
 If the user doesn’t have a client certificate from a listed CA, or doesn’t have a client
certificate at all, the connection is rejected.
Notes:
• The process of installing a client certificate on your PC is beyond the
scope of this document. For more information, refer to your Web browser
or operating system documentation, and/or consult your security
administrator.
• The root certificate can also be loaded via ini file using the parameter
HTTPSRootFileName.
5.9.4.3 Self-Signed Certificates
The gateway is shipped with a operational, self-signed server certificate. The subject name
for this default certificate is 'ACL_nnnnnnn', where nnnnnnn denotes the serial number of
the gateway. However, this subject name may not be appropriate for production and can
be changed while still using self-signed certificates.
To Next Page
Loading...
Need help?
General