Version 7.0  123  Mediant 3000 
 
User's Manual   11. Configuring SSL/TLS Certificates 
11  Configuring SSL/TLS Certificates 
The TLS Contexts page lets you configure X.509 certificates, which are used for secure 
management of the device, secure SIP transactions, and other security applications. 
 
 
Notes:  
•  The device is shipped with an active default TLS setup whose server certificate is 
self-signed (see ''Configuring TLS Certificate Contexts'' below). Configure 
certificates only if required, for example when peers must validate the device's 
certificate against a CA that they trust. 
•  Since X.509 certificates have a validity period (not-before and not-after date and 
time), you must configure the device to use Network Time Protocol (NTP) to obtain 
the current date and time from an NTP server. Without the correct date and time, the 
device cannot check whether a certificate is within its validity period, and 
authentication with client certificates fails. For configuring NTP, see ''Configuring 
Automatic Date and Time using SNTP'' on page 137. 
•  Only Base64 (PEM) encoded X.509 certificates can be loaded to the device. 
Certificates delivered in binary DER format (typically .cer or .der files) must be 
converted to PEM before they are loaded. 
 
 
11.1  Configuring TLS Certificate Contexts 
The TLS Contexts table lets you configure TLS certificates, referred to as a TLS Context. 
Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), is used to 
secure the device's SIP signaling connections, Web interface, and Telnet server. TLS 
provides confidentiality, integrity, and authenticity between two communicating 
applications over TCP/IP. TLS Contexts are applicable to Gateway and SBC calls. 
The device is shipped with a default TLS Context (ID 0 and string name "default"), which 
includes a self-generated random private key and a self-signed server certificate. The 
subject name for the default certificate is "ACL_nnnnnnn", where nnnnnnn  denotes the 
serial number of the device. The default TLS Context can be used for SIP over TLS (SIPS) 
or any other supported application such as Web (HTTPS), Telnet, and SSH. The default 
TLS Context cannot be deleted.  
A TLS Context can be configured with the following: 
  Context ID and name 
  TLS version - SSL 2.0 (only for the TLS handshake), SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2. 
SSL 2.0 and SSL 3.0 are prohibited by RFC 6176 and RFC 7568, and TLS 1.0 and TLS 1.1 
are deprecated by RFC 8996; allow only TLS 1.2 unless a legacy peer leaves no choice. 
  Encryption ciphers for server and client - DES, RC4 compatible, Advanced Encryption 
Standard (AES). DES and RC4 are no longer considered secure (RC4 is prohibited in TLS 
by RFC 7465); configure AES-based cipher suites and enable the others only for a peer 
that supports nothing else. 
  Online Certificate Status Protocol (OCSP). Some Public-Key Infrastructures (PKI) can 
revoke a certificate after it has been issued. You can configure the device to check 
whether a peer's certificate has been revoked, using the OCSP. When OCSP is 
enabled, the device queries the OCSP server for revocation information whenever a 
peer certificate is received (IPSec, TLS client mode, or TLS server mode with mutual 
authentication). 
  Private key - externally created and then uploaded to the device 
  X.509 certificates - self-signed certificates or signed as a result of a certificate signing 
request (CSR) 
  Trusted root certificate authority (CA) store (for validating certificates) 
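The workflow the list above describes (a private key and CSR created outside the device, a CA-signed certificate, and a trusted root CA bundle), together with the two earlier notes (only PEM can be loaded; the validity period can only be checked with a correct clock), as an added shell example using OpenSSL. This is not AudioCodes code and does not upload anything to the device: the test CA, the file names, and the SIP host name sbc.example.net are constructed for the demonstration, and the subjectAltName entry is the editor's recommendation rather than something this page requires.

```shell
#!/bin/sh
# Added example, not from the AudioCodes manual: prepare PEM material for a
# TLS Context with OpenSSL and sanity-check it before uploading. The test CA,
# file names and host name are constructed for the demo.
set -eu

# The device loads only Base64 (PEM) X.509 certificates: refuse anything
# without PEM armour (DER .cer/.der, PKCS#12 .pfx) before trying to upload it.
is_pem_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q '^-----END CERTIFICATE-----' "$1"
}

# Convert a DER certificate (what many CAs hand back) to PEM.
der_to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# The CSR must verify with its own public key, or the CA will reject it.
csr_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Does the certificate chain to the CA bundle you will load into the context's
# trusted root store? An optional Unix time verifies "as of" that moment, which
# is what a device whose clock never synced with NTP effectively does.
chain_ok() {
    if [ $# -ge 3 ]; then
        openssl verify -attime "$3" -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Succeeds only if the certificate is still valid $2 seconds from now;
# use it to catch a certificate that is about to expire before the device does.
not_expiring_within() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Build a constructed test CA and a device key/CSR/certificate set in $1.
# The private key is generated outside the device, as the manual describes;
# $2 (default: a made-up SIP FQDN) goes into the subject and subjectAltName.
make_demo_material() {
    dir=$1; fqdn=${2:-sbc.example.net}
    # Test CA standing in for your PKI (EC key: fast, fine for a demo).
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -days 3650 \
        -subj "/CN=Lab Test Root CA" >/dev/null 2>&1
    # Device private key and CSR.
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/device.key" -out "$dir/device.csr" \
        -subj "/CN=$fqdn" >/dev/null 2>&1
    # Sign the CSR; put the FQDN in subjectAltName, which peers check.
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.cnf"
    openssl x509 -req -in "$dir/device.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/san.cnf" \
        -out "$dir/device.pem" >/dev/null 2>&1
    # A DER copy, to show the PEM check rejecting it.
    openssl x509 -in "$dir/device.pem" -outform DER -out "$dir/device.der"
}

demo() {
    d=$(mktemp -d)
    make_demo_material "$d"
    csr_ok "$d/device.csr" && echo "CSR verifies"
    is_pem_cert "$d/device.der" || echo "device.der is not PEM: converting"
    der_to_pem "$d/device.der" "$d/device-converted.pem"
    is_pem_cert "$d/device-converted.pem" && echo "converted file is PEM"
    chain_ok "$d/device.pem" "$d/ca.pem" && echo "device.pem chains to ca.pem"
    # 631152000 = 1990-01-01 UTC: the clock of a device that never synced with NTP.
    chain_ok "$d/device.pem" "$d/ca.pem" 631152000 || echo "rejected with a wrong clock"
    not_expiring_within "$d/device.pem" $((30*86400)) && echo "valid for 30+ days"
    echo "material in $d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh tls-context-prep.sh demo`. The files to load into a TLS Context are device.key (private key), device.pem (the signed certificate) and ca.pem (the trusted root CA store); the `-attime` call shows the "not yet valid" failure a device without NTP produces, which is why the time source must be set before certificates are configured.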
To use a TLS Context for SIPS, you can assign it to a Proxy Set and/or SIP Interface 
associated with the IP Group for which you want to employ TLS certificates. When the 
device establishes a TLS connection (handshake) with a SIP user agent (UA), the TLS 
Context is determined as follows: 
  Incoming calls: