Reference11r1:Certificate names and trust relationships: Difference between revisions
| (One intermediate revision by the same user not shown) | |||
| Line 20: | Line 20: | ||
not needed | not needed | ||
== Registration of phones using H323/TLS == | == Registration of phones and interfaces using H323/TLS == | ||
=== Authentication using username and password === | === Authentication using username and password === | ||
;Certificate of the PBX: | ;Certificate of the PBX: | ||
| Line 32: | Line 32: | ||
;Certificate of the PBX: | ;Certificate of the PBX: | ||
no requirements | no requirements | ||
;Certificate of the Phone: | ;Certificate of the Phone/Gateway: | ||
* trusted by the PBX | * trusted by the PBX | ||
* The CN value of the certificate is included in the registration name or the hardware ID (e.g. 0090332f688a or IP222-2f-68-8a). More specific the registration name must start with the CN value of the certificate. | * The CN value of the certificate is included in the registration name or the hardware ID (e.g. 0090332f688a or IP222-2f-68-8a). More specific the registration name must start with the CN value of the certificate. Note that while phones will use their plain serial number as registration name if not configured otherwise, gateway interfaces will use their serial number followed by the interface name (e.g.. <code>009033010203-TEL1</code>). | ||
Note: if you are using | Note: if you are using ''Softwarephone for Windows'' or ''myPBX for Android'' or ''myPBX for iOS'' and you have not installed your own certificate on these devices, it's necessary to trust the certificate of the endpoint itself in the PBX (download certificate from endpoint then upload certificate to PBX). This is because these devices will by default use a self-signed certificate, so each device certificate has a different issuer (which is the device itself). | ||
[[Category:Concept|Certificate names and trust relationships]] | [[Category:Concept|Certificate names and trust relationships]] | ||
Latest revision as of 16:17, 9 June 2017
Applies To
This information applies to
- all innovaphone devices from V11r1
Overview
In TLS connections certificates are used for validating the identity of the server, or optionally the client as well. The certificate validation involves the following two main types of checks:
- Trust
- Is the certificate itself in the trust list? Is any of the CAs in the certificate chain in the trust list?
- Naming
- Does one of the names in the certificate match the name of the remote endpoint? For example if you open
https://www.example.comthe web browser checks if the certificate contains "www.example.com" as a name.
This article summarizes the requirements to trust relationships and certificate names in different scenarios.
HTTPS or secure websocket access from a browser
- Certificate of the Device
- trusted by the browser
- CN or DNS name in the certificate has to match the host name or the IP address from the requested URL
- Certificate of the browser
not needed
Registration of phones and interfaces using H323/TLS
Authentication using username and password
- Certificate of the PBX
no requirements
- Certificate of the Phone
no requirements
Note: If the flag "TLS Only" it's set at the User Object then this type of registration will not be possible since the certificate of the endpoint must be trusted by the PBX.
Authentication using certificate
- Certificate of the PBX
no requirements
- Certificate of the Phone/Gateway
- trusted by the PBX
- The CN value of the certificate is included in the registration name or the hardware ID (e.g. 0090332f688a or IP222-2f-68-8a). More specific the registration name must start with the CN value of the certificate. Note that while phones will use their plain serial number as registration name if not configured otherwise, gateway interfaces will use their serial number followed by the interface name (e.g..
009033010203-TEL1).
Note: if you are using Softwarephone for Windows or myPBX for Android or myPBX for iOS and you have not installed your own certificate on these devices, it's necessary to trust the certificate of the endpoint itself in the PBX (download certificate from endpoint then upload certificate to PBX). This is because these devices will by default use a self-signed certificate, so each device certificate has a different issuer (which is the device itself).