Reference12r2:General/Certificates

From innovaphone wiki
There are also other versions of this article available: Reference7 | Reference9 | Reference12r2 (this version)

Trust list

This list contains the certificates to be accepted for TLS secured connections (e.g. HTTPS, SIPS). You can add either individual endpoint certificates or a CA certificate if you want to accept all certificates issued by that CA.

Remove: Remove the selected certificate.
Clear: Remove all certificates from the trust list.
Details: Click the name of a certificate to view its details.
Download: Download a single certificate by clicking the PEM- or DER-link, respectively.
Download all: Download the complete trust list as a PEM-encoded text file. You can upload that file to another box.
Upload: Select a local certificate file from your computer and press the Upload button to add it to the trust list. You can upload either DER- or PEM-encoded certificates. PEM files may contain multiple certificates.

Rejected certificates

This list contains the certificate chains that were previously rejected while trying to establish a secure TLS connection. This happens, for example, if the certificate is expired or if neither the certificate nor any of the issuing CAs is trusted. If one of those certificates should be trusted for future connections, you can select it and add it directly to the trust list.

An untrusted certificate chain which is missing the root certificate (the one that is self-signed) is shown as Unknown CA. If the root is present, it is shown as Untrusted CA. It is usually sufficient to add the root certificate to the trust list. However, in case of an Unknown CA, you need to add the last intermediate certificate to the trust list in order to accept the certificate.

Trust: Add the selected certificates to the trust list and remove the corresponding chains from the rejected certificates.
Clear: Discard all rejected certificate chains.
Details: Click the name of a certificate to view its details.

Certificate Validity

For certificates that have already expired or will expire in the near future, the PBX generates an alarm with the message "A certificate has expired or will expire soon".

Since version 12r2sr41, validity alarms are only generated if a matching certificate with longer validity has not already been installed.

Device certificate

The device certificate can be used by remote TLS endpoints to authenticate the identity of the device. In general this is not a single certificate but a chain containing the device certificate and the certificates of the intermediate CAs up to the root CA. A TLS connection can only be established if the remote endpoint trusts at least one of those certificates.

Trust: Add the selected certificates to the trust list.
Clear: This button is only displayed if a certificate was previously installed by the user. Click this button to discard the current device certificate and restore the standard certificate.
Renew: This button is only displayed if no certificate was previously installed by the user. Click this button to renew the automatically generated standard certificate.
Details: Click the name of a certificate to view its details.
Download: Download a single certificate from the chain by clicking the PEM or DER-link, respectively.
Create new: Click this link to create a new self-signed certificate or certificate request.
Upload: Select a local certificate file and press the "Upload" button. You can upload a single certificate corresponding to the private key of a previously created certificate request, in either PEM or DER format. Alternatively, you can upload a complete certificate chain containing the corresponding private key as a PEM-encoded text file (.pfx file format is OK). You can supply a password if the file is encrypted.

Application certificates

The application certificates are certificates for specific domains that are used by applications like SIP. The application uses the certificate that matches its own domain. So if you have a PBX with domain "example.com", SIP will fetch the certificate that has "example.com" as its common name.

Trust: Add the selected certificates to the trust list.
Remove: Deletes the selected application certificates from the box.
Details: Click the name of a certificate to view its details.
Download: Download a single certificate from the chain by clicking the PEM or DER-link, respectively.
Create new: Click this link to create a new self-signed certificate or certificate request.
Upload: Select a local certificate file and press the "Upload" button. You can upload a single certificate corresponding to the private key of a previously created certificate request, in either PEM or DER format. Alternatively, you can upload a complete certificate chain containing the corresponding private key as a PEM-encoded text file.

Signing request

A certificate signing request contains a public key and an identity. While the corresponding private key is kept secret, the request is sent to a CA. The CA will issue an appropriate certificate for the public key after it has verified the identity.

Details: Click the name of the signing request to view its details.
Download: Download the signing request by clicking the PEM- or DER-link, respectively.
Remove: Discard the current signing request and the corresponding private key. As a consequence, certificates for that key can no longer be installed.

Uploading the response certificate from a CA

See section about device or application certificate upload.
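
One way to check a CA's response on a workstation before uploading it, shown as an added example that is not part of the original article and is not innovaphone tooling: it compares the public key in the downloaded signing request with the one in the issued certificate, and reports whether the certificate expires within a given window. It assumes OpenSSL is installed; the file names, the 30-day window, and the locally generated key and self-signed certificates standing in for the box's key and the CA are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: checks to run on a workstation before uploading a CA response.
# File names and the 30-day window are assumptions, not innovaphone defaults.

# Print the SHA-256 of the public key in a CSR ("req") or certificate ("x509").
pubkey_digest() {  # usage: pubkey_digest req|x509 FILE
    local pem
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 = certificate carries the CSR's public key, 1 = different key, 2 = unreadable input.
response_matches_csr() {  # usage: response_matches_csr CSR CERT
    local a b
    a=$(pubkey_digest req "$1") || return 2
    b=$(pubkey_digest x509 "$2") || return 2
    [ "$a" = "$b" ]
}

# 0 = certificate is expired or expires within DAYS days (unreadable files are reported too).
expires_within() {  # usage: expires_within CERT DAYS
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Constructed demo data: a local key stands in for the key that stays on the box,
# and self-signing stands in for the CA.
make_demo() {  # usage: make_demo DIR
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.com" \
        -keyout "$1/box.key" -out "$1/box.csr" 2>/dev/null
    openssl x509 -req -in "$1/box.csr" -signkey "$1/box.key" -days 10 \
        -out "$1/response.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.com" -days 365 \
        -keyout "$1/other.key" -out "$1/other.pem" 2>/dev/null
}

d=$(mktemp -d) && make_demo "$d"
response_matches_csr "$d/box.csr" "$d/response.pem" && echo "response.pem: key matches request"
response_matches_csr "$d/box.csr" "$d/other.pem" || echo "other.pem: key does not match request"
expires_within "$d/response.pem" 30 && echo "response.pem: expires within 30 days"
```

On a real box only the signing request and the CA's response are available to the administrator, which is why the comparison works on public keys alone.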

Related Article

Reference12r2:Certificate management