Manage Certificates And Revocation; Configure Certificate Validation Settings - Polycom RealPresence Group Series Administrator's Manual

Manage Certificates and Revocation

If your organization has deployed a public key infrastructure (PKI) for securing connections between
devices on your network, Polycom recommends that you have a strong understanding of certificate
management and how it applies to RealPresence Group Series products before you integrate these
products with the PKI.

RealPresence Group systems can use certificates to authenticate network connections to and from the
Polycom RealPresence Group system. Other web applications also use certificates, as you might notice
when you navigate the Internet. The system uses configuration and management techniques typical of PKI
to manage certificates, certificate signing requests, and revocation checking. ANSI X.509 standards
regulate the characteristics of certificates and revocation.

RealPresence Group systems can generate certificate signing requests (CSRs) that can then be sent to a
certificate authority (CA) for official issuance. The CA is the trusted entity that issues, or signs, digital
certificates for others. Once the CA has signed the certificate, you can install it on the RealPresence
Group system for use in all TLS connections used by the system.

RealPresence Group systems support, and typically require, the generation and use of two separate
certificates when used in an environment that has a fully deployed PKI:
1. A Server certificate—the RealPresence Group system's web server presents this certificate after
   receiving connection requests from browsers attempting to connect to the RealPresence Group
   system web interface.
2. A Client certificate—the RealPresence Group system presents this certificate to a remote server
   when challenged to provide a certificate as part of authenticating the identity of the RealPresence
   Group system before allowing it to connect to the remote server. Examples of remote servers
   include the RealPresence® Resource Manager system, a SIP proxy/registrar server, or an LDAP
   directory server.

When RealPresence Group systems are deployed in an environment that does not have a fully deployed
PKI, you do not need to install these certificates because all RealPresence Group systems automatically
generate self-signed certificates that can be used to establish secure TLS connections. However, when a
full PKI has been deployed, self-signed certificates are not trusted by the PKI, so CA-signed certificates
must be used. The following sections describe how to generate and use certificates by using the Polycom
RealPresence Group system web interface.

Configure Certificate Validation Settings

Certificates are authorized externally when they are signed by the CA. The certificates can be automatically
validated when they are used to establish an authenticated network connection. To perform this validation,
the RealPresence Group system must have certificates installed for all CAs that are part of the trust chain.
A trust chain is the hierarchy of CAs that have issued certificates, starting from the certificate of the
device being authenticated, through the intermediate CAs that have issued certificates to the various CAs,
and leading back to a root CA, which is a known trusted CA. The following sections describe how to install
and manage these certificates.

A certificate exchange takes place between a server and a client, both of which are peers. When a user
accesses the RealPresence Group system web interface, the RealPresence Group system is the server and
the web browser is the client application. In other situations, such as when the RealPresence Group system
connects to LDAP directory services, the RealPresence Group system is the client and the LDAP directory
server is the server.
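
Added example (not from the Polycom manual or the RealPresence software): a lab PKI built with the openssl command-line tool, showing that a device certificate fails validation when only the root CA is installed, passes once every CA in the trust chain is installed, and that a self-signed certificate is rejected. The CA names, host names and file names are constructed for the demonstration, and openssl stands in here for the system's own validation.

```shell
#!/bin/sh
# Added example: constructed lab PKI (root CA -> intermediate CA -> device certificate).
# Every name and file below is made up for the demo; nothing comes from a real deployment.
set -eu
LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT

# Extension files: CA certificates vs. the device (end-entity) certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$LAB/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$LAB/leaf.ext"

new_csr() {    # $1 = file prefix, $2 = common name: create a key pair and a CSR
  openssl req -new -newkey rsa:2048 -nodes -keyout "$LAB/$1.key" \
    -out "$LAB/$1.csr" -subj "/CN=$2" 2>/dev/null
}
ca_sign() {    # $1 = subject prefix, $2 = issuing CA prefix, $3 = extension file
  openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/$2.pem" -CAkey "$LAB/$2.key" \
    -CAcreateserial -extfile "$LAB/$3" -days 30 -out "$LAB/$1.pem" 2>/dev/null
}
self_sign() {  # $1 = prefix, $2 = extension file: certificate signed with its own key
  openssl x509 -req -in "$LAB/$1.csr" -signkey "$LAB/$1.key" \
    -extfile "$LAB/$2" -days 30 -out "$LAB/$1.pem" 2>/dev/null
}
trusted_by() { # $1 = installed CA bundle, $2 = certificate presented by the peer
  openssl verify -CAfile "$LAB/$1" "$LAB/$2" >/dev/null 2>&1
}
report() {     # print the validation outcome for one bundle/certificate pair
  if trusted_by "$1" "$2"; then echo "$2 vs $1: trusted"; else echo "$2 vs $1: REJECTED"; fi
}

new_csr root "Example Root CA";              self_sign root ca.ext
new_csr int  "Example Intermediate CA";      ca_sign int root ca.ext
new_csr dev  "rpg.example.test";             ca_sign dev int leaf.ext
new_csr solo "rpg-selfsigned.example.test";  self_sign solo leaf.ext

cp "$LAB/root.pem" "$LAB/only_root.pem"                     # intermediate CA not installed
cat "$LAB/root.pem" "$LAB/int.pem" > "$LAB/full_chain.pem"  # every CA in the chain installed

report only_root.pem  dev.pem   # rejected: the issuing intermediate CA is missing
report full_chain.pem dev.pem   # trusted: chain resolves back to the root CA
report full_chain.pem solo.pem  # rejected: self-signed, not issued by the PKI
```

The first rejection is the common deployment mistake: the root CA is installed but an intermediate CA certificate is not, so the chain cannot be built back to the trusted root.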
