Configuring Certificates; Configuring TLS Certificate Contexts - AudioCodes Mediant 800B User Manual

Analog & digital voip media gateway
User's Manual
10 Configuring Certificates

The TLS Contexts page lets you configure X.509 certificates, which are used for secure
management of the device, secure SIP transactions, and other security applications.
Notes:
• The device is shipped with an active, default TLS setup. Thus, configure
  certificates only if required.
• Since X.509 certificates have an expiration date and time, you must configure the
  device to use Network Time Protocol (NTP) to obtain the current date and time
  from an NTP server. Without the correct date and time, client certificates cannot
  work. For configuring NTP, see Configuring Automatic Date and Time using SNTP
  on page 101.

10.1.1 Configuring TLS Certificate Contexts

The TLS Contexts table lets you configure up to 12 TLS certificates, referred to as TLS
Contexts. Transport Layer Security (TLS), also known as Secure Sockets Layer (SSL),
is used to secure the device's SIP signaling connections, Web interface, and Telnet server.
The TLS/SSL protocol provides confidentiality, integrity, and authenticity between two
communicating applications over TCP/IP.
The device is shipped with a default TLS Context (ID 0 and string name "default"), which
includes a self-generated random private key and a self-signed server certificate. The
subject name for the default certificate is "ACL_nnnnnnn", where nnnnnnn denotes the
serial number of the device. The default TLS Context can be used for SIP over TLS (SIPS)
or any other supported application such as Web (HTTPS), Telnet, and SSH. The default
TLS Context cannot be deleted.
The user-defined TLS Contexts are used only for SIP over TLS (SIPS). This enables you
to use different TLS certificates for your IP Groups (SIP entities). This is done by assigning
a specific TLS Context to the Proxy Set and/or SIP Interface associated with the IP Group.
Each TLS Context can be configured with the following:
• Context ID and name
• TLS version - SSL 2.0 (only for TLS handshake), SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
• Encryption ciphers for server and client - DES, RC4 compatible, Advanced Encryption
  Standard (AES)
• Online Certificate Status Protocol (OCSP). Some Public-Key Infrastructures (PKI) can
  revoke a certificate after it has been issued. You can configure the device to check
  whether a peer's certificate has been revoked, using the OCSP. When OCSP is
  enabled, the device queries the OCSP server for revocation information whenever a
  peer certificate is received (IPSec, TLS client mode, or TLS server mode with mutual
  authentication).
• Private key - externally created and then uploaded to device
• X.509 certificates - self-signed certificates or signed as a result of a certificate signing
  request (CSR)
• Trusted root certificate authority (CA) store (for validating certificates)
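
The following audit check is an added example, not part of the AudioCodes manual. It flags an endpoint that still presents the default "ACL_nnnnnnn" self-signed certificate, an expired certificate, or a negotiated protocol or cipher from the older options listed above. Assumptions: the function name and finding strings are hypothetical, the serial number is taken to be numeric, and the inputs follow the shapes returned by Python's ssl module.

```python
import re
import ssl
from datetime import datetime, timezone

# Options the TLS Context list still offers that are deprecated today.
DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("DES", "RC4")  # "DES" also matches 3DES suite names
DEFAULT_SUBJECT = re.compile(r"^ACL_\d+$")  # assumed: "ACL_" + numeric serial


def _common_name(rdns):
    """Pull commonName out of the nested tuples getpeercert() uses."""
    for rdn in rdns:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def audit_tls_context(cert, version, cipher_name, now=None):
    # cert, version and cipher_name follow the shapes of SSLSocket.getpeercert(),
    # SSLSocket.version() and SSLSocket.cipher()[0].
    now = now or datetime.now(timezone.utc)
    findings = []
    if cert.get("subject") == cert.get("issuer"):
        findings.append("self-signed certificate")
        cn = _common_name(cert.get("subject", ()))
        if cn and DEFAULT_SUBJECT.match(cn):
            findings.append("default TLS Context certificate in use")
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    if expiry <= now.timestamp():
        findings.append("certificate expired")
    if version in DEPRECATED_VERSIONS:
        findings.append(f"deprecated protocol negotiated: {version}")
    if any(m in cipher_name.upper() for m in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher negotiated: {cipher_name}")
    return findings


# Constructed sample (serial number is made up): device on its default context.
SAMPLE_DEFAULT = {
    "subject": ((("commonName", "ACL_1234567"),),),
    "issuer": ((("commonName", "ACL_1234567"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
print(audit_tls_context(SAMPLE_DEFAULT, "TLSv1", "RC4-SHA"))
```

Note that getpeercert() returns an empty dict when certificate validation is disabled, so for a self-signed device certificate either load it as a trust anchor first or decode the DER form with a certificate library.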
Version 6.8
Mediant 800B Gateway and E-SBC