Configuring SSL/TLS Certificates; Configuring TLS Certificate Contexts - AudioCodes Mediant 4000 SBC User Manual

Session border controller

10 Configuring SSL/TLS Certificates

The TLS Contexts table lets you configure X.509 certificates which are used for secure
management of the device, secure SIP transactions, and other security applications.
Note:
• The device is shipped with an active, default TLS setup. Configure certificates only if required.
• Since X.509 certificates have an expiration date and time, you must configure the device to use Network Time Protocol (NTP) to obtain the current date and time from an NTP server. Without the correct date and time, client certificates cannot work. To configure NTP, see "Configuring Automatic Date and Time using SNTP" on page 159.
• Only Base64 (PEM) encoded X.509 certificates can be loaded to the device.
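
A pre-upload check for the PEM-only requirement above, given as an added example that is not AudioCodes code: it accepts a certificate file in either Base64 (PEM) or binary DER form, rejects truncated data, and returns PEM text. The names to_device_pem, der_is_complete and SAMPLE_DER are assumptions made for illustration; the check covers encoding only, not the certificate's contents or validity dates.

```python
import base64
import re
import ssl

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s+(.+?)\s+-----END CERTIFICATE-----", re.S)

# Constructed sample: a 5-byte DER SEQUENCE, not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"


def der_is_complete(der: bytes) -> bool:
    """True if the buffer is exactly one DER SEQUENCE with a matching length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def to_device_pem(data: bytes) -> str:
    """Return Base64 (PEM) text for upload; binary DER input is converted."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        try:
            ders = [base64.b64decode(b"".join(b.split()), validate=True)
                    for b in blocks]
        except ValueError as exc:          # binascii.Error is a ValueError
            raise ValueError("PEM block is not valid Base64") from exc
    elif data[:1] == b"\x30":              # raw DER starts with a SEQUENCE tag
        ders = [data]
    else:
        raise ValueError("neither PEM nor DER X.509 data")
    if not all(der_is_complete(d) for d in ders):
        raise ValueError("truncated or malformed DER structure")
    return "".join(ssl.DER_cert_to_PEM_cert(d) for d in ders)


if __name__ == "__main__":
    print(to_device_pem(SAMPLE_DER), end="")
```

A file holding several PEM certificate blocks is returned with every block re-encoded in the same order.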

10.1 Configuring TLS Certificate Contexts

The TLS Contexts table lets you configure up to 100 TLS certificates, referred to as TLS Contexts. Transport Layer Security (TLS), also known as Secure Sockets Layer (SSL), can be used to secure the device's SIP signaling connections (SIP over TLS, or SIPS), Web (HTTPS) sessions, Telnet sessions and SSH sessions. The TLS/SSL protocol provides confidentiality, integrity, and authenticity between two communicating applications over TCP/IP.

The device is shipped with a default TLS Context (configured in row index 0 and called
"default"), which includes a self-generated random private key and a self-signed server
certificate. The subject name of the default certificate is "ACL_nnnnnnn", where nnnnnnn
denotes the serial number of the device.
Note:
• The default TLS Context cannot be deleted.
• The default TLS Context can be used for SIPS or any other supported application such as Web (HTTPS), Telnet, and SSH.
• If you configure new TLS Contexts, you can use them only for SIPS.
• If a TLS Context for an existing TLS connection is changed during the call by the user agent, the device ends the connection.

You can configure each TLS Context with the following:
• TLS version (SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2)
• Encryption ciphers for server and client - DES, RC4 compatible, Advanced Encryption Standard (AES)
• TLS certificate expiry check, whereby the device periodically checks the validation date of the installed TLS server certificates and sends an SNMP trap event if a certificate is nearing expiry. To configure TLS certificate expiry check, see "Configuring TLS Server Certificate Expiry Check" on page 117.
• Online Certificate Status Protocol (OCSP). Some Public-Key Infrastructures (PKI) can revoke a certificate after it has been issued. You can configure the device to check whether a peer's certificate has been revoked, using the OCSP. When OCSP is enabled, the device queries the OCSP server for revocation information whenever a

Version 7.2
Mediant 4000 SBC


This manual is also suitable for:

Mediant 4000b sbc
