Client Certificates - Nortel Media Gateway 3200 User Manual

H.248 User's Manual
Note 1: The certificate replacement process may be repeated as necessary, e.g., when the new
certificate expires.
Note 2: It is possible to set the subject name to the IP address of the device (e.g., "10.3.3.1")
instead of a qualified DNS name. This practice is not recommended, since the IP address is
subject to changes and may not uniquely identify the device.

17.2.5 Client Certificates

By default, Web servers using SSL provide one-way authentication. The client is certain
that the information provided by the Web server is authentic. When an organizational PKI is
in place, two-way authentication may be desired: both client and server should be
authenticated using X.509 certificates. This is achieved by installing a client certificate on
the management PC, and uploading the same certificate (in base64-encoded X.509
format) to the MG 3200's Trusted Root Certificate Store. The Trusted Root Certificate file
should contain both the certificate of the authorized user, and the certificate of the CA.
Since X.509 certificates have an expiration date and time, the MG 3200 must be configured
to use NTP (Network Time Protocol) to obtain the current date and time. Without a correct
date and time, client certificates cannot work.

To install a client certificate, take these 5 steps:

1. Before continuing, set HTTPSONLY=0 to make sure you have a method of accessing
   the device in case the client certificate is not working. Restore the previous setting
   after testing the configuration.
2. To upload the Trusted Root Certificate file, go to the SSLCertificateSR Web page as
   above and locate the trusted root certificate upload section.
3. Click Browse and locate the file, then click Send File.
4. When the loading operation is complete, set the ini file parameter
   HTTPSRequireClientCertificates = 1.
5. Save the configuration and restart the device.

When a user connects to the secure Web server:

- If the user has a client certificate from a CA listed in the Trusted Root Certificate
  file, the connection is accepted and the user is prompted for the system password.
- If both the CA certificate and the client certificate appear in the Trusted Root
  Certificate file, the user is not prompted for a password (thus providing a
  single-sign-on experience - the authentication is performed using the X.509 digital
  signature).
- If the user does not have a client certificate from a listed CA, or does not have a
  client certificate at all, the connection is rejected.

Note: The process of installing a client certificate on your PC is beyond the scope
of this document. For more information, refer to your Web browser or
operating system documentation, and/or consult your security administrator.

Version SN09    325    October 2006
17. Appendix - Security
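As an added example that is not from the manual, the three admission outcomes described above modelled with Go's standard x509 package: a constructed CA and user certificate stand in for the Trusted Root Certificate file, `issue` and `Admit` are hypothetical helper names, and the clock is passed in explicitly so the NTP requirement can be exercised.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// The three outcomes the manual lists for a client connecting to the secure Web server.
const Rejected, AcceptPassword, AcceptSSO = "rejected", "accepted, system password required", "accepted, single sign-on"
// issue creates a constructed test certificate (not real device data); with ca == nil it is a self-signed CA.
func issue(cn string, ca *x509.Certificate, caKey ed25519.PrivateKey, notAfter time.Time) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		IsCA: ca == nil, BasicConstraintsValid: ca == nil, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca == nil { // self-signed: the template is its own issuer
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		ca, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Admit models the gateway's decision. trusted holds the Trusted Root Certificate file (the CA
// certificate and, optionally, the user's own certificate); now is the NTP-synchronised clock.
func Admit(client *x509.Certificate, trusted []*x509.Certificate, now time.Time) string {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil { // not signed by a listed CA, or clock outside the validity period
		return Rejected
	}
	for _, c := range trusted {
		if c.Equal(client) { // the user's own certificate is in the store: the X.509 signature alone suffices
			return AcceptSSO
		}
	}
	return AcceptPassword
}
```

Admit grants the single-sign-on outcome only when the user's own certificate is present in the store, and rejects an otherwise valid certificate as soon as the supplied clock falls outside its validity period.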