Client Certificates - AudioCodes Mediant 1000 User Manual

User's Manual
Save the certificate in a file (e.g., cert.txt) and make sure it is a plain-text file with the
5.
"BEGIN CERTIFICATE" header. Below is an example of a Base64-Encoded X.509
Certificate.
-----BEGIN CERTIFICATE-----
MIIDkzCCAnugAwIBAgIEAgAAADANBgkqhkiG9w0BAQQFADA/MQswCQYDVQQGEwJG
UjETMBEGA1UEChMKQ2VydGlwb3N0ZTEbMBkGA1UEAxMSQ2VydGlwb3N0ZSBTZXJ2
ZXVyMB4XDTk4MDYyNDA4MDAwMFoXDTE4MDYyNDA4MDAwMFowPzELMAkGA1UEBhMC
RlIxEzARBgNVBAoTCkNlcnRpcG9zdGUxGzAZBgNVBAMTEkNlcnRpcG9zdGUgU2Vy
dmV1cjCCASEwDQYJKoZIhvcNAQEBBQADggEOADCCAQkCggEAPqd4MziR4spWldGR
x8bQrhZkonWnNm+Yhb7+4Q67ecf1janH7GcN/SXsfx7jJpreWULf7v7Cvpr4R7qI
JcmdHIntmf7JPM5n6cDBv17uSW63er7NkVnMFHwK1QaGFLMybFkzaeGrvFm4k3lR
efiXDmuOe+FhJgHYezYHf44LvPRPwhSrzi9+Aq3o8pWDguJuZDIUP1F1jMa+LPwv
REXfFcUW+w==
-----END CERTIFICATE-----
Before continuing, set the parameter, HTTPSOnly = 0 to make sure you have a
6.
method of accessing the device in case the new certificate is not working. Restore the
previous setting after testing the configuration.
In the SSLCertificateSR Web page, locate the server certificate upload section.
7.
Click Browse and locate the cert.txt file, then click Send File.
8.
When the operation is complete, save the configuration and restart the device. The
9.
Web server now uses the provided certificate.
Note 1:
Note 2:

16.1.5 Client Certificates

By default, Web servers using SSL provide one-way authentication. The client is certain
that the information provided by the Web server is authentic. When an organizational PKI is
in place, two-way authentication may be desired: both client and server should be
authenticated using X.509 certificates. This is achieved by installing a client certificate on
the management PC, and uploading the same certificate (in base64-encoded X.509
format) to the Mediant 1000's Trusted Root Certificate Store. The Trusted Root Certificate
file should contain both the certificate of the authorized user, and the certificate of the CA.
Since X.509 certificates have an expiration date and time, the Mediant 1000 must be
configured to use NTP (Network Time Protocol) to obtain the current date and time.
Without a correct date and time, client certificates cannot work.
To install a client certificate, take these 5 steps:
Before continuing, set HTTPSONLY=0 to make sure you have a method of accessing
1.
the device in case the client certificate is not working. Restore the previous setting
after testing the configuration.
To upload the Trusted Root Certificate file, go to the SSLCertificateSR Web page as
2.
above and locate the trusted root certificate upload section.
Click Browse and locate the file, then click Send File.
3.
Version 4.6
The certificate replacement process may be repeated as necessary, e.g.,
when the new certificate expires.
It is possible to set the subject name to the IP address of the device (e.g.,
"10.3.3.1") instead of a qualified DNS name. This practice is not
recommended, since the IP address is subject to changes and may not
uniquely identify the device.
281
16. Appendix - Security
August 2005