AdminGuide:Service:SSLSettings/en


Description

The SSL (Secure Sockets Layer) settings section is where trusted CAs (Certification Authorities) are managed.

Configuration

System settings, ssl.png

To reach the SSL settings section, follow the path "System settings > SSL Settings", as shown in the figure on the right.

Trusted CA Management

This section lists the Certification Authorities of phone vendors that the PBX considers valid for authenticating a client certificate.

The server certificate is rarely issued directly by one of the CAs on the phone; certificates are often issued by intermediate CAs, which are not root CAs.

N.B. It is important to remember the correct sequence of the chain: root CA > intermediate CA > server certificates


The root CA issues a certificate to an intermediate CA, and the intermediate CA issues the server certificates. You have to upload the server certificate, consisting of the actual certificate and private key, together with the intermediate CAs that are used to build the chain of trust up to the root CA.

The certificates must be put together inside a single .pem file. The phone then provides the client certificate, which the PBX validates using the trusted CAs in the panel.

If the certificate is deemed valid and both the CN (common name) and the MAC address match the file the phone is requesting, the session closes and the download of the provisioning file can start.

While browsers often have intermediate CAs preloaded, phones hold only root CAs, for reasons of memory occupancy. If we load on the machine a server certificate signed by an intermediate CA (itself signed by a root CA), but the server passes only its own certificate and not the intermediate one to the phone, the phone does not consider it valid.

It is then necessary to upload both the intermediate CA and the server certificate.
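
A pre-upload check for the single .pem file described above, given here as an added example (it is not part of the Kalliope documentation or software, and the function names are illustrative). It confirms that the file holds one private key and that the certificates link to each other by issuer and subject name, flagging the missing-intermediate case; it compares names byte for byte and does not verify signatures or validity dates.

```python
import base64, re, sys

# Matches any PEM block and captures its label and base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)            # enter Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)          # enter tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                         # skip the optional [0] version field
        pos = end
    fields = []
    for _ in range(5):                      # serial, sigAlg, issuer, validity, subject
        _, _, end = read_tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def check_bundle(pem_text):
    """Return a list of problems found in a single-file PEM bundle (empty = OK)."""
    blocks = PEM_RE.findall(pem_text)
    keys = [label for label, _ in blocks if label.endswith("PRIVATE KEY")]
    certs = [issuer_and_subject(base64.b64decode(body))
             for label, body in blocks if label == "CERTIFICATE"]
    problems = []
    if len(keys) != 1:
        problems.append(f"expected 1 private key, found {len(keys)}")
    if not certs:
        return problems + ["no certificate found"]
    subjects = {subject for _, subject in certs}
    # Certificates whose issuer is not in the file; byte-for-byte Name comparison.
    unresolved = [c for c in certs if c[0] not in subjects]
    if len(unresolved) > 1:
        problems.append("broken chain: several certificates have an issuer not in the file")
    elif len(certs) == 1 and unresolved:
        problems.append("no intermediate CA in the file: valid only if issued directly by a root CA")
    return problems

if __name__ == "__main__" and len(sys.argv) > 1:
    print(check_bundle(open(sys.argv[1]).read()) or "bundle looks consistent")
```

Run it with the path of the .pem file as the only argument; an empty result means the key and chain structure are consistent, not that the phone's root CA list actually contains the top issuer.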

Server certificate management

In this section you can upload the server certificate in a single .pem file.

By default, every Kalliope has a self-assigned certificate issued by a self-generated, in-house CA.

You can create a new CSR (Certificate Signing Request) by clicking on "Create new CSR" and entering the details of the new certificate:

  • Country
  • State
  • Locality
  • Organization
  • Organizational unit
  • Common name
  • E-mail



Local CA Management

In this section you can view the Root Certificate Details and the Certificates List.

It is also possible to:

  • Emit new certificate, entering the new certificate details and Subject Alternative Names:

    • Install as server certificate
    • Country
    • State
    • Locality
    • Organization
    • Organizational unit
    • Common name
    • E-mail
  • Download root certificate (.pem)
  • Download root certificate (.der)
  • Delete local CA