Differences between revisions of "AdminGuide:Service:SSLSettings/en"

From Kalliope Wiki.
Revision as of 12:27, 25 Jul 2022


Description

The SSL (Secure Sockets Layer) settings section is where trusted CAs (Certification Authorities) are managed.

Configuration

[Figure: Impostazioni sistema, ssl.png]

To reach the SSL settings section, follow the path "System settings > SSL Settings", as shown in the figure on the right.

Trusted CA Management

This section lists the Certification Authorities of phone vendors that the PBX considers valid for authenticating a client certificate.

The server certificate is rarely issued directly by one of the CAs on the phone, since they are non-root CAs. Certificates are often issued by intermediate CAs.

N.B. It is important to remember the correct sequence of the chain: root CA > intermediate CA > server certificates


The root CA issues a certificate to an intermediate CA, and the intermediate CA issues the server certificates. You have to upload the server certificate, consisting of the actual certificate and its private key, together with the intermediate CAs that are used to build the chain of trust up to the root CA.

The certificates must be put together in a single .pem file. The phone then presents its client certificate, which the PBX validates using the trusted CAs in the panel.

If the certificate is deemed valid, and both the CN (common name) and the MAC address match the file the phone is requesting, the session closes and the download of the provisioning file can start.

While browsers often have intermediate CAs preloaded, phones hold only root CAs, for reasons of memory occupancy. If the server certificate loaded on the machine is signed by an intermediate CA (itself signed by a root CA), but the server passes only its own certificate to the phone and not the intermediate one, the phone does not consider it valid.

It is therefore necessary to upload both the intermediate CA and the server certificate.
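
The missing-intermediate failure described above can be caught before upload. This is an added example, not Kalliope code: a standard-library Python lint that reports which issuer a .pem bundle fails to supply between the server certificate and a root the phone holds. It compares issuer and subject names byte for byte and verifies no signatures; `chain_gap`, `skeleton` and all certificate names are assumptions, and the skeleton certificates are constructed test input, not valid X.509.

```python
import base64, re
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of one certificate."""
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, end = _tlv(der, pos)           # TBSCertificate SEQUENCE
    fields = []
    while pos < end:
        _, _, nxt = _tlv(der, pos)
        fields.append(der[pos:nxt])
        pos = nxt
    skip = 1 if fields[0][0] == 0xA0 else 0    # optional [0] version field
    return fields[2 + skip], fields[4 + skip]  # issuer, subject

def names(pem_text):
    return [issuer_subject(base64.b64decode(b)) for b in PEM_CERT.findall(pem_text)]

def chain_gap(bundle_pem, phone_roots_pem):
    """None if the bundle reaches a phone root, else the issuer Name nothing supplies."""
    certs = names(bundle_pem)
    roots = {subject for _, subject in names(phone_roots_pem)}
    by_subject = {subject: issuer for issuer, subject in certs}
    issued = {i for i, s in certs if i != s}   # names that issued another certificate
    issuer = next(i for i, s in certs if s not in issued)  # server certificate's issuer
    seen = set()
    while issuer not in roots:
        if issuer not in by_subject or issuer in seen:
            return issuer
        seen.add(issuer)
        issuer = by_subject[issuer]
    return None

# Constructed skeleton certificates: only the fields read above, no keys or signatures.
def _der(tag, body):
    return bytes([tag, len(body)]) + body

def skeleton(subject, issuer):
    name = lambda cn: _der(0x30, _der(0x0C, cn.encode()))
    tbs = _der(0x30, _der(0x02, b"\x01") + _der(0x30, b"") + name(issuer) + _der(0x30, b"") + name(subject))
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(_der(0x30, tbs)).decode()}\n-----END CERTIFICATE-----\n"
```

Passing the text of a real bundle and of the phone's root CA file to `chain_gap` works the same way; a non-`None` result is the DER name of the CA certificate that still has to be added to the bundle.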

Server certificate management

In this section you can upload the server certificate in a single .pem file.

By default, every Kalliope has a self-assigned certificate that is issued by a self-generated, in-house CA.

A new certificate can be issued by clicking on "Create new CSR" and entering the details of the new certificate:

  • Install as a server certificate
  • Country
  • State
  • Locality
  • Organization
  • Organizational unit
  • Common name
  • E-mail

and the Subject Alternative Names.