AdminGuide:Service:SSLSettings/en

From Kalliope Wiki.
Revision as of 24 Jul 2022, 15:22, by Troccoli (Created page with "By default, on all Kalliope, there is a self-assigned certificate that is issued by a self-generated, in-house CA.")

Description

The SSL (Secure Sockets Layer) settings section contains the management of trusted CAs (Certification Authorities).

Configuration

Managing trusted CAs

This section contains the list of phone vendors' Certification Authorities that the PBX considers valid for authenticating a client certificate.

The server certificate is rarely issued directly from one of the CAs on the phone, since they are no-root CAs. Often certificates are issued by intermediate CAs.

N.B. It is important to remember the correct sequence of the chain: root CA > intermediate CA > server certificates


The root CA issues a certificate to an intermediate CA and the intermediate CA issues the server certificates. You have to upload the server certificate consisting of the actual certificate and private key and the intermediate CAs that are used to build the chain of trust up to the root CA.

The certificates must be put together inside a single .pem file. The phone then provides the client certificate, which the PBX validates using the trusted CAs in the panel.

If the certificate is deemed valid and both the CN (common name) and MAC address match the file it is requesting, then everything matches, the session closes, and the download of the provisioning file can start.

While browsers often have intermediate CAs preloaded, phones hold only root CAs because of memory constraints. If the server certificate loaded on the machine is signed by an intermediate CA (itself signed by a root CA) but the server passes only its own certificate to the phone, without the intermediate one, the phone does not consider it valid.

It is then necessary to upload both the intermediate CA and the server certificate.
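To illustrate the point above, this added example (not part of the Kalliope documentation or product code) checks, from the phone's point of view, whether the certificates a server sends can be linked by issuer name up to a root CA the phone holds. It compares names only and verifies no signatures or validity dates; the function names and the toy certificates are constructed for illustration.

```python
import base64, re

def tlv(data, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes that follow
        length, pos = int.from_bytes(data[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, pos, pos + length

def names(der):
    """Return (subject, issuer) of one certificate as raw DER Name bytes."""
    _, p, _ = tlv(der, tlv(der, 0)[1])  # step into Certificate, then tbsCertificate
    fields = []  # serial, signature algorithm, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = tlv(der, p)
        if tag != 0xA0:  # skip the optional [0] version field
            fields.append(der[p:end])
        p = end
    return fields[4], fields[2]

def certs(pem):
    """Decode every CERTIFICATE block in a PEM text; private keys are ignored."""
    pat = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    return [base64.b64decode(body) for body in re.findall(pat, pem, re.S)]

def chains_to_root(sent_pem, root_pem):
    """True if the certificates the server sends link, by issuer name, up to the root."""
    issuer_of = dict(names(c) for c in certs(sent_pem))  # subject -> issuer
    root_subject = names(certs(root_pem)[0])[0]
    leaves = [s for s in issuer_of if s not in set(issuer_of.values())]
    current = leaves[0] if len(leaves) == 1 else None  # exactly one server certificate
    for _ in issuer_of:  # bounded walk, so a loop of names cannot spin forever
        if issuer_of.get(current) == root_subject:
            return True
        current = issuer_of.get(current)
    return False

def toy_cert(subject, issuer):
    """Constructed sample: real DER layout, but empty key and signature fields."""
    def der(tag, *parts):  # short-form lengths only, enough for these tiny samples
        return bytes([tag, sum(map(len, parts))]) + b"".join(parts)
    def name(cn):
        return der(0x30, der(0x31, der(0x30, b"\x06\x03\x55\x04\x03", der(0x0C, cn.encode()))))
    tbs = der(0x30, b"\x02\x01\x01", der(0x30), name(issuer), der(0x30), name(subject), der(0x30))
    cert = der(0x30, tbs, der(0x30), b"\x03\x01\x00")
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()

ROOT = toy_cert("Toy Root CA", "Toy Root CA")  # constructed: the only CA the phone stores
INTERMEDIATE = toy_cert("Toy Issuing CA", "Toy Root CA")  # constructed intermediate CA
SERVER = toy_cert("pbx.example.test", "Toy Issuing CA")  # constructed server certificate
```

With these samples, `chains_to_root(SERVER, ROOT)` is false because the intermediate is missing, while `chains_to_root(SERVER + INTERMEDIATE, ROOT)` is true. The same functions accept real PEM files read from disk.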

Server certificate management

In this section you can upload the server certificate in a single .pem file.

By default, on all Kalliope, there is a self-assigned certificate that is issued by a self-generated, in-house CA.

A new certificate can be issued by entering:

  • the details of the new certificate:
      • Install as a server certificate
      • State
      • Province
      • Location
      • Entity
      • Department
      • Common name
      • E-mail
  • additional identities.