were on isolated networks, but hosted services are becoming increasingly common. Using a hosted SIP service
requires traffic to be sent over the public internet, which makes it much more susceptible to attacks. Signed certificates are
important pieces in the operation of Algo devices to ensure the security, integrity, and privacy of device
communication. Algo components that use TLS are Provisioning and SIP Signaling.
Algo devices come pre-loaded with certificates from a list of trusted certificate authorities (CA), which are installed in
the hardware at the time of manufacture. Note these pre-installed trusted certificates are not visible to users and are
separate from the ‘certs’ folder.
The TLS handshake establishes that the client and server can trust each other. Once that trust is
established, the two parties can freely send encrypted data and decrypt any data that they receive. After the TLS
handshake process is complete, a TLS session is established, and the server and client can then exchange messages
that are symmetrically encrypted with a shared secret key negotiated during the handshake.
For further details, refer to the Algo TLS guide for SIP Signalling and HTTPS Provisioning.
4.8.1 Uploading Public CA Certificates to Algo SIP Endpoints
If a particular CA certificate was not installed at the factory, you can easily upload your own. To install the public CA
certificate on the Algo 8301, follow the steps below:
1. Obtain a public certificate from your Certificate Authority (Base64 encoded X.509 .pem, .cer, or .crt).
2. In the web interface of the Algo device, navigate to the Advanced Settings → File Manager tab.
3. Upload the certificate files into the 'certs/trusted' directory. Click the Upload button in the top left corner of the
file manager and browse to the certificate.
Reach out to support@algosolutions.com to get the complete list of trusted certificate authorities loaded at the
factory.
For SIP TLS, if the 'Validate Server Certificate' option is enabled in Advanced Settings → Advanced SIP tab, then the
device will validate the SIP server against common certificate authorities. To validate against additional certificates,
use the System → File Manager tab to upload a Base64 encoded X.509 certificate file in .pem, .cer, or .crt format to
the 'certs/trusted' folder.
For Provisioning, if HTTPS is selected and the 'Validate Server Certificate' option is enabled in the Advanced Settings
→ Provisioning tab, then the device will validate the server against common certificate authorities. To validate against
additional certificates, use the System → File Manager tab to upload a Base64 encoded X.509 certificate file in .pem,
.cer, or .crt format to the 'certs/trusted' folder.
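A pre-upload check for step 1, as an added example that is not part of the Algo documentation: .cer and .crt files are often exported as binary DER rather than Base64, so this confirms the encoding, rejects files that contain a private key, and records a SHA-256 fingerprint to compare with the one your CA publishes. The function name and sample bytes are assumptions; the check covers only the encoding and outer DER structure, not signatures or CA constraints.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed placeholder: a DER SEQUENCE holding 256 zero bytes, NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)


def _is_der_sequence(der: bytes) -> bool:
    """Outer-structure check only: SEQUENCE tag and a length that spans the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        header, length = 2, der[1]
    else:                                   # long-form length: next n bytes, big-endian
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def normalize_ca_file(raw: bytes):
    """Return (pem_text, [sha256 hex fingerprints]) for a PEM bundle or one DER cert."""
    if b"PRIVATE KEY-----" in raw:
        raise ValueError("file contains a private key; upload the public certificate only")
    ders = []
    for match in PEM_BLOCK.finditer(raw):
        try:
            ders.append(base64.b64decode(b"".join(match.group(1).split()), validate=True))
        except ValueError as exc:           # binascii.Error is a ValueError subclass
            raise ValueError("corrupt Base64 inside a PEM block") from exc
    if not ders:
        ders = [raw]                        # no PEM armour found: treat input as binary DER
    if not all(_is_der_sequence(d) for d in ders):
        raise ValueError("not a PEM or DER certificate (HTML error page, PKCS#7, truncated?)")
    pem = ""
    for der in ders:                        # re-armour as Base64 with 64-character lines
        b64 = base64.b64encode(der).decode("ascii")
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        pem += f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return pem, [hashlib.sha256(d).hexdigest() for d in ders]


if __name__ == "__main__":
    pem_text, fingerprints = normalize_ca_file(SAMPLE_DER)
    print(pem_text.splitlines()[0], fingerprints)
```

Write the returned PEM text to a .pem file and upload that file to 'certs/trusted' only after the fingerprint matches the CA's published value.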
4.8.2 HTTPS Provisioning
Provisioning can be secured by setting the ‘Download Method’ to ‘HTTPS’ (under the Advanced Settings →
Provisioning tab). This prevents configuration files from being read by an unwanted third party and addresses the
potential risk of having sensitive data stolen, such as admin passwords and SIP credentials.