26/1531-ANF 901 14 Uen S 2019-10-18 78
APPENDIX
Note: Keep the shell open. We will use it for openssl commands from time to time in
this chapter.
3. Now generate the TLS certificate request on the SBC. The request is signed by the
CA with openssl and becomes the server certificate once it is imported back into the
SBC.
Log on to Ingate as Admin via a web browser (if you open the browser on the Linux
machine, it is easier to download and upload files later) and go to
Basic Configuration->Certificates->Private Certificates: <Create New>
Name: TLS-CA_SIGNED
CN: <public IP address of the SBC> --> Create an X.509 certificate request
4. Download the output, certreq.req, to etc/pki/sbc
5. Sign the TLS request using the CA
>openssl x509 -req -in certreq.req -out sbccert.pem -CA CA.pem -CAkey private/cakey.pem -days 3650 -CAcreateserial -CAserial ca.seq
(-CA CA.pem must be given together with -CAkey, as in step 10; ca.seq is created on first use.)
Output: signed server certificate, sbccert.pem
6. On Ingate web, import the signed server certificate.
Go to Basic Configuration->Certificates-> <import> and upload “sbccert.pem”
--> Ingate should show “certificate has been imported”
Note: This certificate is the one referenced below in the rules that define what to authenticate to.
7. Go to SIP Services->Signaling Encryption: TLS CA Certificates.
8. Enable Client Certificate Check on SBC (mutual Authentication).
9. Go to SIP Services->Signaling Encryption:TLS Connections On Different IP
Address,
IP: outside (IP equal to CN in sbccert.pem), Own Certificate: the label name for
sbccert.pem
Use CN FQDN:No
Require Client Cert:Yes
Accept Methods: TLSv1
10. Generate a phone certificate (client certificate) and have it signed by the CA. First
the TLS certificate request is created, then it is signed by the CA:
>openssl req -new -newkey rsa:1024 -out phone_csr.pem -nodes -keyout private/phonekey.pem -days 3650 [answer the certificate questions accordingly; CN: Mitel IP Phone]
>openssl x509 -req -in phone_csr.pem -out phonecert.pem -CA CA.pem -CAkey private/cakey.pem -days 3650 -CAcreateserial -CAserial ca.seq
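Steps 5 and 10 carried through end to end and checked, as an added example that is not part of the original document: it recreates the Enterprise CA in a scratch directory, signs a stand-in SBC request and the phone request, and verifies both certificates against CA.pem. The SBC IP 203.0.113.10, the 2048-bit key size and the file names not named in the text are assumptions.

```shell
#!/bin/sh
# Added example (not from the original document). Assumptions: the Enterprise CA
# is private/cakey.pem + CA.pem as in the text, the SBC's public IP is the
# documentation address 203.0.113.10, and 2048-bit keys are used where the
# document's commands use rsa:1024.
set -eu

SBC_IP="203.0.113.10"   # constructed placeholder for the SBC public IP (its CN)

# Build CA, SBC server cert and phone client cert in $1 (a scratch directory).
# Prints the CN of the signed server certificate so the caller can check that it
# equals the IP bound under "TLS Connections On Different IP Address" (step 9).
build_mtls_certs() {
    dir="$1"
    mkdir -p "$dir/private" && cd "$dir"

    # Enterprise CA (the openssl CA from the earlier chapter, recreated here).
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -keyout private/cakey.pem -out CA.pem -subj "/CN=Enterprise CA" 2>/dev/null

    # Step 3 stand-in: the SBC's request with CN = its public IP. The real SBC
    # generates this itself; openssl plays that role here.
    openssl req -new -newkey rsa:2048 -nodes -keyout private/sbckey.pem \
        -out certreq.req -subj "/CN=$SBC_IP" 2>/dev/null

    # Step 5: sign the SBC request with the CA (-CA and -CAkey together).
    openssl x509 -req -in certreq.req -out sbccert.pem -CA CA.pem \
        -CAkey private/cakey.pem -days 3650 -CAcreateserial -CAserial ca.seq 2>/dev/null

    # Step 10: phone (client) request and CA-signed client certificate.
    openssl req -new -newkey rsa:2048 -nodes -keyout private/phonekey.pem \
        -out phone_csr.pem -subj "/CN=Mitel IP Phone" 2>/dev/null
    openssl x509 -req -in phone_csr.pem -out phonecert.pem -CA CA.pem \
        -CAkey private/cakey.pem -days 3650 -CAcreateserial -CAserial ca.seq 2>/dev/null

    # What each side checks at the handshake: the phone validates sbccert.pem
    # against CA.pem, and with "Require Client Cert: Yes" the SBC validates
    # phonecert.pem against the same CA. A failure here aborts the script.
    openssl verify -CAfile CA.pem sbccert.pem >/dev/null
    openssl verify -CAfile CA.pem phonecert.pem >/dev/null

    # Return the server certificate's subject; its CN must match the step 9 IP.
    openssl x509 -noout -subject -nameopt RFC2253 -in sbccert.pem | sed 's/^subject=//'
}
```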
21.1.2 CONFIGURE THE PHONES TO USE PERSISTENT MTLS
Copy the following certificate-related files from openssl (the Enterprise CA) to the
phones’ Configuration Management path, i.e. the same place where aastra.cfg/startup.cfg
is stored. When following chapter 19.5 How to enable security for home worker on Mitel
6700, 6800 and 6900 on page 72, the path would be /atHome.
CA.pem - public certificate of the CA that signed phonecert.pem
phonecert.pem - signed client certificate