Services between the system and applications may, depending on the settings of the service being used for the connection, require the exchange of security certificates. The system can either generate its own certificate, or certificates provided by a trusted source can be loaded.

**Warning:** The process of 'on-boarding' (see the IP Office SSL VPN Solutions Guide) automatically adds a certificate for the SSL VPN to the system's security settings when the on-boarding file is uploaded to the system. Care should be taken not to delete such certificates except when advised by Avaya.
Field | Description
---|---
**Identity Certificate** | The Identity Certificate is an X.509v3 certificate that identifies the system to a connecting client device (usually a PC running an application). This certificate is offered in the TLS exchange when the system is acting as a TLS server, which occurs when accessing a secured service. An identity certificate can also be used when IP Office acts as a TLS client and the TLS server requires IP Office to send a client certificate. By default, the system's own self-generated certificate is used. A certificate is advertised when the Service Security Level is set to a value other than Unsecure Only. The certificate can take up to one minute to generate. During this time, normal system operation is suspended. You can regenerate the certificate by clicking Delete. Regenerating a certificate may impact system performance. Perform this action during a maintenance window. Use the Set command to replace the system-generated certificate with an external certificate.
Offer Certificate | Default = On. This is a fixed value for indication purposes only. It shows whether the system offers a certificate in the TLS exchange when IP Office is acting as a TLS server, which occurs when accessing a secured service.
Offer ID Certificate Chain | Default = Off. When set to On, IP Office advertises a chain of certificates during TLS session establishment. The chain is built starting with the identity certificate and then adding every certificate that can be found in the IP Office Trusted Certificate Store based on the Common Name in the "Issued By" Subject Distinguished Name field of each certificate already in the chain. If the Root CA certificate is found in the IP Office Trusted Certificate Store, it is included in the chain. A maximum of six certificates is supported in the advertised chain.
Signature | Default = SHA256/RSA2048. This setting configures both the signature algorithm and the RSA key length used when generating the IP Office identity certificate. The options are: If any other combination is needed, the Security Administrator must construct the IP Office identity certificate outside of Manager and use the Set action to install it.
Private Key | Default = System generated random value. A blank field is displayed. Use this field to enter a private key. If you set a private key, it is only used for self-signed certificates. To apply the private key, you must click Delete to generate a new certificate.
Issued to | Default = IP Office identity certificate. Common name of the issuer in the certificate.
Default Subject Name | Default = None.
Subject Alternative Name(s) | Default = None.
Set | Sets the current certificate and associated private key. The certificate and key must be a matching pair. The source may be: IP Office supports certificates with RSA key sizes of 1024, 2048 and 4096 bits. Using an RSA key size of 4096 may impact system performance. The recommended key size is 2048. IP Office supports the signature algorithms SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512. Using a signature algorithm larger than SHA-256 may impact system performance. The recommended signature algorithm is SHA-256. Using a file as the certificate source: in Manager, when using the file option, the imported "p12", "pfx" or "cer" file used to set the identity certificate can only contain the private key and identity certificate data. It cannot contain additional Intermediate CA certificates or the Root CA certificate. The Intermediate CA certificates or the Root CA certificate must be imported separately into the IP Office Trusted Certificate Store. This does not apply to Web Manager.
View | View the current certificate. The certificate (not the private key) may also be installed into the local PC certificate store for export or for later use when running Manager in secured mode.
Delete | Deletes the current certificate, after which the system generates a new certificate. This can take up to one minute. During this time, normal system operation is suspended. Regenerating a certificate may impact system performance. Perform this action during a maintenance window.
Use Different Identity Certificate for Telephony | Default = Off. When set to Off, all secure communications use the default identity certificate and settings. When set to On, telephony-related secure communications use a separate identity certificate that must be set by the Security Administrator.
Received Certificate Checks (Management Interface) | Default = None. This setting is used for configuration administration connections to the system by applications such as Manager. When the Service Security Level of the service being used is set to High, a certificate is requested by the system. The received certificate is tested as follows:
Received Certificate Checks (Telephony Endpoints) | Default = None. This setting is used with IP telephony endpoints connecting to the system. IP Office uses it to validate the identity certificate offered by the other end of the TLS connection. IP Office does not support mutual authentication for SIP terminals (an identity certificate is not installed in all SIP terminals). Therefore, IP Office does not require a client certificate from a SIP terminal, only from SIP and SM trunks. The received certificate is tested as follows:
**Trusted Certificate Store: Installed Certificates** | Default = A set of fixed Avaya-provided Intermediate CA or Root CA certificates. The certificate store contains a set of trusted certificates used to evaluate received client certificates. Up to 25 X.509v3 certificates may be installed. The source may be:
Add | Sets the current certificate and associated private key. The certificate and key must be a matching pair. The source may be: IP Office supports certificates with RSA key sizes of 1024, 2048 and 4096 bits. Using an RSA key size of 4096 may impact system performance. The recommended key size is 2048. IP Office supports the signature algorithms SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512. Using a signature algorithm larger than SHA-256 may impact system performance. The recommended signature algorithm is SHA-256.
View | View the current certificate. The certificate (not the private key) may also be installed into the local PC certificate store for export or for later use when running Manager in secured mode.
Delete | Delete the current certificate.
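The chain assembly described for the Offer ID Certificate Chain setting, as an added example that is not Avaya's or IP Office's code: certificates are constructed dicts carrying only the Subject and Issuer Common Names (the fields the described lookup uses), the six-certificate limit follows the setting's description, and treating a chain as complete only when it ends at a self-issued root CA is an assumption of this example, not a statement from the page.

```python
# Added example (not Avaya's code): models how the "Offer ID Certificate Chain"
# setting assembles the advertised chain. Each certificate is a constructed dict
# with just its Subject CN and Issuer CN, which is all the described lookup needs.

MAX_CHAIN_LENGTH = 6  # limit stated for the advertised chain


def build_id_chain(identity_cert, trusted_store, max_len=MAX_CHAIN_LENGTH):
    """Return the chain IP Office would advertise for identity_cert.

    Start with the identity certificate, then repeatedly look in the trusted
    store for a certificate whose Subject CN equals the current certificate's
    Issuer CN. Stop when a self-issued root CA has been added, when no issuer
    is present in the store, or when the chain reaches max_len entries.
    """
    chain = [identity_cert]
    seen = {identity_cert["subject_cn"]}
    current = identity_cert
    while len(chain) < max_len:
        if current["subject_cn"] == current["issuer_cn"]:
            break  # self-issued: root CA (or a self-signed identity) ends the walk
        issuer = next(
            (c for c in trusted_store if c["subject_cn"] == current["issuer_cn"]),
            None,
        )
        if issuer is None or issuer["subject_cn"] in seen:
            break  # issuer not in the Trusted Certificate Store, or a loop
        chain.append(issuer)
        seen.add(issuer["subject_cn"])
        current = issuer
    return chain


def chain_is_complete(chain):
    """Assumption of this example: complete means it ends at a self-issued root."""
    last = chain[-1]
    return last["subject_cn"] == last["issuer_cn"]


# Constructed sample data: an identity certificate issued by an intermediate CA,
# which in turn is issued by a root CA.
IDENTITY = {"subject_cn": "ipoffice.example.internal", "issuer_cn": "Example Issuing CA"}
INTERMEDIATE = {"subject_cn": "Example Issuing CA", "issuer_cn": "Example Root CA"}
ROOT = {"subject_cn": "Example Root CA", "issuer_cn": "Example Root CA"}

if __name__ == "__main__":
    # With both CA certificates in the store the chain ends at the root; with
    # only the intermediate installed, the advertised chain stops short of it.
    for store in ([INTERMEDIATE, ROOT], [INTERMEDIATE]):
        chain = build_id_chain(IDENTITY, store)
        print([c["subject_cn"] for c in chain], chain_is_complete(chain))
```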
Field | Description
---|---
**SCEP Settings** | The Simple Certificate Enrollment Protocol (SCEP) is intended to ease the issuing of certificates in a network where numerous devices use certificates. Rather than individually administering the certificate used by each device, the devices can be configured to request a certificate using SCEP. These settings are relevant for IP Office Branch deployments. They are not used in IP Office Standard mode.
Active | Default = Off.
Request Interval (seconds) | Default = 120 seconds. Range = 5 to 3600 seconds.
SCEP Server IP/Name | Default = Blank.
SCEP Server Port | Default = 80 for HTTP and 443 for HTTPS.
SCEP URI | Default = /ejbca/publicweb/apply/scep/pkiclient.exe
SCEP Password | Default = Blank.