
Certificates

Navigation: Security Manager > Certificates

Services between the system and applications may, depending on the settings of the service being used for the connection, require the exchange of security certificates. The system can either generate its own certificate or certificates provided from a trusted source can be loaded.

Warning

The process of 'on-boarding' (see IP Office SSL VPN Solutions Guide) automatically adds a certificate for the SSL VPN to the system's security settings when the on-boarding file is uploaded to the system. Care should be taken not to delete such certificates except when advised by Avaya.

Field Description
Identity Certificate:

The Identity Certificate is an X.509v3 certificate that identifies the system to a connecting client device (usually a PC running an application). This certificate is offered in the TLS exchange when the system is acting as a TLS server, which occurs when accessing a secured service. An identity certificate can also be used when IP Office acts as a TLS client and the TLS server requires IP Office to send a client certificate.

By default, the system's own self-generated certificate is used. A certificate is advertised when the Service Security Level is set to a value other than Unsecure Only. The certificate can take up to one minute to generate. During this time, normal system operation is suspended. You can regenerate the certificate by clicking Delete. Regenerating a certificate may impact system performance. Perform this action during a maintenance window.

Use the Set command to replace the system generated certificate with an external certificate.

Offer Certificate Default = On.

This is a fixed value for indication purposes only. This sets whether the system will offer a certificate in the TLS exchange when the IP Office is acting as a TLS server, which occurs when accessing a secured service.

Offer ID Certificate Chain Default = Off.

When set to On, this setting instructs IP Office to advertise a chain of certificates in the TLS session establishment. The chain of certificates is built starting with the identity certificate and adding to the chain all certificates it can find in the IP Office Trusted Certificate Store based on the Common Name found in the "Issued By" Subject Distinguished Name field in each of the certificates in the chain. If the Root CA certificate is found in the IP Office Trusted Certificate Store, it will be included in the chain of certificates. A maximum of six certificates are supported in the advertised chain of certificates.

Signature Default = SHA256/RSA2048.

This setting configures both the signature algorithm and the RSA key length to use when generating the IP Office identity certificate. The options are:

  • SHA256/RSA2048

  • SHA1/RSA1024

If any other combinations are needed, the Security Administrator will need to construct the IP Office identity certificate outside of Manager and use the Set action to install it.

Private Key Default = System generated random value. A blank field is displayed.

Use this field to enter a private key. If you set a private key, it is only used in the case of self-signed certificates. To set the private key, you must click Delete to generate a new certificate.

Issued to Default = IP Office identity certificate.

Common name of issuer in the certificate.

Default Subject Name Default = None.
Subject Alternative Name(s) Default = None.
Set: Set the current certificate and associated private key. The certificate and key must be a matching pair. The source may be:

  • Current User Certificate Store.

  • Local Machine Certificate Store.

  • File in the PKCS#12 (.pfx) format

  • Pasted from clipboard in PEM format, including header and footer text.

    This method must be used for PEM (.cer) and password protected PEM (.cer) files. The identity certificate requires both the certificate and private key. The .cer format does not contain the private key. For these file types select Paste from clipboard and then copy the certificate text and private key text into the Certificate Text Capture window.

IP Office supports certificates with RSA key sizes of 1024, 2048 and 4096 bits. The use of RSA key size 4096 may impact system performance. The recommended key size is 2048.

IP Office supports signature algorithms of SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512. Using a signature algorithm larger than SHA-256 may impact system performance. The recommended signature algorithm is SHA-256.

Using a file as the certificate source

In Manager, when using the file option, the imported ".p12", ".pfx" or ".cer" file used to set the identity certificate can only contain the private key and identity certificate data. It cannot contain additional Intermediate CA certificates or the Root CA certificate. The Intermediate CA certificates or the Root CA certificate must be imported separately into the IP Office Trusted Certificate Store.

This does not apply to Web Manager.

Note

Web Manager does not accept the file of type "cer" with extension ".cer". This file type can only be used in Manager.

View: View the current certificate. The certificate (not the private key) may also be installed into the local PC certificate store for export or later use when running Manager in secured mode.
Delete: Deletes the current certificate and the system generates a new certificate. This can take up to one minute. During this time, normal system operation is suspended.

Regenerating a certificate may impact system performance. Perform this action during a maintenance window.

 
Use Different Identity Certificate for Telephony Default = Off.

When set to Off, all secure communications use the default identity certificate and settings.

When set to On, telephony related secure communications use a separate identity certificate that must be set by the Security Administrator.

Received Certificate Checks (Management Interface) Default = None.

This setting is used for configuration administration connections to the system by applications such as Manager. When the Service Security Level of the service being used is set to High, a certificate is requested by the system. The received certificate is tested as follows:

  • None: No extra checks are made (The certificate must be in date).

  • Low: Certificate minimum key size 1024 bits, in date.

  • Medium: Certificate minimum key size 1024 bits, in date, match to store.

  • High: Certificate minimum key size 2048 bits, in date, match to store, no self signed, no reflected, chain validation.

Received Certificate Checks (Telephony Endpoints) Default = None.

This setting is used with IP telephony endpoints connecting to the system.

This setting is used by IP Office to validate the identity certificate offered by the other end of the TLS connection. IP Office does not support mutual authentication for SIP terminals (an identity certificate is not installed in all SIP terminals). Therefore, IP Office does not require a client certificate from a SIP terminal, only from SIP and SM trunks.

The received certificate is tested as follows:

  • None: No extra checks are made (The certificate must be in date).

  • Low: Certificate minimum key size 1024 bits, in date.

  • Medium: Certificate minimum key size 1024 bits, in date, match to store.

  • High: Certificate minimum key size 2048 bits, in date, match to store, no self signed, no reflected, chain validation.
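The chain-building rule described under Offer ID Certificate Chain and the four Received Certificate Checks levels (None, Low, Medium, High), modelled in Python as an added example; this is not Avaya code, a minimal constructed certificate record stands in for X.509 parsing, and the meanings of "match to store", "reflected" and "chain validation" are the interpretations stated in the comments.

```python
from dataclasses import dataclass
from datetime import date
@dataclass(frozen=True)
class Cert:  # only the X.509 fields the IP Office rules refer to (constructed stand-in, not a parser)
    subject_cn: str
    issuer_cn: str
    key_bits: int
    not_before: date
    not_after: date

    def self_signed(self):
        return self.subject_cn == self.issuer_cn
def build_chain(identity, store, limit=6):
    """Offer ID Certificate Chain: identity first, then follow each 'Issued By' CN into the store."""
    chain = [identity]
    while len(chain) < limit and not chain[-1].self_signed():
        issuer = next((c for c in store if c.subject_cn == chain[-1].issuer_cn), None)
        if issuer is None or issuer in chain:
            break  # issuer not in the trusted store (or a loop): offer what was found so far
        chain.append(issuer)
    return chain
def check_received(cert, store, level, today, own_identity=None):
    """Received Certificate Checks; returns the list of failed checks, so [] means accepted."""
    failures = []
    if not (cert.not_before <= today <= cert.not_after):
        failures.append("not in date")
    if level == "None":
        return failures
    min_bits = 2048 if level == "High" else 1024
    if cert.key_bits < min_bits:
        failures.append(f"key shorter than {min_bits} bits")
    if level in ("Medium", "High"):
        # 'match to store' is interpreted here as: the certificate, or its issuer, is in the store
        if cert not in store and not any(c.subject_cn == cert.issuer_cn for c in store):
            failures.append("no match to store")
    if level == "High":
        if cert.self_signed():
            failures.append("self signed")
        if own_identity is not None and cert == own_identity:
            failures.append("reflected (our own identity certificate sent back to us)")
        root = build_chain(cert, store)[-1]  # chain validation: must end at a trusted self-signed root
        if not (root.self_signed() and root in store):
            failures.append("chain does not reach a trusted root")
    return failures

# Constructed sample PKI: root -> issuing CA -> IP Office identity; both CAs sit in the trusted store.
ROOT = Cert("Example Root CA", "Example Root CA", 4096, date(2020, 1, 1), date(2040, 1, 1))
ISSUER = Cert("Example Issuing CA", "Example Root CA", 2048, date(2021, 1, 1), date(2031, 1, 1))
IDENTITY = Cert("ipoffice.example.test", "Example Issuing CA", 2048, date(2024, 1, 1), date(2026, 1, 1))
STORE = [ROOT, ISSUER]
```

Calling `build_chain(IDENTITY, STORE)` yields the three-certificate chain the system would advertise, and `check_received(cert, STORE, level, today)` returns the reasons a received certificate would be rejected at each level.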

Trusted Certificate Store: Installed Certificates Default = A set of fixed Avaya provided Intermediate CA or Root CA certificates.

The certificate store contains a set of trusted certificates used to evaluate received client certificates. Up to 25 X.509v3 certificates may be installed. The source may be:

  • Current User Certificate Store.

  • Local Machine Certificate Store.

  • File in one of the following formats:
    • PKCS#12 (.pfx)

    • PEM (.cer)

    • password protected PEM (.cer)

    • DER (.cer)

    • password protected DER (.cer)

  • Pasted from clipboard in PEM format, including header and footer text.

Add: Set the current certificate and associated private key. The certificate and key must be a matching pair. The source may be:

  • Current User Certificate Store.

  • Local Machine Certificate Store.

  • File in one of the following formats:
    • PEM (.cer)

    • password protected PEM (.cer)

    • DER (.cer)

    • password protected DER (.cer)

  • Pasted from clipboard in PEM format, including header and footer text.

    This method must be used for PKCS#12 (.pfx) files. The PKCS#12 (.pfx) format contains a private key, and a trusted certificate cannot contain a private key. For this file type, select Paste from clipboard and then copy the certificate text into the Certificate Text Capture window.

IP Office supports certificates with RSA key sizes of 1024, 2048 and 4096 bits. The use of RSA key size 4096 may impact system performance. The recommended key size is 2048.

IP Office supports signature algorithms of SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512. Using a signature algorithm larger than SHA-256 may impact system performance. The recommended signature algorithm is SHA-256.

View: View the current certificate. The certificate (not the private key) may also be installed into the local PC certificate store for export or later use when running Manager in secured mode.
Delete: Delete the current certificate.
 
SCEP Settings

The Simple Certificate Enrollment Protocol is a protocol intended to ease the issuing of certificates in a network where numerous devices are using certificates. Rather than having to individually administer the certificate being used by each device, the devices can be configured to request a certificate using SCEP.

These settings are relevant for IP Office Branch deployments.

These settings are not used in IP Office Standard mode.

Active Default = Off.
Request Interval (seconds) Default = 120 seconds. Range = 5 to 3600 seconds.
SCEP Server IP/Name Default = Blank.
SCEP Server Port Default = 80 for HTTP and 443 for HTTPS.
SCEP URI Default = /ejbca/publicweb/apply/scep/pkiclient.exe
SCEP Password Default = Blank.