Certificates

By using certificates you can use SIP TLS (Transport Layer Security) encrypting your SIP traffic. Certificates are used to verify the other end of a SIP connection is a known user, not an imposter.

The Internet Gate can use certificates created by other authorities, create its own certificates, or even create certificates for clients connecting to it.

:!: WARNING! All certificates are erased upon reset to factory defaults!
To avoid loosing your certificates make sure you make a backup copy using the Backup to file button on the Administration page.

You can access the SIP Certificates page by clicking the Certificates link at the bottom of the SIP page.

SIP Certificates in rel 5.30

Own and trusted certificates

There are two groups of certificates:

Own certificates are your own certificates that you can give to other SIP TLS clients, or use to sign certificates with. You use them to identify yourself to the remote client by presenting to it the certificate you once have given a copy of to it.

Trusted certificates are certificates that you have received from other SIP TLS clients. You use them to verify a connecting client's identity – if it is a valid client then it will use the same certificate you once have received from it.

Certificate authorities

You can either buy your certificates from external certificate authorities or make your own.

Both methods are equally secure, but using external certificate authorities makes certificates more traceable. Usually larger corporations demand use of certificate authorities, while a small company might just as well use self-signed certificates.

Certificate exchange

To set up a SIP TLS connection that uses certificates the two SIP TLS clients need to exchange certificates with each other. The certificate exchange is off-media – the certificates stored in files and exchanged between the clients using disc, USB memory stick or e-mail (not recommended) long time prior they connect for the first time (days or weeks before).

Certificate Bundle

To simplify managing a SIP TLS infrastructure where the Internet Gate is a SIP TLS server you can create Certificate Bundles. Then clients don't need to send their certificates to the Internet Gate server – it generates a suitable certificate for them and packs it together with its own public certificate into one single file to be loaded into the clients.

Own certificates

These are your own certificates that you can give to other SIP TLS clients, or use to sign certificates with. You use them to identify yourself to the remote client by presenting to it the certificate you once have given a copy of to it.

You can either create your own certificate, or import one created by some other certificate authority.

Most users only need one own certificate that is used for all SIP TLS connections. You are however free to create/import multiple certificates if needed.

:!: TLS is configured automatically on every network interface of Internet Gate if any certificates has been installed in it. This configuration can be overridden on the Advanced SIP Settings page.

Create your own certificate

You can create your own self-signed certificate using the Create button on the Certificate manager page.

In the window that appears you enter details about the certificate:

Subject name - (mandatory) unique, descriptive name of the person or purpose the certificate is for.

Organisation - (optional) organization the certificate is for. (For example your company.)

Organisation unit - (optional) organization unit the certificate is for. (For example your department.)

DNS name - (optional) DNS domain the certificate is for. (For example your dynDNS domain.)

E-mail - (optional) e-mail address of contact person for the certificate.

IP Address - (optional) IP address the certificate is for.

The signature algorithm used should be RSA/SHA1 for almost all users, except if the remote client has specifically requested DSS signatures.

The created self signed certificate and private key are stored in your Internet Gate. You are strongly recommended to immediately create a backup copy of them using the Backup to file button on the Administration page.
:!: Certificates are erased by reset to factory defaults!

You give away your own certificate to whoever remote SIP TLS client you want to call or want to be able to be called by. The Export button next to your certificate on the Certificate manager page creates a file containing your certificate that you can give away. (It does not contain your private key, as you should never give away your private key.)

The created file is of suitable format for importing into most common SIP TLS clients.

sip/certificates.txt · Last modified: 2010/11/19 10:59 by tibor
CC Attribution-Noncommercial-Share Alike 3.0 Unported
www.chimeric.de Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0