Installation guide
26/1531-ANF 901 14 Uen E10 2014-01-22 87
APPENDIX
Create a CA
>openssl genrsa -aes256 -out private/cakey.pem 1024
[password: test]
>openssl req -new -x509 -days 3650 -key private/cakey.pem -out ca.pem -set_serial 1
[answer cert questions accordingly]
Keep the shell open; it is used for further openssl commands throughout
this chapter. Now generate the TLS certificate request on the SBC. The
CA created with openssl signs this request, and the signed result becomes
the server certificate once it is imported back to the SBC.
Log on to the Ingate as Admin via a web browser (opening the browser on
the Linux machine makes it easier to download and upload files later) and
go to
Basic Configuration->Certificates->Private Certificates: <Create New>
- Name: TLS-CA_SIGNED
- CN: <public IP address of the SBC> --> Create an X.509 certificate request
Download the output, certreq.req, to etc/pki/sbc
Sign the TLS request using the CA
>openssl x509 -req -in certreq.req -out sbccert.pem -CA ca.pem -CAkey private/cakey.pem -days 3650 -CAcreateserial -CAserial ca.seq
Output: signed server certificate, sbccert.pem
On the Ingate web interface, import the signed server certificate. Go to
Basic Configuration->Certificates-> <import> and upload “sbccert.pem”
--> Ingate should show “certificate has been imported”.
This certificate shall now be used in the rules on what to authenticate
to. Go to SIP Services->Signaling Encryption: TLS CA Certificates.
Enable Client Certificate Check on the SBC (mutual authentication). Go to
SIP Services->Signaling Encryption: TLS Connections On Different IP
Address:
- IP: outside (IP equal to CN in sbccert.pem)
- Own Certificate: the label name for sbccert.pem
- Use CN FQDN: No
- Require Client Cert: Yes
- Accept Methods: TLSv1
Generate a phone certificate (client certificate) and sign it with the CA.
First a TLS certificate request is created, and then it is signed by the CA.
>openssl req -new -newkey rsa:1024 -out phone_csr.pem -nodes -keyout private/phonekey.pem -days 3650
[answer cert questions accordingly] CN: Aastra IP Phone
>openssl x509 -req -in phone_csr.pem -out phonecert.pem -CA ca.pem -CAkey private/cakey.pem -days 3650 -CAcreateserial -CAserial ca.seq
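A check worth running on sbccert.pem and phonecert.pem after each signing step and before import: that the certificate chains to ca.pem and carries the public key from its request (the SBC request was generated on the SBC, so the request is what is available to compare against on the CA machine). This is an added example, not part of the original guide; check_issued, pubkey_of, make_demo, other_ca.pem and other_csr.pem are hypothetical names, and the demo runs on constructed throwaway keys (2048-bit, unencrypted) rather than the files from the steps above.

```shell
#!/bin/sh
# Added example (not from the original guide): check an issued certificate
# before importing it into the SBC or the phone.

# Print the PEM public key inside a certificate (x509) or a request (req).
pubkey_of() { openssl "$1" -in "$2" -noout -pubkey 2>/dev/null; }

# check_issued CA_CERT ISSUED_CERT CSR
# Prints "ok" and returns 0 only if the certificate chains to the CA and
# carries the same public key as the request it was issued from.
check_issued() {
    ca=$1 cert=$2 csr=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "not signed by this CA"; return 1; }
    cert_pub=$(pubkey_of x509 "$cert") || cert_pub=""
    csr_pub=$(pubkey_of req "$csr") || csr_pub=""
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$csr_pub" ]; then
        echo "public key differs from request"; return 1
    fi
    echo "ok"
}

# Constructed throwaway material for the demo: unencrypted keys, 1-day
# validity, made-up subjects. File names follow the guide where it has them;
# other_ca.pem and other_csr.pem are hypothetical negative-test inputs.
make_demo() {
    mkdir -p "$1/private" && ( cd "$1" &&
    openssl req -new -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
        -keyout private/cakey.pem -out ca.pem -days 1 -set_serial 1 &&
    openssl req -new -x509 -newkey rsa:2048 -nodes -subj "/CN=Other CA" \
        -keyout private/otherkey.pem -out other_ca.pem -days 1 &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Aastra IP Phone" \
        -keyout private/phonekey.pem -out phone_csr.pem &&
    openssl req -new -key private/otherkey.pem -subj "/CN=other" \
        -out other_csr.pem &&
    openssl x509 -req -in phone_csr.pem -out phonecert.pem -CA ca.pem \
        -CAkey private/cakey.pem -days 1 -CAcreateserial -CAserial ca.seq
    ) >/dev/null 2>&1
}

demo=$(mktemp -d) && make_demo "$demo"
check_issued "$demo/ca.pem" "$demo/phonecert.pem" "$demo/phone_csr.pem"
check_issued "$demo/other_ca.pem" "$demo/phonecert.pem" "$demo/phone_csr.pem" || true
check_issued "$demo/ca.pem" "$demo/phonecert.pem" "$demo/other_csr.pem" || true
```

For the SBC certificate, the equivalent call in the CA directory is `check_issued ca.pem sbccert.pem certreq.req`.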