MediaPack SIP User’s Manual 216 Document #: LTRT-65405
Note 1: The certificate replacement process can be repeated when necessary (e.g., when the new certificate expires).
Note 2: It is possible to use the IP address of the MP-11x (e.g., 10.3.3.1) instead of a qualified DNS name in the Subject Name. This practice is not recommended, since the IP address is subject to change and may not uniquely identify the device.
Note 3: The server certificate can also be loaded via ini file using the parameter ‘HTTPSCertFileName’.
12.1.5 Client Certificates
By default, Web servers using SSL provide one-way authentication: the client is certain that the information provided by the Web server is authentic. When an organizational PKI is used, two-way authentication may be desired, i.e., both client and server should be authenticated using X.509 certificates. This is achieved by installing a client certificate on the managing PC, and loading the same certificate (in base64-encoded X.509 format) to the MP-11x Trusted Root Certificate Store. The Trusted Root Certificate file should contain both the certificate of the authorized user and the certificate of the CA.
Since X.509 certificates have an expiration date and time, the MP-11x must be configured to use NTP (Section 9.5 on page 194) to obtain the current date and time. Without a correct date and time, client certificates cannot work.
To install a client certificate, take these 6 steps:
1. Before continuing, set HTTPSOnly = 0 to ensure you have a method of accessing the device in case the client certificate doesn’t work. Restore the previous setting after testing the configuration.
2. Access the following URL (case-sensitive): https://[host name or IP address]/SSLCertificateSR; the Certificate Signing Request screen is displayed (Figure 12-2).
3. To load the Trusted Root Certificate file, locate the trusted root certificate loading section.
4. Click Browse and navigate to the file, then click Send File.
5. When the operation is completed, set the ini file parameter HTTPSRequireClientCertificates = 1.
6. Save the configuration (Section 5.9 on page 161) and restart the MP-11x.
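As an added example (not from the MediaPack manual or from AudioCodes), a stdlib-only Python pre-flight check for the Trusted Root Certificate file before it is sent in step 3: it parses each base64-encoded X.509 block, confirms the file holds at least the two certificates this section requires (the authorized user's and the CA's), and reads each certificate's notAfter so an expired one is caught before a device whose clock comes from NTP rejects it. The `fake_cert` helper, `SAMPLE_NOW` and the unsigned certificate-shaped sample bytes are constructed here so the check runs offline; for a real bundle, pass the file's text to `check_bundle`.

```python
import base64, re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)   # fixed "current time" for the sample run

def tlv(buf, off):
    """Decode one DER tag-length-value at off: (tag, value, offset after it)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                    # long-form length, as real certificates use
        n, ln = ln & 0x7F, 0
        for _ in range(n):
            ln, off = (ln << 8) | buf[off], off + 1
    return tag, buf[off:off + ln], off + ln

def children(value):                                 # (tag, value) elements inside a SEQUENCE body
    off = 0
    while off < len(value):
        tag, val, off = tlv(value, off)
        yield tag, val

def not_after(der_cert):
    tbs = next(children(tlv(der_cert, 0)[1]))[1]     # Certificate -> tbsCertificate
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    tag, stamp = list(children(fields[3][1]))[1]     # serial, sigAlg, issuer, validity{notBefore, notAfter}
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(stamp.decode(), fmt).replace(tzinfo=timezone.utc)

def check_bundle(pem_text, now):
    """The file must hold both the CA and the client certificate, none of them expired."""
    certs = [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text)]
    expired = sum(not_after(c) <= now for c in certs)
    return {"count": len(certs), "expired": expired, "ok": len(certs) >= 2 and expired == 0}

def der(tag, *parts):
    body = b"".join(parts)                           # short-form length only: the sample stays < 128 bytes
    return bytes([tag, len(body)]) + body

def fake_cert(not_after_utc):
    """Constructed, unsigned certificate-shaped DER used as sample input only; not a real certificate."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")),   # [0] version v3
              der(0x02, b"\x01"),                    # serialNumber
              der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSA OID
              der(0x30),                             # issuer (empty Name)
              der(0x30, der(0x17, b"240101000000Z"), der(0x17, not_after_utc.encode())))
    cert = der(0x30, tbs, der(0x30), der(0x03, b"\x00"))   # placeholder sigAlg + empty signature
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode() + "\n-----END CERTIFICATE-----\n"
```

A bundle with only one certificate, or with any expired certificate, reports `ok: False`; the check does not verify signatures or that the client certificate actually chains to the CA, which is the device's job once the file is loaded.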
When a user connects to the secure Web server:
 If the user has a client certificate from a CA listed in the Trusted Root Certificate file, the connection is accepted and the user is prompted for the system password.
 If both the CA certificate and the client certificate appear in the Trusted Root Certificate file, the user is not prompted for a password (thus providing a single-sign-on experience - the authentication is performed using the X.509 digital signature).
 If the user doesn’t have a client certificate from a listed CA, or doesn’t have a client certificate at all, the connection is rejected.
Note 1: The process of installing a client certificate on your PC is beyond the scope of this document. For more information, refer to your Web browser or operating system documentation, and/or consult your security administrator.
Note 2: The root certificate can also be loaded via ini file using the parameter ‘HTTPSRootFileName’.