User's Manual

MediaPack
SIP User's Manual 292 Document #: LTRT-65408
12.2.5 Client Certificates
By default, Web servers using SSL provide one-way authentication: the client verifies the
Web server's certificate, but the server does not verify the identity of the client. When an
organizational PKI is used, two-way authentication may be desired, in which both client and
server are authenticated using X.509 certificates. This is achieved by installing a client
certificate (together with its private key) on the managing PC, and loading the same
certificate (in base64-encoded X.509 format) to the MediaPack Trusted Root Certificate Store.
The Trusted Root Certificate file should contain both the certificate of the authorized user
and the certificate of the CA that issued it.
Since X.509 certificates have an expiration date and time, the MediaPack must be
configured to use NTP (Section 9.7 on page 253) to obtain the current date and time.
Without a correct date and time, the device cannot check certificate validity and client
certificates cannot work.
To install a client certificate, take these 6 steps:
1. Before continuing, set HTTPSOnly = 0 to ensure you have a method of accessing the
device in case the client certificate doesn’t work. Restore the previous setting after
testing the configuration.
2. Open the ‘Certificates’ screen (Advanced Configuration menu > Security Settings
submenu > Certificates option); the ‘Certificates’ screen is displayed (Figure 12-9).
3. To load the Trusted Root Certificate file, locate the trusted root certificate loading
section.
4. Click Browse, and navigate to the file, and then click Send File.
5. When the operation is completed, set the ini file parameter,
HTTPSRequireClientCertificates = 1.
6. Save the configuration (Section 5.10.2 on page 205) and restart the MediaPack.
When a user connects to the secure Web server:
- If the user has a client certificate from a CA listed in the Trusted Root Certificate file,
the connection is accepted and the user is prompted for the system password.
- If both the CA certificate and the client certificate appear in the Trusted Root
Certificate file, the user is not prompted for a password (thus providing a single-sign-on
experience; the authentication is performed using the X.509 digital signature). In this
mode, possession of the client certificate's private key alone grants access to the device,
so that key must be protected at least as carefully as the system password.
- If the user doesn't have a client certificate from a listed CA, or doesn't have a client
certificate at all, the connection is rejected.
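The following shell script is an added example and is not part of the AudioCodes manual or the MediaPack firmware. It prepares the Trusted Root Certificate file described above with the openssl command-line tool and runs the checks a practitioner wants before uploading it: the file holds two certificates, the client certificate validates against the file, the file actually contains the client certificate's issuing CA (the common mistake behind an unexpected "connection rejected"), and neither certificate has expired. The lab CA ("Lab Root CA"), the client identity ("mediapack-admin"), the file name root.pem and the working directory are assumptions; a real deployment would use certificates issued by the organizational PKI instead of the throwaway ones generated here.

```shell
#!/bin/sh
# Added example, not from the AudioCodes manual: prepare and sanity-check the
# Trusted Root Certificate file (base64/PEM X.509) before uploading it to the
# MediaPack. A throwaway lab CA and client certificate are generated on the fly;
# the names "Lab Root CA", "mediapack-admin" and "root.pem" are assumptions.
# Requires the openssl command-line tool (1.1.1 or later).
set -eu

WORK=$(mktemp -d)

# Constructed test data: a self-signed lab CA and one client certificate it issues.
make_lab_pki() {
    # Minimal req config so the example does not depend on the system openssl.cnf.
    printf '%s\n' "[req]" "distinguished_name = dn" "x509_extensions = ca_ext" "[dn]" \
        "[ca_ext]" "basicConstraints = critical,CA:TRUE" \
        "keyUsage = critical,keyCertSign,cRLSign" "subjectKeyIdentifier = hash" \
        > "$WORK/req.cnf"
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Lab Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=mediapack-admin" -keyout "$WORK/admin.key" -out "$WORK/admin.csr" >/dev/null 2>&1
    # End-entity extensions for the client certificate (not a CA, client auth only).
    printf '%s\n' "basicConstraints = CA:FALSE" "keyUsage = critical,digitalSignature" \
        "extendedKeyUsage = clientAuth" > "$WORK/client.ext"
    openssl x509 -req -sha256 -days 90 -in "$WORK/admin.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/client.ext" \
        -out "$WORK/admin.pem" >/dev/null 2>&1
}

# The manual wants both the authorized user's certificate and the CA certificate
# in one base64 (PEM) file: concatenate the two PEM blocks.
build_trusted_root_file() {
    cat "$WORK/admin.pem" "$WORK/ca.pem" > "$1"
}

# Number of certificates in a PEM bundle; two for the file described above.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Can the client certificate be validated using only the uploaded file as the
# trust store? This is what the device has to do when the browser presents it.
chain_is_valid() {
    openssl verify -CAfile "$1" "$WORK/admin.pem" >/dev/null 2>&1
}

# A file holding the client certificate but not its issuing CA is the usual
# mistake: check that the issuer of admin.pem appears as a subject in the bundle.
bundle_contains_issuer() {
    issuer=$(openssl x509 -in "$WORK/admin.pem" -noout -issuer -nameopt RFC2253)
    rm -f "$WORK"/split-*.pem
    awk -v dir="$WORK" '/-----BEGIN CERTIFICATE-----/{n++} {print > (dir "/split-" n ".pem")}' "$1"
    for c in "$WORK"/split-*.pem; do
        subject=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253)
        [ "${subject#subject=}" = "${issuer#issuer=}" ] && return 0
    done
    return 1
}

# Expiry check: -checkend 0 fails once notAfter is in the past. On the device this
# comparison is only meaningful if its clock is right, hence the NTP requirement.
not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

make_lab_pki
build_trusted_root_file "$WORK/root.pem"
if chain_is_valid "$WORK/root.pem" && bundle_contains_issuer "$WORK/root.pem" \
   && not_expired "$WORK/admin.pem" && not_expired "$WORK/ca.pem"; then
    echo "OK: $WORK/root.pem holds $(count_certs "$WORK/root.pem") certificates;"
    echo "    upload it as the Trusted Root Certificate file (or via HTTPSRootFileName),"
    echo "    then set HTTPSRequireClientCertificates = 1 and reset the device."
else
    echo "NOT OK: fix the bundle before setting HTTPSRequireClientCertificates = 1" >&2
fi
```

Run the checks against the file you intend to upload rather than against certificates on the PC: the device only sees what is in the bundle, and a client certificate whose CA is missing from it is rejected at the TLS handshake, before any password prompt. Keep HTTPSOnly = 0 until the checks pass and an HTTPS login with the certificate has been confirmed.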
Notes:
The process of installing a client certificate on your PC is beyond the
scope of this document. For more information, refer to your Web
browser or operating system documentation, and/or consult your
security administrator.
The root certificate can also be loaded via ini file using the
parameter ‘HTTPSRootFileName’.