User's manual

Mediant 1000
H.323 User's Manual 332 Document #: LTRT-83401
4. Copy this text and send it to your security provider; the security provider (also known
as a Certification Authority or CA) signs this request and sends you a server certificate for
the device.
5. Save the certificate in a file (e.g., cert.txt). Ensure the file is a plain-text file with the
‘BEGIN CERTIFICATE’ header. The figure below is an example of a Base64-Encoded
X.509 Certificate.
Figure 13-10: Example of a Base64-Encoded X.509 Certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
6. Before continuing, set the parameter HTTPSOnly = 0 to ensure you have a method of
accessing the device in case the new certificate doesn’t work. Restore the previous
setting after testing the configuration.
7. In the Certificates screen (Figure 13-9) locate the server certificate loading section.
8. Click Browse, navigate to the cert.txt file, and then click Send File.
9. When the operation is completed, save the configuration (Section 5.9.2 on page 193)
and restart the Mediant 1000; the Embedded Web Server uses the provided
certificate.
Notes:
The certificate replacement process can be repeated when necessary
(e.g., the new certificate expires).
It is possible to use the IP address of the Mediant 1000 (e.g., 10.3.3.1)
instead of a qualified DNS name in the Subject Name. This practice is
not recommended since the IP address is subject to changes and may
not uniquely identify the device.
The server certificate can also be loaded via ini file using the
parameter ‘HTTPSCertFileName’.
13.2.4 Client Certificates
By default, Web servers using SSL provide one-way authentication. The client is certain
that the information provided by the Web server is authentic. When an organizational PKI is
used, two-way authentication may be desired: both client and server should be
authenticated using X.509 certificates. This is achieved by installing a client certificate on
the managing PC, and loading the same certificate (in base64-encoded X.509 format) to
the Mediant 1000 Trusted Root Certificate Store. The Trusted Root Certificate file should
contain both the certificate of the authorized user and the certificate of the CA.
Since X.509 certificates have an expiration date and time, the Mediant 1000 must be
configured to use NTP (Section 9.8 on page 285) to obtain the current date and time.
Without a correct date and time, client certificates cannot work.
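A pre-upload sanity check for the files described in step 5 and in Section 13.2.4, as an added example that is not part of the original manual or the device software. It verifies only the PEM framing, Base64 validity and outer DER length of each block (catching stray characters or lines lost when copying), and does not check signatures, validity dates or subject names; the helper names and the placeholder sample are assumptions made for illustration.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def der_length_ok(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose length field matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem(text: str) -> list:
    """Return one (ok, reason) tuple per certificate block found in text."""
    results, body, inside = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == BEGIN:
            inside, body = True, []
        elif line == END and inside:
            inside = False
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error:
                results.append((False, "body is not valid Base64"))
                continue
            ok = der_length_ok(der)
            results.append((ok, "ok" if ok else "DER length mismatch (truncated?)"))
        elif inside:
            body.append(line)
    if inside:
        results.append((False, "missing END CERTIFICATE line"))
    return results

def to_pem(der: bytes) -> str:
    """Wrap DER bytes as PEM with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *rows, END]) + "\n"

# Constructed sample: a placeholder SEQUENCE, not a real certificate.
GOOD = to_pem(b"\x30\x82\x01\x00" + bytes(256))
if __name__ == "__main__":
    print(check_pem(GOOD + GOOD))          # two blocks, as in a trusted-root file
```

For a Trusted Root Certificate file, expect at least two results (the user certificate and the CA certificate), all reporting ok, before loading the file to the device.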