User's Manual

Certificate installation 455
The file signing certificate requires the following minimum attributes:
Version—3
Key Usage—Digital signature
Extended Key Usage—Code signing, secure e-mail
Key—1024 bits
In addition, the Signing Certificate cannot be a self-signed root certificate
and must have a valid Subject Key Identifier and an Authority Key Identifier
(which uniquely identifies the issuing certificate).
Certificate authority requirements
You can use many commercial CAs, or open source CAs such as OpenSSL
and EJBCA, to create and manage these certificates. The CA must meet
the following requirements:
The root certificate must be exportable in PEM format without the
private key.
The CA must be capable of issuing a Signing Certificate with the above
attributes and an exportable private key.
This requirement can require additional CA configuration. Often in
commercial CAs the private key is not exportable by default. However,
the Signing Certificate private key is only required if the CA does not
provide built-in support for the creation of detached PKCS7 signatures.
Signed file structure
A signed file consists of the following two parts:
original unsigned file content
digital signature
The two parts are appended together with the original unsigned file content
first, followed by the digital signature.
The signature must be in the form of a PKCS7 detached signature of the
file in PEM format. A detached signature is a signature that does not
embed the content that is signed. Figure 82 "Signed certificate file" (page
456) provides an example of a signed file.
ATTENTION
Do not insert additional characters between the two parts. Otherwise the
validation fails.
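The following is an added example, not part of the original manual or of Nortel's tooling. It splits a signed file into its two parts, checks the layout of the PEM block, and shows that one stray character between the parts changes the bytes the signature is checked against. The PEM label (the one OpenSSL emits for PKCS7 output), the function names and the sample data are assumptions; it does not verify the signature itself.

```python
import base64, binascii, hashlib

# Assumption: PEM label as emitted by OpenSSL for PKCS7 output.
BEGIN = b"-----BEGIN PKCS7-----"
END = b"-----END PKCS7-----"

def build_signed_file(content: bytes, signature_pem: bytes) -> bytes:
    """Append the PEM signature directly after the content, adding nothing in between."""
    return content + signature_pem

def split_signed_file(blob: bytes):
    """Return (content, signature_der); raise ValueError if the layout is wrong."""
    start = blob.rfind(BEGIN)
    if start < 0:
        raise ValueError("no PEM PKCS7 block found")
    content, pem = blob[:start], blob[start:]
    end = pem.find(END)
    if end < 0:
        raise ValueError("PEM block is not terminated")
    if pem[end + len(END):].strip(b"\r\n"):
        raise ValueError("unexpected data after the signature")
    body = b"".join(pem[len(BEGIN):end].split())
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("signature body is not valid base64") from exc
    if not der.startswith(b"\x30"):  # PKCS7 ContentInfo is a DER SEQUENCE
        raise ValueError("signature is not a DER SEQUENCE")
    return content, der

def digest(data: bytes) -> str:
    """SHA-256 of the bytes a detached signature would be checked against."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample: placeholder DER bytes, not a real signature.
SAMPLE_DER = b"\x30\x0b\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
SAMPLE_PEM = BEGIN + b"\n" + base64.b64encode(SAMPLE_DER) + b"\n" + END + b"\n"
SAMPLE_CONTENT = b"constructed file content\n"

if __name__ == "__main__":
    good = build_signed_file(SAMPLE_CONTENT, SAMPLE_PEM)
    bad = SAMPLE_CONTENT + b"\n" + SAMPLE_PEM  # one stray newline between parts
    for name, blob in (("good", good), ("bad", bad)):
        content, _ = split_signed_file(blob)
        print(name, digest(content) == digest(SAMPLE_CONTENT))
```

Because the signature is detached, everything before the PEM block counts as signed content, so the stray newline in the second case yields a different digest and validation fails.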
Nortel Communication Server 1000
IP Phones Fundamentals
NN43001-368 05.06 30 April 2010
Copyright © 2003-2010 Nortel Networks. All Rights Reserved.