Implement X.509 Certificates for SIPS (TLS) Sessions
It's highly recommended to implement the X.509 certificate authentication mechanism for enhancing and strengthening TLS. X.509 is an ITU-T standard for Public Key Infrastructure (PKI).
The device supports the configuration of multiple TLS certificates, referred to as TLS Contexts. TLS Contexts are assigned to Proxy Sets and/or SIP Interfaces, thereby enabling specific calls to use specific TLS certificates.
The device is shipped with a working TLS configuration (TLS Context ID 0), consisting of a unique Self-Signed Server Certificate. Self-Signed Certificate is the simplest form of an X.509 Certificate that is issued by the device itself without the use of any certificate signer (CA). The Self-Signed Certificate consists of the Public Key of the device that is signed by the Private Key of the device itself. However, use of this certificate is strongly discouraged. The Self-Signed Certificate is typically used in testing environments or for a low-scale deployment where solution security may be sacrificed in favor of simplified configuration procedures. The Self-Signed Certificate does not utilize CA trust relationships and its authenticity cannot be reliably verified. Instead, you should establish a PKI for your organization (provided by your security administrator) and use certificates signed by genuine CAs.
In a typical PKI scheme, Certificates are issued by a CA and provide an attestation by the CA that the identity information and the public key belong together. Each party has a list of Trusted Root Certificates – certificates of the CAs (or their roots) that are well-known and trusted by the party. When the certificate from the other party is received, its signing entity (CA) is compared with the Trusted Root Certificates list and if a match is found, the certificate is accepted.
The device uses the following files to implement X.509 PKI:
| ■ | Private Key File: This file contains a private key that is used to perform decryption. It's the most sensitive part of security data and should never be disclosed to other entities. |
| ■ | Certificate File: This file contains a digital signature that binds together the Public Key with identity information. The Certificate may be issued by a CA or self-signed (issued by the device itself, which is not recommended – see above). |
| ■ | Trusted Root Certificate File: This file is the certificate of the Trusted Root CA used to authorize certificates received from remote parties, based on the identity of the CA that issued it. If the root certificate of this CA matches one of the Trusted Root Certificates, the remote party is authorized. |