7.ip_phone:features_and_configurations:how_to_setup_tls [2019/01/29 17:44]
inn
— (current)
Line 1: Line 1:
-====== How to setup TLS configuration ====== 
-===== About This Manual ===== 
-<fs medium><​ff sans-serif>​This manual introduces how to apply TSL certificates to Akuvox IP Phone, and provides a sample of generating and uploading certificates to server and IP Phone step by step. 
-The manual is applicable to Akuvox R5X,R6X with the firmware version 5.0 or later.</​ff></​fs> ​ 
- 
-===== Introduction ===== 
-<fs medium><​ff sans-serif>​Since there is no specific security protocols for SIP, similar to HTTPS and FTPS, we usually encrypt the protocol with TLS to ensure the transmission security of SIP messages. The main working process of TLS includes establish network-connection,​ select the encryption and compression method relate to the connection, recognize bilateral identities, confirm the password of this transmission,​ encrypted data transmission and close the connection. (For more details, please refers to https://​en.wikipedia.org/​wiki/​Public_key_certificate#​TLS_version_1.1) 
-In the encryption protocols of network communication,​ a digital certificate is required for providing the public key and private key to transmit the encrypted informations or decrypt received informations. During the handshaking process of TLS, the client has to negotiate the keys, encryption algorithm and so on with the server, the server has to send its certificate to client for identification. ​ 
-The Akuvox IP Phone (consult us for firmware version) supports TLS v1.0 transmission and X.509 certificate standard, users can enable or disable the connection with the server which used un-trusted certificates.</​ff></​fs>​ 
-\\ 
- 
-===== Configuration ===== 
-<fs medium><​ff sans-serif>​There are five steps to configure TLS: \\ 
-\\ 
-1.Make the certificate of CA and client; \\ 
-\\ 
-2.Install CA on the server;\\ 
-\\ 
-3.Configure the TLS (or HTTPS) settings of server, e.g., Transmission mode, Port number, TLS method, authentication method and so on;\\ 
-\\ 
-4.Upload CA certificate to IP Phone client;\\ 
-\\ 
-5.Fill in the SIP accounts and enable TLS of IP Phone.\\ 
-\\ 
-(Step 1~3 please refers to the appendix)</​ff></​fs>​ 
-\\ 
- 
-===== Upload CA Certificate to IP Phone ===== 
-<fs medium><​ff sans-serif>​1.Login the webpage of IP Phone, go to the path “Security -> Advanced.</​ff>​”</​fs>​ 
-{{ :​7.ip_phone:​features_and_configurations:​ad.png?​nolink&​600 |}} 
- 
-<fs medium><​ff sans-serif>​2.Click “Browse” under “Client Certificate Upload.”</​ff></​fs>​ 
-{{ :​7.ip_phone:​features_and_configurations:​broswer.png?​nolink&​600 |}} 
- 
-<fs medium><​ff sans-serif>​3.Select the local certificate(Usually *.pem, *.crt, *.cer, *.der).</​ff></​fs>​ 
-{{ :​7.ip_phone:​features_and_configurations:​select_file.png?​nolink&​600 |}} 
- 
-<fs medium><​ff sans-serif>​4.Click “Submit” to upload the certificate. The IP Phone supports 10 certificates.</​ff></​fs>​ 
-{{ :​7.ip_phone:​features_and_configurations:​submit.png?​nolink&​600 |}} 
-<​note>​IP Phone supports “Only Accept Trusted Certificates,​” IP Phone would be forced to accept all certificates when disabled; if enabled, the IP Phone would only accept trusted certificates in the list.</​note>​ 
-{{ :​7.ip_phone:​features_and_configurations:​图片1aa.png?​nolink&​600 |}} 
- 
-===== Enable TLS of IP Phone ===== 
-<fs medium><​ff sans-serif>​1.Login the IP Phone on webpage, go to the path “Account -> Basic.”</​ff></​fs>​ 
-{{ :​7.ip_phone:​features_and_configurations:​account.png?​nolink&​600 |}} 
-<fs medium><​ff sans-serif>​2.Select “TLS” in “Transport Type” and submit.</​ff></​fs>​ 
-{{ :​7.ip_phone:​features_and_configurations:​transport.png?​nolink&​600 |}} 
- 
- 
-===== Appendix:​SIP-TLS Configuration Sample ===== 
-<​note>​ MyPBX is used in the sample, different PBX may have different process.</​note>​ 
-==== Make Certificate ==== 
-<fs medium><​ff sans-serif>​Use the tool “openssl” based on LINUX to make private CA certificate.</​ff></​fs>​ \\ 
-\\ 
-<fs medium><​ff sans-serif>​1.Create the key file of root certificate(self certificate) : root.key</​ff></​fs>​ \\ 
-\\ 
-<fs medium><​ff sans-serif>​**Command:​**</​ff></​fs>​ 
-<ff sans-serif><​fs medium>​openssl genrsa -out root.key 1024</​fs></​ff>​ \\ 
-\\ 
-<ff sans-serif><​fs medium>​**Sample:​**</​fs>​ 
-</ff> 
-<​file>​ 
-root@ubuntu-64bit:/​home/​work/​CA#​ openssl genrsa -out root.key 1024 
-Generating RSA private key, 1024 bit long modulus 
-...........................................................................................+++ 
-..........................................+++ 
-e is 65537 (0x10001) 
- 
-</​file>​ 
- 
-\\ 
-<fs medium><​ff sans-serif>​2.Create the application file of root certificate : root.csr</​ff></​fs>​ \\ 
-\\ 
-<fs medium><​ff sans-serif>​**Command:​**</​ff></​fs>​ 
-<fs medium><​ff sans-serif>​openssl req -new -key root.key -out root.csr</​ff></​fs>​ \\ 
-\\ 
-<fs medium><​ff sans-serif>​**Sample:​**</​ff></​fs>​ \\ 
- 
-<​file>​ 
-root@ubuntu-64bit:/​home/​work/​CA#​ openssl req -new -key root.key -out root.csr 
-You are about to be asked to enter information that will be incorporated 
-into your certificate request. 
-What you are about to enter is what is called a Distinguished Name or a DN. 
-There are quite a few fields but you can leave some blank 
-For some fields there will be a default value, 
-If you enter '​.',​ the field will be left blank. 
------ 
-Country Name (2 letter code) [AU]:CN 
-State or Province Name (full name) [Some-State]:​FJ 
-Locality Name (eg, city) []:XM 
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:Akuvox 
-Organizational Unit Name (eg, section) []:Akuvox 
-Common Name (eg, server FQDN or YOUR name) []:​Akuvox_CA 
-Email Address []:​support@akuvox.com 
- 
-Please enter the following '​extra'​ attributes 
-to be sent with your certificate request 
-A challenge password []:123456 
-An optional company name []: 
-root@ubuntu-64bit:/​home/​work/​CA#​ 
-</​file>​ 
- 
- 
-<fs medium><​ff sans-serif>​3.Create a 10-year valid root certificate from current data : root.crt</​ff></​fs>​ \\ 
-\\ 
-<fs medium><​ff sans-serif>​**Command:​**</​ff></​fs> ​ 
-<fs medium>​openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt</​fs>​ \\ 
-\\ 
-<fs medium><​ff sans-serif>​**Sample:​**</​ff></​fs>​ 
-<​file>​ 
-root@ubuntu-64bit:/​home/​work/​CA#​ openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt 
-Signature ok 
-subject=/​C=CN/​ST=FJ/​L=XM/​O=Akuvox/​OU=Akuvox/​CN=Akuvox/​emailAddress=support@akuvox.com 
-Getting Private key 
-</​file>​ 
- 
-<fs medium><​ff sans-serif>​4.Create the server certificate:​ server.key</​ff></​fs>​\\ 
-\\ 
-<fs medium><​ff sans-serif>​**Command:​**</​ff></​fs>​ 
-<ff sans-serif><​fs medium>​Openssl genrsa -out server.key 1024</​fs></​ff>​\\ 
-\\ 
-<fs medium><​ff sans-serif>​**Sample:​**</​ff></​fs>​ 
-<​file>​ 
-root@ubuntu-64bit:/​home/​work/​CA#​ openssl genrsa -out server.key 1024 
-Generating RSA private key, 1024 bit long modulus 
-......++++++ 
-.++++++ 
-e is 65537 (0x10001) 
-root@ubuntu-64bit:/​home/​work/​CA#​ 
-</​file> ​ 
- 
-<fs medium><​ff sans-serif>​5.Create the application file of server certificate:​ server.csr(Generate Certificate Signing Request(CSR)which would convert to server’s own certificate once signed by CA, input private informations following the tips)</​ff></​fs>​ \\ 
-\\ 
-<fs medium><​ff sans-serif>​**Command:​**openssl req -new -key server.key -out server.csr</​ff></​fs>​ \\ 
-\\ 
-<fs medium><​ff sans-serif>​**Sample:​**</​ff></​fs>​ 
-<​file>​ 
-root@ubuntu-64bit:/​home/​work/​CA#​ openssl req -new -key server.key -out server.csr 
-You are about to be asked to enter information that will be incorporated 
-into your certificate request. 
-What you are about to enter is what is called a Distinguished Name or a DN. 
-There are quite a few fields but you can leave some blank 
-For some fields there will be a default value, 
-If you enter '​.',​ the field will be left blank. 
------ 
-Country Name (2 letter code) [AU]:CN 
-State or Province Name (full name) [Some-State]:​FJ 
-Locality Name (eg, city) []:XM 
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:Akuvox 
-Organizational Unit Name (eg, section) []: 
-Common Name (e.g. server FQDN or YOUR name) []:​192.168.10.16 
-Email Address []:​support@Akuvox.com 
- 
-Please enter the following '​extra'​ attributes 
-to be sent with your certificate request 
-A challenge password []:12345678 
-An optional company name []: 
-root@ubuntu-64bit:/​home/​work/​CA#​ 
-</​file>​ 
-<note important>​There must have difference between the Common Name of Server’s and CA’s certificate.</​note>​ 
- 
-<fs medium><​ff sans-serif>​6.Create a 2-year valid server certificate from current data : server.crt.</​ff></​fs>​\\ 
-\\ 
-<fs medium><​ff sans-serif>​**Command:​**openssl x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAserial root.srl -CAcreateserial -in server.csr -out server.crt</​ff></​fs>​\\ 
-\\ 
-**<fs medium><​ff sans-serif>​Sample:</​ff></​fs>​** 
-<​file>​ 
-root@ubuntu-64bit:/​home/​work/​CA#​ openssl x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAserial root.srl -CAcreateserial -in server.csr -out server.crt 
-Signature ok 
-subject=/​C=CN/​ST=FJ/​L=XM/​O=Akuvox/​OU=Akuvox/​CN=Akuvox/​emailAddress=support@Akuvox.com 
-Getting CA Private Key 
-root@ubuntu-64bit:/​home/​work/​CA#​ 
-</​file>​ 
- 
-<note important>​root.crt should be uploaded to IP Phone(client),​ server.crt and server.key should be uploaded to server, use “cat” when .pem is required:​cat server.key server.crt > server.pem</​note>​ 
- 
-==== Upload the certificate to MyPBX ==== 
-<fs medium><​ff sans-serif>​1.Go to “PBX -> Advanced Settings->​Certificates,​” click “Upload Certificate.”</​ff></​fs>​ 
-{{ :​7.ip_phone:​features_and_configurations:​pbx.png |}} 
-{{ :​7.ip_phone:​features_and_configurations:​upload.png?​600 |}} 
- 
-<fs medium><​ff sans-serif>​2.Select the “Type” as “PBX Certificate,​” click “Browse” to choose “server.pem” for uploading and save.</​ff></​fs>​ 
-{{ :​7.ip_phone:​features_and_configurations:​type.png?​600 |}} 
-{{ :​7.ip_phone:​features_and_configurations:​pem.png?​600 |}} 
- 
-<fs medium><​ff sans-serif>​3.Restart the PBX to enable the certificates.</​ff></​fs>​ 
-\\ 
- 
-==== Configure the SIP settings of server ==== 
-<fs medium><​ff sans-serif>​1.Go to “Advanced Settings -> SIP Settings,​” enable TLS and set the TLS port, choose the authentication and transmission method and save</​ff>​.</​fs>​ 
-{{ :​7.ip_phone:​features_and_configurations:​sip_setting.png?​nolink&​600 |}} 
- 
-<fs medium><​ff sans-serif>​2.Go to “Line Status -> Extensions Statues,” click the account</​ff></​fs>​ 
-{{ :​7.ip_phone:​features_and_configurations:​status.png?​nolink&​600 |}} 
- 
-<fs medium><​ff sans-serif>​3.Select “TLS” for “Transport” in the VoIP settings and save. Click “Apply Changes” on the top right corner to take effect the configuration.</​ff></​fs>​ 
-{{ :​7.ip_phone:​features_and_configurations:​apply.png?​nolink&​600 |}} 
- 
-==== Upload the certificate to IP Phone ==== 
-{{ :​7.ip_phone:​features_and_configurations:​advance.png?​nolink&​600 |}} 
- 
-==== Configure the SIP account ==== 
-{{ :​7.ip_phone:​features_and_configurations:​tls.png?​nolink&​600 |}} 
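Review bot: the sample outputs in the "Make Certificate" section do not match the commands that produced them, and the mismatch hides the one thing the phone actually checks. The CSR prompts enter "Common Name ... :Akuvox_CA" for root.csr and "Common Name ... :192.168.10.16" for server.csr, yet both signing samples print "subject=/C=CN/ST=FJ/L=XM/O=Akuvox/OU=Akuvox/CN=Akuvox/...", which also contradicts the note that the server's and CA's Common Names must differ; the samples should be regenerated so that the printed subject matches what was typed, and the text should say explicitly that the server CN (or a subjectAltName) must be the address the phone registers to. On the same commands, "-extensions v3_ca" and "-extensions v3_req" have no effect in "openssl x509 -req" unless "-extfile" names a config file, so as written the certificates carry no basicConstraints or subjectAltName; either drop the options or add "-extfile" with the matching section. The parameters "genrsa ... 1024", "-sha1" and the statement that the phone "supports TLS v1.0" describe deprecated cryptography: SHA-1 signatures and 1024-bit RSA are rejected by current TLS stacks at default security levels and TLS 1.0 is deprecated, so the guide should use 2048-bit keys and "-sha256" at minimum and state the newest TLS version the firmware accepts. The note on "Only Accept Trusted Certificates" should be turned into a recommendation to keep it enabled, since with it disabled the phone accepts any server certificate and uploading root.crt provides no authentication of the PBX. Finally, "cat server.key server.crt > server.pem" bundles the private key into the uploaded file, which is worth a sentence on restricting access to that file, and the challenge passwords "123456" / "12345678" typed at the CSR prompts are not used anywhere in this procedure and can be left blank.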
-  
-