How to set up TLS configuration
About This Manual
This manual explains how to apply TLS certificates to an Akuvox IP Phone, and walks step by step through a sample of generating certificates and uploading them to the server and the IP Phone. The manual applies to Akuvox R5X and R6X with firmware version 5.0 or later.
Introduction
SIP has no dedicated secure variant of its own comparable to HTTPS or FTPS, so the protocol is usually encrypted with TLS to secure the transmission of SIP messages. The main TLS working process consists of establishing the network connection, selecting the encryption and compression methods for the connection, verifying the identities of both sides, agreeing on the key for this transmission, transmitting the encrypted data, and closing the connection. (For more details, please refer to https://en.wikipedia.org/wiki/Public_key_certificate#TLS_version_1.1)
In the encryption protocols of network communication, a digital certificate is required to provide the public key and private key used to encrypt the information sent and decrypt the information received. During the TLS handshake, the client negotiates the keys, the encryption algorithm and so on with the server, and the server sends its certificate to the client for identification.
The Akuvox IP Phone (consult us for firmware version) supports TLS v1.0 transmission and the X.509 certificate standard. Users can enable or disable connections to servers that use untrusted certificates.
Configuration
There are five steps to configure TLS:
1. Make the CA and client certificates;
2. Install the CA on the server;
3. Configure the TLS (or HTTPS) settings of the server, e.g. transmission mode, port number, TLS method, authentication method and so on;
4. Upload the CA certificate to the IP Phone client;
5. Fill in the SIP accounts and enable TLS on the IP Phone.
(For steps 1 to 3, please refer to the appendix.)
Upload CA Certificate to IP Phone
1. Log in to the web page of the IP Phone and go to “Security → Advanced.”
2. Click “Browse” under “Client Certificate Upload.”
3. Select the local certificate (usually *.pem, *.crt, *.cer or *.der).
4. Click “Submit” to upload the certificate. The IP Phone supports 10 certificates.
Enable TLS of IP Phone
1. Log in to the web page of the IP Phone and go to “Account → Basic.”
2. Select “TLS” in “Transport Type” and submit.
Appendix: SIP-TLS Configuration Sample
Make Certificate
Use the “openssl” tool on Linux to make a private CA certificate.
1. Create the key file of the root certificate (self-signed certificate): root.key
Command:
openssl genrsa -out root.key 1024
Sample:
root@ubuntu-64bit:/home/work/CA# openssl genrsa -out root.key 1024
Generating RSA private key, 1024 bit long modulus
...........................................................................................+++
..........................................+++
e is 65537 (0x10001)
2. Create the request file (CSR) of the root certificate: root.csr
Command:
openssl req -new -key root.key -out root.csr
Sample:
root@ubuntu-64bit:/home/work/CA# openssl req -new -key root.key -out root.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:FJ
Locality Name (eg, city) []:XM
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Akuvox
Organizational Unit Name (eg, section) []:Akuvox
Common Name (eg, server FQDN or YOUR name) []:Akuvox_CA
Email Address []:support@akuvox.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
root@ubuntu-64bit:/home/work/CA#
3. Create a root certificate valid for 10 years from the current date: root.crt
Command:
openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt
Sample:
root@ubuntu-64bit:/home/work/CA# openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt
Signature ok
subject=/C=CN/ST=FJ/L=XM/O=Akuvox/OU=Akuvox/CN=Akuvox/emailAddress=support@akuvox.com
Getting Private key
4. Create the key file of the server certificate: server.key
Command:
openssl genrsa -out server.key 1024
Sample:
root@ubuntu-64bit:/home/work/CA# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
......++++++
.++++++
e is 65537 (0x10001)
root@ubuntu-64bit:/home/work/CA#
5. Create the request file of the server certificate: server.csr. (This generates a Certificate Signing Request (CSR), which becomes the server's own certificate once it is signed by the CA. Enter your own information by following the prompts.)
Command:
openssl req -new -key server.key -out server.csr
Sample:
root@ubuntu-64bit:/home/work/CA# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:FJ
Locality Name (eg, city) []:XM
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Akuvox
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:192.168.10.16
Email Address []:support@Akuvox.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345678
An optional company name []:
root@ubuntu-64bit:/home/work/CA#
6. Create a server certificate valid for 2 years from the current date: server.crt
Command:
openssl x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAserial root.srl -CAcreateserial -in server.csr -out server.crt
Sample:
root@ubuntu-64bit:/home/work/CA# openssl x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAserial root.srl -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=/C=CN/ST=FJ/L=XM/O=Akuvox/OU=Akuvox/CN=Akuvox/emailAddress=support@Akuvox.com
Getting CA Private Key
root@ubuntu-64bit:/home/work/CA#
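The six steps above as one non-interactive script, followed by checks to run before the files are uploaded: chain verification, key/certificate match, and key size and signature digest. This is an added example, not part of the Akuvox manual. The function names and the audit thresholds (RSA of at least 2048 bits, no SHA-1 or MD5 signature) are assumptions, and the subjects omit the e-mail address.

```shell
#!/bin/sh
# Added example. Subject values and file names follow the appendix sample;
# the function names and the audit thresholds are assumptions.

# make_chain DIR BITS DIGEST: appendix steps 1-6, with -subj replacing the prompts.
# -extensions is left out: it names a section of an -extfile, which is not passed.
make_chain() {
    dir=$1 bits=$2 md=$3
    ( cd "$dir" &&
      openssl genrsa -out root.key "$bits" &&
      openssl req -new -key root.key -out root.csr \
          -subj "/C=CN/ST=FJ/L=XM/O=Akuvox/OU=Akuvox/CN=Akuvox_CA" &&
      openssl x509 -req -days 3650 "-$md" -signkey root.key \
          -in root.csr -out root.crt &&
      openssl genrsa -out server.key "$bits" &&
      openssl req -new -key server.key -out server.csr \
          -subj "/C=CN/ST=FJ/L=XM/O=Akuvox/CN=192.168.10.16" &&
      openssl x509 -req -days 730 "-$md" -CA root.crt -CAkey root.key \
          -CAserial root.srl -CAcreateserial -in server.csr -out server.crt
    ) >/dev/null 2>&1
}

# check_chain DIR: server.crt must verify against root.crt, and server.key must
# be the private key that belongs to server.crt.
check_chain() {
    openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$1/server.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null)" ]
}

# audit_cert FILE: print key size and signature algorithm; return 1 when the key
# is under 2048 bits or the signature digest is SHA-1 or MD5.
audit_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    echo "$1: RSA $bits bit, $sig"
    [ "${bits:-0}" -ge 2048 ] || return 1
    case $sig in sha1*|md5*) return 1 ;; esac
}

# Build once with the page's parameters and once with stronger ones, then audit.
for params in "1024 sha1" "2048 sha256"; do
    d=$(mktemp -d)
    make_chain "$d" $params && check_chain "$d" || { echo "$params: failed"; continue; }
    audit_cert "$d/server.crt" || echo "  below the assumed thresholds"
done
```

The second pass uses 2048-bit keys and SHA-256; whether a given phone firmware accepts them is not stated in this manual.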
Upload the certificate to MyPBX
1. Go to “PBX → Advanced Settings → Certificates” and click “Upload Certificate.”
2. Select “PBX Certificate” as the “Type,” click “Browse” to choose “server.pem” for uploading, and save.
3. Restart the PBX to enable the certificates.
Configure the SIP settings of server
1. Go to “Advanced Settings → SIP Settings,” enable TLS and set the TLS port, choose the authentication and transmission method, and save.
2. Go to “Line Status → Extensions Statues” and click the account.
3. Select “TLS” for “Transport” in the VoIP settings and save. Click “Apply Changes” in the top right corner for the configuration to take effect.
Upload the certificate to IP Phone
Configure the SIP account