How to set up TLS configuration

About This Manual

This manual describes how to apply TLS certificates to Akuvox IP phones and walks through generating certificates and uploading them to the server and to the IP phone step by step. It applies to Akuvox R5X and R6X models with firmware version 5.0 or later.

Introduction

SIP has no dedicated security protocol of its own in the way HTTP and FTP have HTTPS and FTPS, so SIP signalling is usually wrapped in TLS to protect it in transit. A TLS session works roughly as follows: the two sides establish a network connection, negotiate the cipher suite (and, in older versions, the compression method), authenticate each other (the server always, the client optionally), agree on the session keys for this connection, exchange encrypted application data and finally close the connection. (For more details, see https://en.wikipedia.org/wiki/Public_key_certificate#TLS_version_1.1.) The server's identity is carried by an X.509 digital certificate, which binds the server's public key to its name; the matching private key never leaves the server and is what proves that the server owns the certificate. During the handshake the client and server negotiate the keys and algorithms, and the server sends its certificate so that the client can check it against the certificate authorities (CAs) it trusts. The Akuvox IP phone (consult us for the exact firmware version) supports TLS v1.0 and the X.509 certificate standard, and lets the user choose whether connections to a server that presents an untrusted certificate are allowed or refused. Note that TLS v1.0 has since been formally deprecated (RFC 8996); where both the PBX and the phone firmware support it, prefer TLS v1.2.

Configuration

There are five steps to configure TLS:

1.Generate the CA certificate and the server certificate signed by it;

2.Install the server certificate (with its private key) on the server;

3.Configure the TLS (or HTTPS) settings of the server, e.g. transport mode, port number, TLS method, authentication method and so on;

4.Upload the CA certificate to the IP phone (the client);

5.Fill in the SIP accounts on the IP phone and enable TLS.

(For steps 1 to 3, see the appendix.)

Upload CA Certificate to IP Phone

1.Log in to the web interface of the IP phone and go to “Security → Advanced.”

2.Click “Browse” under “Client Certificate Upload.”

3.Select the local certificate file (usually *.pem, *.crt, *.cer or *.der). For the set-up in this manual this is the CA certificate (root.crt in the appendix), not the server certificate and never a private key.

4.Click “Submit” to upload the certificate. The IP phone supports up to 10 certificates.

The IP phone has an “Only Accept Trusted Certificates” option. When it is disabled the phone accepts any certificate the server presents: the SIP traffic is still encrypted, but the identity of the server is not verified, so an attacker on the network path can impersonate the PBX with a certificate of their own. When it is enabled the phone only accepts server certificates that chain to one of the CA certificates in its list, so upload the correct, unexpired CA certificate before enabling it, otherwise registration will fail.

Enable TLS of IP Phone

1.Log in to the web interface of the IP phone and go to “Account → Basic.”

2.Select “TLS” as “Transport Type” and submit.

Appendix:SIP-TLS Configuration Sample

MyPBX is used in this sample; other PBX products will have a different procedure.

Make Certificate

Use the “openssl” command-line tool on Linux to create a private CA certificate and a server certificate signed by it. The original commands used 1024-bit RSA keys and SHA-1 signatures; both are considered weak today and are rejected by many TLS stacks, so the commands below use 2048-bit keys and SHA-256.

1.Create the private key of the root (self-signed CA) certificate: root.key

Command: openssl genrsa -out root.key 2048

Sample:

root@ubuntu-64bit:/home/work/CA# openssl genrsa -out root.key 2048
Generating RSA private key, 2048 bit long modulus
...........................................................................................+++
..........................................+++
e is 65537 (0x10001)


2.Create the certificate signing request (CSR) for the root certificate: root.csr

Command: openssl req -new -key root.key -out root.csr

Sample:

root@ubuntu-64bit:/home/work/CA# openssl req -new -key root.key -out root.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:FJ
Locality Name (eg, city) []:XM
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Akuvox
Organizational Unit Name (eg, section) []:Akuvox
Common Name (eg, server FQDN or YOUR name) []:Akuvox_CA
Email Address []:support@akuvox.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
root@ubuntu-64bit:/home/work/CA#

3.Create a root certificate valid for 10 years from the CSR: root.crt

Command: openssl x509 -req -days 3650 -sha256 -extensions v3_ca -signkey root.key -in root.csr -out root.crt

Note that “-extensions v3_ca” only takes effect when the section is supplied with “-extfile”; on its own it is silently ignored, and the resulting root certificate carries no basicConstraints CA:TRUE extension, which some validators require before they will accept it as a CA.

Sample:

root@ubuntu-64bit:/home/work/CA# openssl x509 -req -days 3650 -sha256 -extensions v3_ca -signkey root.key -in root.csr -out root.crt
Signature ok
subject=/C=CN/ST=FJ/L=XM/O=Akuvox/OU=Akuvox/CN=Akuvox_CA/emailAddress=support@akuvox.com
Getting Private key

4.Create the private key of the server certificate: server.key

Command: openssl genrsa -out server.key 2048

Sample:

root@ubuntu-64bit:/home/work/CA# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
......++++++
.++++++
e is 65537 (0x10001)
root@ubuntu-64bit:/home/work/CA#

5.Create the certificate signing request for the server certificate: server.csr (the CSR becomes the server's own certificate once the CA signs it; enter the server's details at the prompts. The Common Name should be the address the phones use to reach the PBX, here 192.168.10.16.)

Command: openssl req -new -key server.key -out server.csr

Sample:

root@ubuntu-64bit:/home/work/CA# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:FJ
Locality Name (eg, city) []:XM
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Akuvox
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:192.168.10.16
Email Address []:support@Akuvox.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345678
An optional company name []:
root@ubuntu-64bit:/home/work/CA#
The Common Name of the server certificate must differ from that of the CA certificate; if the two subjects are identical the server certificate looks self-issued to the verifier and chain validation can fail.

6.Create a server certificate valid for 2 years from the CSR, signed by the CA: server.crt

Command: openssl x509 -req -days 730 -sha256 -extensions v3_req -CA root.crt -CAkey root.key -CAserial root.srl -CAcreateserial -in server.csr -out server.crt

(As in step 3, “-extensions v3_req” only takes effect together with “-extfile”.)

Sample:

root@ubuntu-64bit:/home/work/CA# openssl x509 -req -days 730 -sha256 -extensions v3_req -CA root.crt -CAkey root.key -CAserial root.srl -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=/C=CN/ST=FJ/L=XM/O=Akuvox/CN=192.168.10.16/emailAddress=support@Akuvox.com
Getting CA Private Key
root@ubuntu-64bit:/home/work/CA#

root.crt is uploaded to the IP phone (the client); server.crt and server.key are uploaded to the server. When the server requires a single .pem file, concatenate them with “cat”: cat server.key server.crt > server.pem. The resulting server.pem contains the private key, so restrict its permissions (e.g. chmod 600) and never upload it to the phone; keep root.key offline as well, since anyone holding it can issue certificates every phone trusts.
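The six steps above carried out non-interactively as one script, as an added example (this is not Akuvox's or MyPBX's own code). It assumes OpenSSL 1.1 or later on the Linux host, 2048-bit RSA keys with SHA-256 signatures, and that the PBX address is 192.168.10.16 as in the sample CSR; the output directory, the extension files ca.ext and server.ext, the function names and the subjectAltName are the author's choices and not anything the manual specifies. Unlike the bare commands it passes the CA and server extensions through -extfile so that they are actually applied, checks that server.key matches server.crt, and shows the trust decision the phone makes when “Only Accept Trusted Certificates” is enabled: a server certificate either chains to root.crt or it is rejected.

```shell
#!/bin/sh
# Added example (not from the Akuvox manual or MyPBX): build the private CA
# and the CA-signed PBX certificate from the appendix, then check the result.
# Assumptions: OpenSSL 1.1+, 2048-bit RSA, SHA-256, PBX reachable at the
# address used for the CN (192.168.10.16 in the manual's sample).
set -eu

PBX_IP="${PBX_IP:-192.168.10.16}"

# make_pki DIR: creates root.key/root.crt (CA) and server.key/server.crt/
# server.pem (PBX) in DIR, mirroring appendix steps 1 to 6.
make_pki() {
    dir="$1"
    mkdir -p "$dir"
    umask 077   # private keys must not be readable by other users

    # Steps 1-2: CA key and CSR (the subject is given on the command line
    # instead of at the interactive prompts).
    openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
    openssl req -new -key "$dir/root.key" -out "$dir/root.csr" \
        -subj "/C=CN/ST=FJ/L=XM/O=Akuvox/OU=Akuvox/CN=Akuvox_CA"

    # Step 3: self-sign for 10 years. "-extensions v3_ca" does nothing unless
    # the section comes from -extfile, so the CA extensions are written out
    # explicitly; basicConstraints CA:TRUE is what makes this usable as a CA.
    cat > "$dir/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    openssl x509 -req -days 3650 -sha256 -extfile "$dir/ca.ext" \
        -signkey "$dir/root.key" -in "$dir/root.csr" -out "$dir/root.crt"

    # Steps 4-5: PBX key and CSR. The CN must differ from the CA's CN.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CN/ST=FJ/L=XM/O=Akuvox/CN=$PBX_IP"

    # Step 6: CA-sign for 2 years with end-entity extensions. The SAN is an
    # assumption: clients that check the name need it, and it costs nothing.
    cat > "$dir/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=IP:$PBX_IP
authorityKeyIdentifier=keyid,issuer
EOF
    openssl x509 -req -days 730 -sha256 -extfile "$dir/server.ext" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAserial "$dir/root.srl" -CAcreateserial \
        -in "$dir/server.csr" -out "$dir/server.crt"

    # What goes where: root.crt -> phone trust list, server.pem -> PBX.
    cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem"
}

# trusted_by CA_FILE CERT: returns 0 if CERT chains to CA_FILE. This is the
# decision the phone makes about the PBX certificate when "Only Accept
# Trusted Certificates" is enabled.
trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_pki DIR: sanity checks to run before uploading anything.
verify_pki() {
    dir="$1"
    trusted_by "$dir/root.crt" "$dir/server.crt" || return 1
    # server.key really is the key of server.crt (a mismatch breaks the PBX
    # TLS listener with an unhelpful error).
    [ "$(openssl x509 -noout -pubkey -in "$dir/server.crt")" = \
      "$(openssl pkey -in "$dir/server.key" -pubout)" ] || return 1
    # The root is marked as a CA and the PBX cert carries the expected address.
    openssl x509 -noout -text -in "$dir/root.crt" | grep -q 'CA:TRUE' || return 1
    openssl x509 -noout -text -in "$dir/server.crt" \
        | grep -q "IP Address:$PBX_IP" || return 1
}

# check_live_pbx HOST:PORT CA_FILE: the same trust decision against a running
# SIP-TLS listener, e.g. check_live_pbx 192.168.10.16:5061 CA/root.crt
check_live_pbx() {
    openssl s_client -connect "$1" -CAfile "$2" -verify_ip "${1%%:*}" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Stand-alone use: sh make_sip_pki.sh ./CA
if [ -n "${1:-}" ]; then
    make_pki "$1" && verify_pki "$1" && echo "certificates in $1 are consistent"
fi
```

Run it as “sh make_sip_pki.sh ./CA”, upload CA/root.crt to the phone and CA/server.pem to the PBX, then use check_live_pbx against the PBX's TLS port once the server is configured; if it fails while verify_pki passed, the PBX is serving a different certificate than the one you uploaded.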

Upload the certificate to MyPBX

1.Go to “PBX → Advanced Settings → Certificates” and click “Upload Certificate.”

2.Set “Type” to “PBX Certificate,” click “Browse,” choose “server.pem” and save.

3.Restart the PBX so that the certificate takes effect.

Configure the SIP settings of server

1.Go to “Advanced Settings → SIP Settings,” enable TLS, set the TLS port (the standard port for SIP over TLS is 5061), choose the authentication and transport method, and save.

2.Go to “Line Status → Extension Status” and click the account.

3.Select “TLS” for “Transport” in the VoIP settings and save. Click “Apply Changes” in the top right corner for the configuration to take effect.

Upload the certificate to IP Phone

Follow the section “Upload CA Certificate to IP Phone” above, uploading root.crt.

Configure the SIP account

Follow the section “Enable TLS of IP Phone” above: enter the SIP account and select “TLS” as the transport type.