This guide shows an easy way to generate and sign your own certificates for use with TLS in your SIP profiles, so that secure endpoints can perform upper registration through the Sangoma SBC.
Transport Layer Security (TLS) must be used to secure the signalling between the SBC and the remote end.
Here are the requirements for TLS configuration:
a. A suitable digital certificate must be deployed on the SBC
b. The SBC must have SIP Trunking configured, to provide basic security policies, routing rules and other features.
c. The SBC must be able to identify the PBX service by the service's fully qualified domain name (FQDN).
A digital certificate must be obtained and signed by a supported Certification Authority (CA). It must contain the SBC's FQDN in the Common Name (CN) field; since most TLS peers match the name against the Subject Alternative Name (SAN) rather than the CN, the FQDN should be present there as well (the -alt option of the request command below does this).
The certificate, together with any intermediate certificates, must be loaded into the SBC.
The next diagram represents the steps in the process:
1. The SBC must have an FQDN configured.
2. Use the SBC's name (and other information) to generate a certificate request.
3. Submit the certificate request to the CA (a commercial CA will charge a fee to issue a certificate).
4. The CA issues a signed certificate that contains the SBC's FQDN.
5. Load the device certificate into the SBC's Private Certificate Store.
6. Load the intermediate certificates into the SBC's CA Certificate Store.
7. Download the Root Certificate of the CA that signed the remote end's (PBX) certificate.
8. Load the Root Certifi
We will use two tools to generate the appropriate certificates.
- The SBC itself can generate a private key and a certificate request. We will do this with a single command in the CLI.
- In a real deployment you would submit the certificate request generated in the previous step to a trusted certification authority. Here we instead use a tool that plays the role of the Certification Authority: SimpleAuthority (www.simpleauthority.com). The CA certificate it creates is self-signed, and the server certificate it issues is signed by that private CA, so it will only be trusted by endpoints that have the CA certificate installed.
To generate the private key and certificate request, connect to your SBC via SSH and log in as the root user.
At the command line prompt:
/usr/local/nsc/bin/gentls_cert create_server_req -cn <FQDN for your SBC> -alt DNS:<alternate Name> -org <Organization Domain>
See this example:
At this point two files have been generated, in the folders indicated in the example: the private key (myreq.key in this example) and the certificate request (myreq.req).
Keep the private key in a safe place and do not share it with anyone.
The request file is the one you would normally submit to the Certification Authority.
Now we will explain how to create your own certification authority, so that you can answer and sign the request generated above.
Download and install the free version of SimpleAuthority (http://simpleauthority.com/download.html):
We will use the Windows version here:
At this point you should already have copied the file myreq.req to the computer on which you will import the request into SimpleAuthority:
Complete the next screen as required (keep the certificate type as General Purpose):
The new certificate will appear on the left side of the SimpleAuthority window.
Select Tools > Export > CA certificate, like here:
Select the "pem" format:
For this exercise we save this certificate under the name "CA Certificate Demo.pem".
Now we will create a new file named "Server Certificate.pem" by merging the server certificate that SimpleAuthority issued for our request (the entry that appeared on the left side, also exported in "pem" format) with the private key we generated using the SBC CLI.
Note that it is the issued server certificate that must be paired with myreq.key, not the CA certificate: a certificate can only be used with the private key that matches its public key, and "CA Certificate Demo.pem" belongs in the CA section of the SBC. The merged file is simply the two PEM blocks one after the other:
server certificate (pem) + "myreq.key"
It will look like this (blurred on purpose):
It will result in this:
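To make the request, CA and merge steps concrete, and to check the result before it goes into the SBC, here is an added example that is not Sangoma's, SimpleAuthority's or the original page's code. It uses openssl as the private CA in place of SimpleAuthority, produces a key and request equivalent to what gentls_cert creates on the SBC (it does not run gentls_cert), builds the merged server file, and then runs the three checks worth doing on any bundle: the private key matches the certificate, the certificate chains to the CA, and the SBC's FQDN is in the SAN. The names sbc.example.com, sip.example.com, example.com, server_cert.pem and the working directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example: openssl stands in for SimpleAuthority as a private CA,
# then the bundle is checked before loading. Not Sangoma's code; all
# names (sbc.example.com, example.com, file names) are assumed.
set -u

WORK="${WORK:-$(mktemp -d)}"

# Step 1: a private CA. Its self-signed certificate is the equivalent of
# "CA Certificate Demo.pem" and goes into the SBC's CA section.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Demo CA/O=example.com" >/dev/null 2>&1
}

# Step 2: server key and request, the equivalent of gentls_cert's
# myreq.key / myreq.req. The key never leaves this machine.
make_req() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/myreq.key" -out "$WORK/myreq.req" \
    -subj "/CN=sbc.example.com/O=example.com" >/dev/null 2>&1
}

# Step 3: the CA answers the request. The SAN is supplied at signing
# time because "openssl x509 -req" does not copy it from the CSR.
sign_req() {
  printf 'subjectAltName=DNS:sbc.example.com,DNS:sip.example.com\nextendedKeyUsage=serverAuth,clientAuth\n' \
    > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/myreq.req" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 825 -extfile "$WORK/server.ext" -out "$WORK/server.crt" >/dev/null 2>&1
}

# Step 4: issued certificate + private key = "Server Certificate.pem".
make_bundle() {
  cat "$WORK/server.crt" "$WORK/myreq.key" > "$WORK/server_cert.pem"
}

# Check A: the public key in the (first) certificate of $1 must equal the
# public half of the private key $2. Pairing the CA certificate with
# myreq.key fails this check.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check B: certificate $2 chains to CA $1, which is what the remote end
# will verify once it has the CA certificate installed.
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check C: the FQDN the peers use for the SBC appears in the SAN of $1.
san_contains() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# Whole flow; returns a distinct non-zero code for each failing step.
build_and_check() {
  make_ca && make_req && sign_req && make_bundle || return 1
  key_matches_cert "$WORK/server_cert.pem" "$WORK/myreq.key" || return 2
  chain_verifies "$WORK/ca.pem" "$WORK/server.crt" || return 3
  san_contains "$WORK/server.crt" sbc.example.com || return 4
  echo "ok: load $WORK/server_cert.pem in the Server section and $WORK/ca.pem in the CA section"
}

build_and_check
```

If "Check A" fails on a file you built from a SimpleAuthority export, you have merged the wrong certificate (typically the CA certificate) with myreq.key; re-export the server certificate and rebuild the bundle.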
At this point you are ready to load the certificates into your SBC.
Load "CA Certificate Demo.pem" in the CA section and "Server Certificate.pem" in the Server section.
Don't forget to assign the server certificate in the SIP profile associated with TLS:
Now you are ready to accept upper registrations from endpoints over TLS; the SBC converts them to standard SIP towards your IP PBX. Because the server certificate was issued by your own CA, each endpoint must have "CA Certificate Demo.pem" installed as a trusted CA, otherwise it will reject the SBC's certificate during the TLS handshake.