Adding 3rd Party Certificates to an IP Office or Server Edition

Need to add a certificate to your IP Office to tighten up its security? Customer not happy with having to add browser exceptions? This guide talks you through creating everything you need and installing it all on your IP Office.

We will work in this order:

1. Gather all the information required to create a certificate

2. Create a Certificate Signing Request (CSR)

3. Send the CSR to the external Certificate Authority (CA)

4. Download the signed certificate

5. Import the signed identity certificate

6. Convert the certificate and private key to a P12 (PKCS#12) file

7. Apply the new certificate to the Primary Server

Just before we begin: this is a rewrite of an Avaya document made for PCC one year. There are instructions for the same process in the Security Guidelines document. This version has been made as an easy-to-follow guide for people who are not too familiar with certificates, and we have tried to add extra detail where we can. Other methods are possible too, using tools like OpenSSL, and in some cases OpenSSL may be the better option.

1. Gather all the information required to create a certificate

Make sure you know exactly which names the certificate must cover. The main one is the server's FQDN (Fully Qualified Domain Name), for example R11.letssupportnow.co.uk. Depending on the certificate you buy, it may cover several domains, e.g. letssupportnow.co.uk and letssupporttomorrow.co.uk. A wildcard certificate covers any single-level sub-domain of your domain; its common name is of the form *.yourdomain (e.g. *.letssupportnow.co.uk matches R11.letssupportnow.co.uk but not a.b.letssupportnow.co.uk). If the certificate will also be used by your SIP devices for TLS and SRTP, you need a UCC/SAN certificate so that the SIP domain can be included as an alternative name alongside the FQDN.

2. Create a Certificate Signing Request (CSR)

We will use the Microsoft Management Console (MMC) for this and the following steps. As mentioned above, you could use OpenSSL instead; we will try to make a separate guide for doing it that way at some point.

On a Windows machine go to Start > Run, type MMC and press Enter.

Click File > Add/Remove Snap-in, select Certificates and click Add, then OK.

Select Computer account, then Local computer. Click Finish.

Click OK on the page displayed.

Expand the Certificates (Local Computer) tree.

Right-click Personal > All Tasks > Advanced Operations > Create Custom Request.

Click Next on the first window, then choose "Proceed without enrollment policy".


Choose (No template) Legacy Key and PKCS #10, then Next.

Expand Details and click Properties.

In the General tab, enter the FQDN of the server as the friendly name. If your CSR is for a wildcard cert, use *.domain.co.uk (e.g. *.letssupportnow.co.uk).

On the Subject tab, fill in the subject name fields (Common name = the FQDN, plus Organisation, Locality, Country and so on as your CA requires). Add the FQDN as an Alternative Name of type DNS as well; modern browsers match on the alternative names, not the common name. For UCC certs that must also cover the SIP domain, add a further Alternative Name of type URL whose value is the SIP URI, e.g. sip:letssupportnow.co.uk.

In the Extensions tab, expand Key usage and add Data Encipherment, Digital Signature, Key Encipherment and Non-repudiation.

Still in Extensions, under Extended Key Usage, add Server Authentication and Client Authentication. Do not make the extended key usage critical.

In the Private Key tab, under Cryptographic Service Provider, select Microsoft Strong Cryptographic Provider.

In the Key type drop-down, choose Exchange.

Under Key options, choose a key size of 2048 (the minimum you should use).

Make sure you tick "Make private key exportable"; without it, step 6 (exporting the key to a P12) will fail.

If presented, set Hash Algorithm to sha256. Review that all the options are correct, then click OK.

Click Next, choose the file location and select Base 64 as the file format.

Open the exported CSR with Notepad and copy all of its contents (including the BEGIN and END lines).

3. Send the CSR to the external CA

Log in to your CA and find its CSR enrolment page, then paste the text of your CSR into the box provided. Be aware that every CA does this slightly differently; these instructions are based on GoDaddy as the CA.

4. Download the signed certificate

Once the CA has validated the domain (and whatever else it checks), you will be able to download the certificate files from the CA.

Save the files somewhere sensible. You should see a couple of files: the identity certificate (issued to your FQDN) and the root/intermediate CA certificates that make up the trust chain.

5. Import the signed identity certificate

Open MMC again and add the Certificates snap-in for the local computer as before.

Right-click Personal, go to All Tasks and choose Import.

Click Next on the first screen, then browse to the identity certificate file you downloaded from your CA. Click Next.

Use the "Place all certificates in the following store" option and choose Personal as the store. Click Next, then Finish.

Check the certificate imported correctly: you should see it listed with the FQDN as its name, with a small key on its icon. The key shows that Windows has matched the certificate to the private key generated with the CSR in step 2; if it is missing, you are probably on a different machine from the one the CSR was created on, and the export in step 6 will not work.

Repeat the import for the CA's root and intermediate certificate files (root certificates belong in Trusted Root Certification Authorities, intermediates in Intermediate Certification Authorities).

Double-click your certificate and look at the Details and Certification Path tabs.

Verify the trust chain is complete and shows no errors.

6. Convert the certificate and private key to a P12 file

Still in MMC (this must be the same PC the CSR was created on, because that is where the private key lives), find your certificate under Personal and right-click > All Tasks > Export.

Click Next on the first screen, then select "Yes, export the private key".

Choose the Personal Information Exchange (PKCS #12) radio button and tick "Include all certificates in the certification path if possible" (this is what puts the trust chain into the bundle) and "Export all extended properties".

Set a very strong password to protect the private key. Anyone who obtains the private key can impersonate your server, so treat the exported file as a secret: store it securely and delete any stray copies once it has been uploaded.

Choose a relevant name for the file. You can rename it from .pfx to .p12, but this is not needed: both are PKCS#12 files and the IP Office will accept a .pfx even though it asks for a .p12.
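As an added example (this is not from the original guide, nor Avaya's own tooling), here are step 2 (the CSR), the step 5 chain check and step 6 (the PKCS#12 bundle) done with OpenSSL, the alternative the introduction mentions. The host names are placeholders taken from this guide's examples: r11.letssupportnow.co.uk as the IP Office FQDN and letssupportnow.co.uk as the SIP domain. The fake_ca_sign function stands in for the external CA so the whole thing can be run offline; against a real CA you skip it and use the identity certificate and chain files you downloaded in step 4 in its place.

```shell
#!/bin/sh
# Added example, not from the original guide: the CSR (step 2), chain check (step 5)
# and PKCS#12 (step 6) stages done with OpenSSL instead of MMC.
# Assumed placeholder names: r11.letssupportnow.co.uk is the IP Office FQDN,
# letssupportnow.co.uk is the SIP domain. Override with FQDN=... SIP_DOMAIN=...
set -eu

FQDN="${FQDN:-r11.letssupportnow.co.uk}"
SIP_DOMAIN="${SIP_DOMAIN:-letssupportnow.co.uk}"
WORK="${WORK:-$(mktemp -d)}"

# One config file carries the subject and every extension the guide ticks by hand in MMC:
# key usage, server+client EKU (not critical) and the SANs, including the sip: URI for UCC certs.
# The ca_ext section is only used by the offline stand-in CA below.
write_config() {
  cat > "$WORK/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = $FQDN
O  = Example Org
C  = GB

[ v3_req ]
keyUsage         = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = $FQDN
DNS.2 = $SIP_DOMAIN
URI.1 = sip:$SIP_DOMAIN

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# Step 2: 2048-bit RSA key (file mode 0600) and a SHA-256 PKCS#10 request in Base64/PEM.
make_csr() {
  write_config
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  chmod 600 "$WORK/server.key"
  openssl req -new -sha256 -key "$WORK/server.key" -config "$WORK/csr.cnf" -out "$WORK/server.csr"
}

# Check what the CA will see (SANs and EKU) before pasting the CSR into its enrolment page.
show_csr() {
  openssl req -noout -text -in "$WORK/server.csr" | grep -E 'DNS:|URI:|Authentication'
}

# Offline stand-in for the external CA so the example runs end to end. In real use
# steps 3 and 4 happen on the CA's website and you download server.crt plus the chain.
fake_ca_sign() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Example Test CA" \
    -config "$WORK/csr.cnf" -extensions ca_ext -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/csr.cnf" -extensions v3_req -out "$WORK/server.crt" 2>/dev/null
}

# Step 5 check: the identity certificate must chain to the CA bundle you were given.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null
}

# Step 6: key + identity cert + chain into one PKCS#12 (.p12/.pfx) protected by a strong password.
make_p12() {
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -certfile "$WORK/ca.crt" -name "$FQDN" -passout "pass:$1" -out "$WORK/server.p12"
}

# Confirm the bundle opens with that password and really carries the private key,
# which is what the IP Office needs from it.
check_p12() {
  openssl pkcs12 -in "$WORK/server.p12" -passin "pass:$1" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

demo() {
  make_csr && show_csr && fake_ca_sign && verify_chain && make_p12 "$1" && check_p12 "$1" \
    && echo "PKCS#12 ready: $WORK/server.p12"
}

if [ "${1:-}" = "demo" ]; then demo "${2:?usage: $0 demo <p12-password>}"; fi
```

Run it as sh certs.sh demo 'YourStrongPassword'; the key, CSR and bundle land in a fresh temporary directory whose path is printed at the end, and the key file never leaves that machine unencrypted except inside the password-protected .p12. One caveat: OpenSSL 3 writes PKCS#12 bundles with AES-256 and a SHA-256 MAC by default, whereas OpenSSL 1.1 used the older RC2/3DES format; if an appliance rejects an OpenSSL 3 bundle, adding -legacy to the pkcs12 -export command produces the old format. Which of the two your IP Office release accepts is not something this guide covers.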

7. Apply the new certificate to the Primary Server

Log in to Web Manager, go to the Security Manager tab and choose Certificates. (Side note: the process is the same on an Application Server if you need certificates on that.)

Press Set, choose your .pfx/.p12 file, enter the password and click Upload.

If all went well, the Certificates page should now show "Issued to:" your FQDN. After a minute or so the page will refresh and log you out; this is normal. Give it ten minutes, then log back in and check again. By then all the applications should have the new certificate applied. If the certificates have not been pushed out, go to the platform view on port 7071 (https://<server FQDN>:7071) and, under the Certificates section, make sure the "Renew automatically" option is checked. This option is what pushes the certificate out to the other applications; it will not actually renew anything when you are using an imported certificate, because the IP Office is no longer the CA.

And you're done! Go and enable TLS and SRTP on all your SIP devices, and browse to any IP Office web page without needing a browser exception.
