Certificates and Key Management

X.509 v3 is the standard used for the certificates.

X.509 v3 distinguishes two kinds of certificates: Certificate Authority (CA) certificates and signed (end-entity) certificates. A CA certificate has the X.509v3 extension X.509v3 Basic Constraints set to CA:TRUE, while a signed certificate has the same extension set to CA:FALSE.

The root CA can sign another CA and thereby create a chain of trust. TLS clients that trust the root CA will therefore also trust servers whose certificates are signed by the intermediate CA. The certificate management tool cannot create a chain of trust between CAs, but it supports importing an intermediate CA and a root CA. The MX-ONE Enterprise CA is only a root CA.

Both client and server certificates are signed certificates. In 802.1X the phone has a client certificate, because phones are validated as clients by the RADIUS server, which decides which clients are granted network access. The MX-ONE Service Node is validated as a server in relation to other servers or phones.

The certificate management tool can either create a generic wildcard certificate that is distributed to all MX-ONE servers (auto), and/or a local certificate for a particular server that uses a specific root CA, which may be required for a certain TLS SIP route.

MX-ONE stores certificates in PEM, the native format of OpenSSL, which is a base64 encoding. The format is easily recognised when viewing the file in an ASCII editor, since the certificate blob is wrapped between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

The PEM file used by MX-ONE (by the TLS-supporting programs) is a "PEM with certificate chain" stored at /etc/opt/eri_sn/certs/eri_sn_cert.pem. This file contains, in the following order: the server certificate's private key, the server certificate, and the CA (Certificate Authority) certificate. Note that the CA private key is not needed.
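As an added example (not part of the MX-ONE documentation or its certificate management tool), a small Python checker for the layout described above: it splits a PEM bundle into its blocks, validates each base64 body, and reports whether the order is private key, server certificate, CA certificate. The sample bundle is constructed from placeholder bytes, not real key or certificate material.

```python
import base64
import re

# A PEM block is a label line, a base64 body, and a matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def parse_pem_bundle(text):
    """Return a list of (label, decoded_bytes) for every PEM block in text.
    Raises ValueError if a body is not valid base64."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        try:
            raw = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as e:  # binascii.Error is a ValueError subclass
            raise ValueError(f"block {label!r} is not valid base64: {e}")
        blocks.append((label, raw))
    return blocks


def check_mxone_chain(text):
    """Check the order MX-ONE expects in eri_sn_cert.pem:
    private key, server certificate, CA certificate.
    Returns a list of problems; an empty list means the layout is correct."""
    labels = [label for label, _ in parse_pem_bundle(text)]
    problems = []
    if len(labels) != 3:
        problems.append(f"expected 3 PEM blocks (key, server cert, CA), found {len(labels)}")
    # The first block must be a private key (PRIVATE KEY, RSA PRIVATE KEY, ...).
    if not labels or not labels[0].endswith("PRIVATE KEY"):
        problems.append("first block must be the server private key")
    for i, label in enumerate(labels[1:3], start=2):
        if label != "CERTIFICATE":
            problems.append(f"block {i} should be a CERTIFICATE, found {label!r}")
    if any(l.endswith("PRIVATE KEY") for l in labels[1:]):
        problems.append("extra private key found; the CA private key is not needed here")
    return problems


def make_pem(label, payload):
    """Wrap placeholder bytes as a PEM block (constructed sample data only)."""
    b64 = base64.b64encode(payload).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


# Constructed sample bundles; the bodies are placeholder bytes, not real DER.
SAMPLE_GOOD = (make_pem("PRIVATE KEY", b"placeholder-server-key")
               + make_pem("CERTIFICATE", b"placeholder-server-cert")
               + make_pem("CERTIFICATE", b"placeholder-ca-cert"))
SAMPLE_BAD = (make_pem("CERTIFICATE", b"placeholder-server-cert")
              + make_pem("PRIVATE KEY", b"placeholder-server-key")
              + make_pem("CERTIFICATE", b"placeholder-ca-cert"))
```

Running check_mxone_chain on the real file (read as text) returns an empty list when the key, server certificate and CA are in the documented order.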