Public

Self-signed Certificate

MiVoice Office 400 Root and host certificates

The communication server creates a self-signed root certificate and a self-signed trusted host certificate. The host certificate is downloaded onto the IP and SIP terminals. A call connection between communication server and terminal is established only if the root and host certificate match.

The certificates are renewed at regular intervals, for security reasons. You can define the intervals here. When certificates are generated, the validity period is written into the certificates. The validity period is determined by the configured interval.

After the communication server has re-generated the certificate, the root certificate is stored on the communication server file system. Depending on terminal type, the host certificate is installed on the terminal or you must install it manually:

IP system phones: The host certificate is automatically exchanged without limiting the normal operation.
Mitel SIP phones: The host certificate is automatically loaded on the phone and the phone restarts automatically.
SIP standard terminals You must install the host certificate manually. For this, export the MiVoice Office 400 host certificate and load it on the SIP standard phones.

notes:

You must manually regenerate the certificate each time the communication server IP address is changed.
If you extend the time period, you then need to manually generate new certificates as the active certificates will become invalid sooner. If the certificates are invalid, you will no longer be able to set up any call connections.
Configuration and activation of the NTP service is mandatory for time management of the certificates. You can configure this in the System / General view.

Table 1. Self-signed certificates
Parameter	Description of the parameters
Generate new certificates automatically after (days)	Here you can enter the interval at which the certificates are to be regenerated. The interval duration also determines how long the certificates are valid.
Generate certificates at (time)	Here you can enter the time at which the certificates are to be generated. If SIP system phones are being used, it is preferable to select a time outside office hours as SIP system phones restart automatically.

Certificates

To create a CSR (Certificate Signing Request), perform the following:

On the certificate generation page, go to Configuration > IP networks > IP Security > Certificates > Public.
Click on Generate CSR.
Enter the required details as shown in the figure and click on Apply and Generate CSR.

Note: The CSR should be sent to the Certificate Authority (CA), and once the CA issues the certificate, the signed certificate needs to be imported to the server.

Table 2. Certificate Signing Request
Parameter	Description
Common name	Enter the domain name for which the certificate will be issued; this name will also be used for filenames.
Subject alternative names	A list of FQDN's that allow the public address to be resolved to different addresses.
Country (two-letter code)	Enter the required country code (two-letter code).
State or province	Enter the name of the state or province
Locality or city	Enter the name of the locality or city
Organisation	Enter the name of the organization
Organisational Unit	Enter the Organisational unit or department
E-mail address	Enter a valid e-mail address
Key size	Enter the size of the key (number of bits) From the dropdown, select 2048.

Note: In the Generate CSR page, there will be a drop-down option to select key size 1024/2048.

↑