SIP TLS (Transport Layer Security) is used to encrypt SIP signaling between SIP endpoints. For this to work, certain devices in the network must import an SSL certificate. Before importing the certificate into a device such as an Acme Packet SBC it is important to know whether the certificate was issued by a CA (Certificate Authority) or is self-generated, in which case it is considered a non-CA certificate. Occasionally users have indicated that the certificate is from a CA when in fact it is not, and importing a non-CA certificate as a CA certificate may generate an error. Below is a quick procedure to verify the certificate using Mac OS X (or Linux).
$ openssl verify -verbose CertFile.crt
server.crt: OK
If the output is anything other than "server.crt: OK", the provided certificate does not chain to a valid Certificate Authority. For example:
$ openssl verify -verbose CertFile.crt
CallManagerAug22.crt: /CN=TESTCCM/OU=CISCOMCS7800/O=FPI/L=MANILA/ST=MAKATI/C=PH
error 18 at 0 depth lookup:self signed certificate
OK
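As an added example (not part of the original post), here is a small POSIX shell helper that wraps the openssl check above and separates the three outcomes you meet before an SBC import: a self-signed certificate (issuer equals subject, openssl error 18), a certificate whose issuing CA is simply not in the local trust store (error 20, so you need the CA file), and a certificate that chains to a trusted CA. The function name classify_cert and its optional CA-bundle argument are my own; the only assumption is that the openssl binary is on the PATH.

```shell
#!/bin/sh
# Added example: classify a PEM certificate before importing it into the SBC.
# Prints one of: self-signed, ca-signed, unknown-issuer, verify-failed,
# not-a-certificate.  $1 is the certificate file, optional $2 a CA bundle
# (PEM) to verify against; without $2 the system trust store is used, exactly
# like the bare "openssl verify CertFile.crt" shown above.
classify_cert() {
    cert="$1"
    cafile="$2"
    # Structural check first: a certificate whose issuer DN equals its subject DN
    # was signed with its own key, i.e. it is self-generated, not CA-issued.
    # (Heuristic: a CA that reuses the leaf's exact DN would also match, so the
    # chain check below remains the authority for everything else.)
    subj=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null) || true
    iss=$(openssl x509 -in "$cert" -noout -issuer 2>/dev/null) || true
    if [ -z "$subj" ]; then
        echo "not-a-certificate"; return 2
    fi
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo "self-signed"; return 1
    fi
    # Chain check.  Older openssl versions print a trailing "OK" even after an
    # error line (as in the output above), so match on the error code, not on
    # the last line.
    if [ -n "$cafile" ]; then
        out=$(openssl verify -CAfile "$cafile" "$cert" 2>&1) || true
    else
        out=$(openssl verify "$cert" 2>&1) || true
    fi
    case "$out" in
        *"error 18"*) echo "self-signed"; return 1 ;;
        *"error 20"*) echo "unknown-issuer"; return 3 ;;
        *": OK"*)     echo "ca-signed"; return 0 ;;
        *)            echo "verify-failed"; return 4 ;;
    esac
}

# Usage: ./classify_cert.sh CertFile.crt [ca-bundle.pem]
if [ -n "${1:-}" ]; then
    classify_cert "$1" "${2:-}"
fi
```

An "unknown-issuer" result on a certificate the user says is CA-issued usually just means the issuing CA is private; rerun with that CA's certificate as the second argument, and that same CA certificate is what the SBC's trusted certificate-record must hold.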
Another alternative to verify a certificate is using Mac OS X’s Keychain Access application. Simply import the certificate and you will see something like this:
If using a CA-based certificate, here are the steps to generate a certificate request and load the certificate on the Acme Packet SBC.
PHOENIX# configure terminal
PHOENIX(configure)# security
PHOENIX(security)# certificate-record
PHOENIX# generate-certificate-request markholloway
Generating Certificate Signing Request. This can take several
minutes…
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----;
PHOENIX# save-config
PHOENIX# activate-config
Once the signed certificate is received from the CA it needs to be imported on the Acme Packet SBC.
PHOENIX# import-certificate [try-all|pkcs7|x509] [cert-file-name]
PHOENIX# import-certificate try-all markholloway
Please enter the certificate in the PEM format.
Terminate the certificate with “;” to exit…….
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----;
PHOENIX# save-config
PHOENIX# activate-config
From here there are quite a number of steps to perform in order to support SIP TLS and SRTP. The following example shows how to create a TLS profile for encrypted SIP signaling.
PHOENIX# config t
PHOENIX(configure)# security
PHOENIX(security)# tls-profile
Enter a name for the profile, the name of the trusted CA certificate record, and the tls-version (TLSv1 or SSLv3).
PHOENIX(tls-profile)# exit
PHOENIX(security)# exit
Now apply the TLS profile to the sip-interface that will be used.
PHOENIX(configure)# session-router
PHOENIX(session-router)# sip-interface
PHOENIX(sip-interface)# select
<SIP INTERFACE>
PHOENIX(sip-interface)# sip-ports
PHOENIX(sip-port)# <ENTER>
PHOENIX(sip-port)# transport-protocol tls
PHOENIX(sip-port)# tls-profile <profile>
To view information about certificates loaded in the Acme Packet SBC:
PHOENIX# show security certificates [ brief | detailed ] <CERT>
certificate-record:markholloway
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:55:32:55:50:84:45:71
        Issuer:
            C=US
            ST=Arizona
            L=Phoenix
            O=sipit
            OU=STCA
        Subject:
            C=US
            ST=AZ
            L=Phoenix
            O=Engineering
            CN=mh

Hi,
May I ask for help about TLS between CUCM 7.1 and the Acme SBC? When I test a call using UDP, all goes fine, but when I use TLS, CUCM sends a CANCEL request after it receives the Session Progress message. My topology is IP phone -> CUCM -> Acme SBC -> SIP server. I uploaded a trust certificate to CUCM from the Acme SBC, then downloaded a CSR certificate and gave it to the person from the Acme SBC so that he could give me a signed certificate that I can upload to CUCM. That is what we did for the certificate exchange. Maybe you have some idea on why CUCM is sending a CANCEL request.
Thanks,
Adriane