Security – Certificates
USEFUL TIP

For step-by-step instructions on installing a commercially signed SSL certificate, see the How to Generate and Install a Commercially Signed SSL Certificate page.

Generate CSR

The Generate Certificate Signing Request page allows you to generate a CSR for your UCX system.

To access the page, perform the following steps:

  1. Open UCX Administration
  2. From the Security tab, select Certificates
  3. From the left side column, select Generate CSR 
  4. Fill in the fields on this page and click on the Generate button

Install Certificate

The Install SSL Certificate page allows you to install a certificate chain (certificate bundle) issued for your UCX system.

To access the page, perform the following steps:

  1. Open UCX Administration
  2. From the Security tab, select Certificates
  3. From the left side column, select Install Certificate 
  4. Click on the Choose File button and select the desired certificate file from your computer.
  5. Click on the Install Certificate button

Self-Signed Certificate

IMPORTANT

The use of self-signed certificates as described here is intended for test or lab systems only. E-MetroTel does not recommend deploying self-signed certificates on customer systems.

If you have previously installed an E-MetroTel SSL certificate or your own commercially signed SSL certificate, installing a self-signed certificate will replace that SSL certificate and stop the operation of InfinityOne mobile clients.

When you connect to the UCX Administration page, you may see the following privacy error:

To prevent seeing this error, you can create and configure a trusted Self-Signed SSL Certificate for the UCX Server.

Step 1 – Generate SSL Certificate

To generate a self-signed SSL certificate perform the following steps:

  1. Open UCX Administration
  2. From the Security tab, select Certificates
  3. From the left side column, select Self-signed Certificate
  4. Press the Generate button to create the certificate

  5. Go to the System Dashboard tab and restart the Web Server process
  6. Close the browser or tab

Step 2 – Export Certificate

To export the certificate created in Step One to your PC, follow the steps below depending on your browser type.

Google Chrome

  1. From your browser, retype the hostname or IP address to access the UCX Administration page.
  2. Click on the “X lock” located on the left side of the address bar, then click on Certificate information
  3. Go to the Copy to File section below and continue with the instructions

Internet Explorer

  1. From your browser, retype the hostname or IP address to access the UCX Administration page.
  2. Go to the top right corner of the browser and select Tools
  3. From the list, select Internet Options
  4. From the Internet Options window, select Security tab
  5. Select Trusted Sites and change the Security level to Medium
  6. Click on the Sites button and Add UCX website to the list of trusted sites
  7. Close the Trusted sites window and press OK to close the Internet Options window
  8. Select the link to Continue to this website
  9. Click on the “X shield” located on the right side of address bar, then click on View certificates
  10. Go to the Copy to File section below and continue with the instructions.

Copy to File

From the Certificate page, go to the Details tab and click on Copy to File.

Follow the wizard to export the certificate to your PC.

Step 3 – Import Certificate

To enable trust in your Internet browser, follow the steps in this section (based on your browser type) to import the certificate from your PC to the Trusted Root Certification Authorities store.

After completing these steps, relaunch the browser before accessing the UCX Web-based Configuration Utility.

Google Chrome

  1. Go to the top right corner of the browser and select the Chrome menu
  2. From the list, select Settings
  3. On the Settings page, scroll down to the bottom and click on Show advanced settings
  4. Scroll down to HTTPS/SSL section and click on Manage certificates button
  5. From the Certificates window, select Trusted Root Certification Authorities tab and click on the Import button
  6. Follow the instructions from the Wizard to import the certificate

Internet Explorer

  1. Go to the top right corner of the browser and select Tools
  2. From the list, select Internet Options
  3. From the Internet Options window, select Content tab
  4. Click on Certificates button
  5. From the Certificates window, select Trusted Root Certification Authorities tab and click on the Import button
  6. Follow the instructions from the Wizard to import the certificate

DTLS Certificate

NOTE

The original implementation of DTLS certificate creation on the UCX was developed to meet the security standards in place at that time: it used a 1024-bit key, and the certificate was generated using the SHA1 algorithm. We later updated the key length to 2048 bits in line with evolving standards. We have now provided the ability to generate the DTLS certificate using the SHA256 algorithm, in line with current security standards.

Installing a DTLS Certificate for the First Time

If you wish to use DTLS on the UCX, you will use this page to generate the DTLS Certificate. For example, InfinityOne softphones always use DTLS. However, DTLS can also be used to support encrypted media for SIP Trunks as long as the far-end device also supports DTLS-SRTP. To ensure that the certificate is generated with the most up-to-date security algorithms for the UCX, perform a Software Update prior to taking the following steps.

To generate a DTLS certificate, perform the following steps:

  1. Open UCX Administration
  2. From the System tab, select Updates and perform a Software Update
  3. From the System tab, select Network
  4. Verify that your UCX server is connected to the Internet and that the DNS server(s) are configured.
  5. From the Security tab, select Certificates
  6. From the left side column, select DTLS Certificate
  7. Press the Generate button to create the certificate
  8. The DTLS certificate is created and automatically installed on your UCX server.

Upgrading from a SHA1-based Certificate to a SHA256-based Certificate

As noted above, in UCX 6.0 E-MetroTel supports the creation of a certificate based on the SHA256 algorithm in order to keep pace with evolving security standards. However, once a certificate has been generated on a system, it remains in its current state unless you manually update the certificate after installing the latest UCX software. To determine whether your DTLS certificate is based on SHA1 or SHA256, perform the following steps:

  1. Open UCX Administration
  2. From the System tab, select Updates and perform a Software Update
  3. From the System tab, select Network
  4. Verify that your UCX server is connected to the Internet and that the DNS server(s) are configured.
  5. From the Security tab, select Certificates
  6. From the left side column, select DTLS Certificate. If the DTLS Certificate page has a Generate button and states that a DTLS certificate is installed, then the certificate is based on older security standards and can be updated.
  7. Press the Generate button to update the DTLS certificate.
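The SHA1 or SHA256 question above can also be answered from a certificate file directly. The following is an added example, not E-MetroTel code: a minimal DER reader that reports a certificate's signature algorithm and RSA key size. It assumes you hold a copy of the certificate as a PEM or DER file (this page does not say where the UCX stores it) and that the key is RSA; constructed_cert only builds dummy sample input.

```python
import ssl

# DER-encoded OID bodies of the two signature algorithms the page names
SIG_ALGS = {bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
            bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Split buf[start:end] into (tag, content_start, content_end) triples."""
    items = []
    while start < end:
        items.append(read_tlv(buf, start))
        start = items[-1][2]
    return items

def inspect_cert(data):
    """PEM or DER bytes in; signature algorithm name and RSA key size out."""
    if data.lstrip().startswith(b"-----BEGIN"):
        data = ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    tbs, sig_alg, _sig = children(data, *read_tlv(data, 0)[1:])
    oid = children(data, *sig_alg[1:])[0]
    # After the optional [0] version: serial, signature, issuer, validity, subject, key
    fields = [f for f in children(data, *tbs[1:]) if f[0] != 0xA0]
    _alg, key = children(data, *fields[5][1:])   # subjectPublicKeyInfo
    rsa = read_tlv(data, key[1] + 1)   # RSAPublicKey follows the unused-bits byte
    mod = children(data, *rsa[1:])[0]  # its first INTEGER is the modulus
    return {"signature": SIG_ALGS.get(data[oid[1]:oid[2]], "other"),
            "key_bits": int.from_bytes(data[mod[1]:mod[2]], "big").bit_length()}

def der(tag, body):
    """DER-encode one element (helper for the constructed sample only)."""
    n, k = len(body), (len(body).bit_length() + 7) // 8
    size = bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + size + body

def constructed_cert(sig_oid_hex, key_bits):
    """Skeleton with dummy names and signature; not a real UCX certificate."""
    alg = lambda oid: der(0x30, der(0x06, bytes.fromhex(oid)) + der(0x05, b""))
    key = der(0x30, der(0x02, b"\x00" + b"\xc3" * (key_bits // 8)) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, alg("2a864886f70d010101") + der(0x03, b"\x00" + key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg(sig_oid_hex)
              + der(0x30, b"") * 3 + spki)  # empty issuer, validity, subject
    return der(0x30, tbs + alg(sig_oid_hex) + der(0x03, bytes(9)))
```

A result of sha1WithRSAEncryption, or a key_bits value of 1024, corresponds to the older certificate generations described in the note at the top of this section.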

Domain Validation

Use this page if your SSL certificate issuer requires you to upload a domain validation text file into the .well-known/pki-validation directory in order to perform a basic validation of the ownership of your domain.

NOTE

Please make sure that access to the HTTP port (80) is allowed while the SSL provider performs the validation.
