802.1x Certificates
This page summarizes the requirements for certificates and their properties, as they apply to the 802.1x (EAP-TLS) authentication of OpenStage and optiPoint IP phones.
1. Basic requirements to 802.1x certificates
- The intended purpose must be "client authentication".
- The purpose to use must be "signature and encryption".
- The type is X.509 certificate, version 3.
- The algorithm class for the private key is 0xa000 (5), ALG_CLASS_KEY_EXCHANGE.
- Normally sha1RSA is used; other algorithms can serve as a fallback, provided they are supported by OpenSSL and, e.g., Win2003.
- From the DLS point of view, any X.509 v3 certificate is possible. The only restriction is the size (max. approx. 7 kB).
 
Phone-certificate
- X509v3 Extended Key Usage: Client Authentication
- RSA Public Key: 1024 bit with optiPoint, 2048 bit with OpenStage
 
RADIUS-certificate
- RSA Public Key: 2048 bit
- X509v3 extensions:
  - X509v3 Key Usage: critical, Digital Signature, Key Encipherment, Key Agreement, Certificate Sign
  - X509v3 Extended Key Usage: Server Authentication, Client Authentication
 
SubCA-certificate
- RSA Public Key: 2048/4096 bit
- X509v3 extensions:
  - X509v3 Basic Constraints: critical, CA:TRUE
  - X509v3 Key Usage: critical, Digital Signature, Certificate Sign, CRL Sign
 
RootCA-certificate
- RSA Public Key: 2048/4096 bit
- X509v3 extensions:
  - X509v3 Basic Constraints: critical, CA:TRUE
  - X509v3 Key Usage: critical, Digital Signature, Certificate Sign, CRL Sign
 
 
2. Rules for logon names
- The certificate element "CommonName" must meet the requirements of Microsoft's "Rules of Logon Names" (e.g. http://technet.microsoft.com/en-us/library/bb726984.aspx) or of UPNs (User Principal Names) (MS Windows Server 2003, Internet Authentication Service (IAS) Operation Guide).
- Logon names must follow these rules.
 
- Certificates on Wired Client Computers: for the user and computer certificates installed on wired client computers, the following must be true:
  - They must have a corresponding private key.
  - They must contain the Client Authentication EKU (OID "1.3.6.1.5.5.7.3.2").
  - Computer certificates must be installed in the Local Computer certificate store.
  - Computer certificates must contain the FQDN of the wired client computer account in the Subject Alternative Name property.
  - User certificates must be installed in the Current User certificate store.
  - User certificates must contain the user principal name (UPN) of the user account in the Subject Alternative Name property.
 
 
3. Difference between optiPoint and OpenStage
- optiPoint SIP/HFA:
  - Phone-certificate (certificate chain + private key in PKCS#12 container)
  - RootCA-certificate (= public key = first element of the RADIUS-certificate chain) or
  - RADIUS-certificate (= public key of the RADIUS-certificate)
  - Key size: 1024 bit
- OpenStage SIP/HFA:
  - Phone-certificate (certificate chain + private key in PKCS#12 container)
  - RootCA-certificate (= public key = first element of the RADIUS-certificate chain)
  - Key size: max. 2048 bit; should be limited to 1024 bit for compatibility with optiPoint.
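The certificate chain and the phone-side PKCS#12 container described in sections 1 to 3, as an added example that is not part of this wiki page and not Unify tooling: a POSIX shell script using the OpenSSL command line that builds RootCA, SubCA, RADIUS and phone certificates with the extension profile listed above, packs the phone certificate with its chain into a PKCS#12 container, and checks the phone certificate against the profile (X.509 version 3, client-authentication EKU, 1024- or 2048-bit RSA key, chain validating to the RootCA). The subject names, the hostname radius.example.test, the UPN phone01@example.test and the PKCS#12 password are assumptions; only the extension lists and key sizes come from the page.

```shell
#!/bin/sh
# Added example (not from the Unify wiki): build an EAP-TLS certificate chain
# with the extension profile described on the page and check the phone
# certificate against it. All names (example.test, phone01, "Example ...")
# and the PKCS#12 password are hypothetical.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# One extension section per certificate type; the [req]/[dn] stub only lets
# "openssl req" run non-interactively with -subj.
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]

[ rootca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ subca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ radius ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:radius.example.test

[ phone ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
# UPN carried in the SAN as the Microsoft otherName (OID 1.3.6.1.4.1.311.20.2.3)
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:phone01@example.test
EOF

# newkey <name> <bits> <subject>: RSA key plus CSR
newkey() {
  openssl genrsa -out "$WORK/$1.key" "$2" 2>/dev/null
  openssl req -new -config "$WORK/ext.cnf" -key "$WORK/$1.key" \
    -subj "$3" -out "$WORK/$1.csr"
}

# sign <name> <section> <issuer>: issue the CSR with the issuer's key, or
# self-sign when <issuer> is "self"; <section> picks the extension profile
sign() {
  if [ "$3" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
      -extfile "$WORK/ext.cnf" -extensions "$2" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
      -CAcreateserial -days 730 -extfile "$WORK/ext.cnf" -extensions "$2" \
      -out "$WORK/$1.crt" 2>/dev/null
  fi
}

build_chain() {
  newkey root   2048 "/CN=Example Root CA";      sign root   rootca self
  newkey subca  2048 "/CN=Example Sub CA";       sign subca  subca  root
  newkey radius 2048 "/CN=radius.example.test";  sign radius radius subca
  # 2048 bit for OpenStage; use 1024 if optiPoint phones share the same PKI
  newkey phone  2048 "/CN=phone01";              sign phone  phone  subca
  # Phone-side container: private key + certificate chain, as the page requires
  cat "$WORK/subca.crt" "$WORK/root.crt" > "$WORK/chain.pem"
  openssl pkcs12 -export -inkey "$WORK/phone.key" -in "$WORK/phone.crt" \
    -certfile "$WORK/chain.pem" -name phone01 -passout pass:changeit \
    -out "$WORK/phone.p12"
}

# check_phone_cert <cert> <rootca> <intermediates>: returns 0 when the
# certificate satisfies the phone-certificate profile, 1 otherwise
check_phone_cert() {
  text="$(openssl x509 -in "$1" -noout -text)"
  # X.509 version 3
  printf '%s\n' "$text" | grep -q 'Version: 3' || return 1
  # EKU must contain client authentication
  printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' || return 1
  # RSA key size 1024 (optiPoint) or 2048 (OpenStage)
  bits="$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')"
  [ "$bits" = 1024 ] || [ "$bits" = 2048 ] || return 1
  # chain must validate to the RootCA for the TLS-client purpose
  openssl verify -CAfile "$2" -untrusted "$3" -purpose sslclient "$1" >/dev/null 2>&1
}

# p12_cert_count <p12> <password>: number of certificates in the container
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

build_chain
if check_phone_cert "$WORK/phone.crt" "$WORK/root.crt" "$WORK/subca.crt"; then
  echo "phone01: profile OK, $(p12_cert_count "$WORK/phone.p12" changeit) certificates in PKCS#12"
fi
```

Two caveats worth knowing when applying this profile with real tooling: the RADIUS profile on the page lists Certificate Sign, but RFC 5280 requires the CA flag in Basic Constraints whenever keyCertSign is asserted, so a strict CA or validator may reject an end-entity RADIUS certificate carrying that bit; and OpenSSL 3 writes PKCS#12 containers with AES-256 and PBKDF2 by default, so an older phone firmware that only understands the legacy RC2/3DES encoding needs the container exported with `-legacy`.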