
802.1x Certificates

The Wiki of Unify contains information on clients and devices, communications systems and unified communications. - Unify GmbH & Co. KG is a Trademark Licensee of Siemens AG.


This page summarizes the requirements for certificates and their properties, as they apply to the 802.1x (EAP-TLS) authentication of OpenStage and optiPoint IP phones.

1. Basic requirements to 802.1x certificates

  • The intended purpose (extended key usage) must be "client authentication".
  • The key usage must be "signature and encryption".
  • The type is an X.509 certificate, version 3.
  • The algorithm class for the private key is: 0xa000(5) ALG_CLASS_KEY_EXCHANGE
  • sha1RSA is normally used; however, other algorithms can be used instead, provided that they are supported by OpenSSL and e.g. Win2003.
  • From the DLS point of view, any X.509 v3 certificate is possible. The only restriction is the size (max. approx. 7 kB).

Phone-certificate

  • X509v3 Extended Key Usage: Client Authentication
  • RSA Public Key: (1024 bit) with optiPoint, (2048 bit) with OpenStage, (4096 bit) with CP phones

RADIUS-certificate

  • RSA Public Key: (2048 bit)
  • X509v3 extensions:
    • X509v3 Key Usage: critical, Digital Signature, Key Encipherment, Key Agreement, Certificate Sign
    • X509v3 Extended Key Usage: Server Authentication, Client Authentication

SubCA-certificate

  • RSA Public Key: (2048/4096 bit)
  • X509v3 extensions:
    • X509v3 Basic Constraints: critical, CA:TRUE
    • X509v3 Key Usage: critical, Digital Signature, Certificate Sign, CRL Sign

RootCA-certificate

  • RSA public key: (2048/4096 bit)
  • X509v3 extensions:
    • X509v3 basic constraints: critical, CA:TRUE
    • X509v3 Key usage: critical, digital signature, certificate sign, CRL Sign
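The profile rules above can be checked mechanically before a certificate is loaded onto a phone or the RADIUS server. The following POSIX shell script is an added example (not part of the original wiki page or of any Unify tool); it assumes only the openssl CLI and greps the `openssl x509 -text` dump, so the extension names it looks for are OpenSSL's own wording. The "phone" profile accepts 1024, 2048 and 4096 bit keys because the page allows a different size per phone family; it does not know which family the certificate is for.

```shell
#!/bin/sh
# check_cert <phone|radius|subca|rootca> <cert.pem>
# Exit status 0 = all rules of that profile hold, 1 = at least one failed.
# Assumption: the openssl CLI is installed; the rules are the ones listed on
# this page, translated to the strings that "openssl x509 -text" prints.

# Case-insensitive substring match over a text dump: has "<text>" "<needle>"
has() { printf '%s\n' "$1" | grep -qi -- "$2"; }

# Report one violated rule and remember it in the $fail flag of check_cert.
bad() { echo "FAIL: $1"; fail=1; }

check_cert() {
  profile=$1; fail=0
  txt=$(openssl x509 -in "$2" -noout -text 2>/dev/null) \
    || { echo "FAIL: cannot parse $2 as a PEM certificate"; return 1; }
  # Key size as printed by OpenSSL, e.g. "Public-Key: (2048 bit)"
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)

  # Rules common to every profile on this page: X.509 v3 with an RSA key.
  has "$txt" 'Version: 3' || bad "not an X.509 v3 certificate"
  has "$txt" 'rsaEncryption' || bad "public key is not RSA"

  case $profile in
    phone)   # Client Authentication EKU; 1024/2048/4096 bit depending on phone family
      has "$txt" 'TLS Web Client Authentication' || bad "missing clientAuth EKU"
      case $bits in 1024|2048|4096) ;; *) bad "RSA key is '$bits' bit" ;; esac ;;
    radius)  # 2048 bit; serverAuth + clientAuth EKU; signing and key encipherment
      [ "$bits" = 2048 ] || bad "RSA key is '$bits' bit, expected 2048"
      has "$txt" 'TLS Web Server Authentication' || bad "missing serverAuth EKU"
      has "$txt" 'TLS Web Client Authentication' || bad "missing clientAuth EKU"
      has "$txt" 'Digital Signature' || bad "keyUsage lacks digitalSignature"
      has "$txt" 'Key Encipherment' || bad "keyUsage lacks keyEncipherment" ;;
    subca|rootca)  # CA:TRUE; digitalSignature, keyCertSign, cRLSign; 2048/4096 bit
      case $bits in 2048|4096) ;; *) bad "RSA key is '$bits' bit, expected 2048/4096" ;; esac
      has "$txt" 'CA:TRUE' || bad "basicConstraints is not CA:TRUE"
      has "$txt" 'Certificate Sign' || bad "keyUsage lacks keyCertSign"
      has "$txt" 'CRL Sign' || bad "keyUsage lacks cRLSign"
      has "$txt" 'Digital Signature' || bad "keyUsage lacks digitalSignature" ;;
    *) echo "unknown profile: $profile"; return 2 ;;
  esac
  [ "$fail" = 0 ] && echo "OK: $2 satisfies the $profile profile"
  return "$fail"
}
```

Because the checks are plain substring matches, a certificate carrying extra, unwanted extensions still passes; the script catches missing properties, not surplus ones.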


2. Rules for logon names

  • The certificate element "CommonName" must meet the requirements of Microsoft's "Rules of Logon Names" (e.g. http://technet.microsoft.com/en-us/library/bb726984.aspx) or of UPN (User Principal Names) (MS Windows Server 2003, Internet Authentication Service (IAS) Operation Guide).
  • Logon names must follow these rules:
    • Local logon names must be unique on a workstation and global logon names must be unique throughout a domain.
    • Logon names can be up to 104 characters. However, it isn't practical to use logon names that are longer than 64 characters.
    • A Microsoft Windows NT version 4.0 or earlier logon name is given to all accounts, which by default is set to the first 20 characters of the Windows 2000 logon name. The Windows NT version 4.0 or earlier logon name must be unique throughout a domain.
    • Users logging on to the domain from Windows 2000 computers can use their Windows 2000 logon name or their Windows NT version 4.0 or earlier logon name, regardless of the domain operations mode.
    • Logon names can't contain certain characters. Invalid characters are " / \ [ ] : ; | = , + * ? < >
    • Logon names can contain all other special characters, including spaces, periods, dashes, and underscores. But it's generally not a good idea to use spaces in account names.
  • Certificates on Wired Client Computers: For the user and computer certificates installed on wired client computers, the following must be true:
    • They must have a corresponding private key.
    • They must contain the Client Authentication EKU (OID "1.3.6.1.5.5.7.3.2").
    • Computer certificates must be installed in the Local Computer certificate store.
    • Computer certificates must contain the FQDN of the wired client computer account in the Subject Alternative Name property.
    • User certificates must be installed in the Current User certificate store.
    • User certificates must contain the user principal name (UPN) of the user account in the Subject Alternative Name property.


3. Difference between optiPoint and OpenStage

  • optiPoint SIP/HFA:
    • Phone-certificate (certificate chain + private key in a PKCS#12 container)
    • RootCA-certificate (= public key = first element of the RADIUS-certificate chain) or
    • RADIUS-certificate (= public key of the RADIUS-certificate)
    • Key size: 1024 bit
  • OpenStage SIP/HFA:
    • Phone-certificate (certificate chain + private key in a PKCS#12 container)
    • RootCA-certificate (= public key = first element of the RADIUS-certificate chain)
    • Key size: max. 2048 bit; should be limited to 1024 bit for compatibility with optiPoint.