Views

Difference between revisions of "802.1x Certificates"

The Wiki of Unify contains information on clients and devices, communications systems and unified communications. - Unify GmbH & Co. KG is a Trademark Licensee of Siemens AG.

Jump to: navigation, search
(Initial Creation - German content)
 
(Phone-certificate)
 
(11 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{constr|[[User:Stefan.Beck|Stefan Beck]]}}
+
<div class="breadcrumb">
 +
{{de}} [[802.1x_Zertifikate]]
 +
</div>
  
''ToDo: Page to be translated to English. For the German version see [[802.1x_Zertifikate]].''  
+
''ToDo: Page to be translated to English - any contribution is welcome!''  
  
Hier sind die Anforderungen für Zertifikate zusammengefasst, die für die 802.1x-Authentifizierung von optiPoint- und OpenStage-Telefonen zum Einsatz kommen.
+
This page summarizes the requirements for certificates and their properties, as they apply to the 802.1x (EAP-TLS) authentication of OpenStage and optiPoint IP phones.
  
== 1. Grundsätzliche Eckdaten zu 802.1x Zertifikaten ==
+
== 1. Basic requirements to 802.1x certificates ==
  
* Der Verwendungszweck muss "Client Authentication" sein.
+
* The intended purpose must be "client authentication".
* Der Einsatzzweck ist "Signatur und Verschlüsselung".
+
* The purpose to use must be "signature and encryption".
* Typ ist X.509-Zertifikat, Version: 3.
+
* The type is X.509-certificate, version: 3.
* Die Algorithmusklasse für den privaten Schlüssel ist: 0xa000(5) ALG_CLASS_KEY_EXCHANGE
+
* The algorithm class for the private dey is: 0xa000(5) ALG_CLASS_KEY_EXCHANGE
* Standardmäßig wird sha1RSA verwendet, es kann aber auf diverse andere Algorithmen zurückgegriffen werden, sofern diese Algorithmen von OpenSSL und z.B. Win2003 unterstützt werden.
+
* Normally is used sha1RSA, however, it can be fallen back on various other algorithms, provided that these algorithms are supported by OpenSSL and e.g. Win2003.
* Aus DLS-Sicht sind beliebige X.509 V3 Zertifikate möglich. Einzige Einschränkung ist die Größe (max ca. 7kB).
+
* From DLS view there are any X.509 V3 certificates possible. The only restriction is the size (max. approx. 7kB).
  
=== Phone-Zertifikat ===
+
=== Phone-certificate ===
* X509v3 Extended Key Usage:   TLS Web Client Authentication
+
* X509v3 Extended Key Usage: Client Authentication
* RSA Public Key: (1024 bit) bei Optipoint, (2048 bit) bei OpenStage
+
* RSA Public Key: (1024 bit) with optiPoint, (2048 bit) with OpenStage, (4096 bit) with CP phones
  
=== RADIUS-Zertifikat ===
+
=== RADIUS-certificate ===
 
* RSA Public Key: (2048 bit)
 
* RSA Public Key: (2048 bit)
 
* X509v3 extensions:
 
* X509v3 extensions:
* X509v3 Key Usage: critical, Digital Signature, Key Encipherment, Key Agreement, Certificate Sign
+
* X509v3 Key usage: critical, digital signature, key Encipherment, key agreement, certificate Sign
* X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication
+
* X509v3 Extended key usage: server authentication, client authentication
  
=== SubCA-Zertifikat ===
+
=== SubCA-certificate ===
 
* RSA Public Key: (2048/4096 bit)
 
* RSA Public Key: (2048/4096 bit)
 
* X509v3 extensions:
 
* X509v3 extensions:
Line 30: Line 32:
 
* X509v3 Key Usage: critical, Digital Signature, Certificate Sign, CRL Sign
 
* X509v3 Key Usage: critical, Digital Signature, Certificate Sign, CRL Sign
  
== RootCA-Zertifikat ==
+
== RootCA-certificate ==
* RSA Public Key: (2048/4096 bit)
+
* RSA public key: (2048/4096 bit)
 
* X509v3 extensions:
 
* X509v3 extensions:
** X509v3 Basic Constraints: critical, CA:TRUE
+
** X509v3 basic constraints: critical, CA:TRUE
** X509v3 Key Usage: critical, Digital Signature, Certificate Sign, CRL Sign
+
** X509v3 Key usage: critical, digital signature, certificate sign, CRL Sign
 +
 
 +
 
 +
== 2. Rules for logon names==
 +
* The certificate element "CommonName" must meet the requirements of Microsoft's "Rules of Logon Names" (e.g. http://technet.microsoft.com/en-us/library/bb726984.aspx) respectively UPN (User Principal Names)(MS Windows Server 2003, Internet Authentication Service (IAS) Operation Guide)
 +
* Logon names must follow these rules
 +
** Local logon names must be unique on a workstation and global logon names must be unique throughout a domain.
 +
** Logon names can be up to 104 characters. However, it isn't practical to use logon names that are longer than 64 characters.
 +
** A Microsoft Windows NT version 4.0 or earlier logon name is given to all accounts, which by default is set to the first 20 characters of the Windows 2000 logon name. The Windows NT version 4.0 or earlier logon name must be unique throughout a domain.
 +
** Users logging on to the domain from Windows 2000 computers can use their Windows 2000 logon name or their Windows NT version 4.0 or earlier logon name, regardless of the domain operations mode.#
 +
** Logon names can't contain certain characters. Invalid characters are " / \ [ ] : ; | = , + * ? < >
 +
** Logon names can contain all other special characters, including spaces, periods, dashes, and underscores. But it's generally not a good idea to use spaces in account names.
 +
* Certificates on Wired Client Computers: For the user and computer certificates installed on wired client computers, the following must be true
 +
** They must have a corresponding private key.
 +
** They must contain the Client Authentication EKU (OID "1.3.6.1.5.5.7.3.2")
 +
** Computer certificates must be installed in the Local Computer certificate store.
 +
** Computer certificates must contain the FQDN of the wired client computer account in the Subject Alternative Name property.
 +
** User certificates must be installed in the Current User certificate store.
 +
** User certificates must contain the user principal name (UPN) of the user account in the Subject Alternative Name property.
 +
 
  
== 2. Unterschiede zwischen optiPoint und OpenStage ==
+
== 3. Difference between optiPoint und OpenStage ==
* OptiPoint SIP/HFA:  
+
* optiPoint SIP/HFA:  
** Phone-Zertifikat (Zertifikatskette + priv. Key in PKCS#12 Container)
+
** Phone-certificate(certificate chain + priv. key in PKCS#12 container)
** RootCA-Zertifikat (= public Key = erstes Glied der RADIUS-Zertifikatskette) oder
+
** RootCA-certificate (= public key = first element of the RADIUS-certificate chain) or
** RADIUS-Zertifikat (= public Key des RADIUS-Zertifikates)
+
** RADIUS-certificate (= public key des RADIUS-certificates)
** Key Size: 1024 Bit
+
** Key size: 1024 Bit
* OpenStage SIP/HFA (für OpenStage HFA wird 802.1x ab V2R0 freigeben):  
+
* OpenStage SIP/HFA:  
** Phone-Zertifikat (Zertifikatskette + priv. Key in PKCS#12 Container)
+
** Phone-certificate (certificate chain + priv. key in PKCS#12 container)
** RootCA-Zertifikat (= public Key = erstes Glied der RADIUS-Zertifikatskette)
+
** RootCA-certificate (= public key = first element of the RADIUS-certificate chain)
** Key Size: max. 2048 Bit, sollte aber aus Gründen der Kompatibilität zum optiPoint auf 1024 Bit beschränkt werden.
+
** Key size: max. 2048 Bit, should be limited for reasons of the compatibility to optiPoint to 1024 bits.

Latest revision as of 12:25, 7 February 2020

ToDo: Page to be translated to English - any contribution is welcome!

This page summarizes the requirements for certificates and their properties, as they apply to the 802.1x (EAP-TLS) authentication of OpenStage and optiPoint IP phones.

1. Basic requirements to 802.1x certificates

  • The intended purpose must be "client authentication".
  • The purpose to use must be "signature and encryption".
  • The type is X.509-certificate, version: 3.
  • The algorithm class for the private dey is: 0xa000(5) ALG_CLASS_KEY_EXCHANGE
  • Normally is used sha1RSA, however, it can be fallen back on various other algorithms, provided that these algorithms are supported by OpenSSL and e.g. Win2003.
  • From DLS view there are any X.509 V3 certificates possible. The only restriction is the size (max. approx. 7kB).

Phone-certificate

  • X509v3 Extended Key Usage: Client Authentication
  • RSA Public Key: (1024 bit) with optiPoint, (2048 bit) with OpenStage, (4096 bit) with CP phones

RADIUS-certificate

  • RSA Public Key: (2048 bit)
  • X509v3 extensions:
  • X509v3 Key usage: critical, digital signature, key Encipherment, key agreement, certificate Sign
  • X509v3 Extended key usage: server authentication, client authentication

SubCA-certificate

  • RSA Public Key: (2048/4096 bit)
  • X509v3 extensions:
  • X509v3 Basic Constraints: critical, CA:TRUE
  • X509v3 Key Usage: critical, Digital Signature, Certificate Sign, CRL Sign

RootCA-certificate

  • RSA public key: (2048/4096 bit)
  • X509v3 extensions:
    • X509v3 basic constraints: critical, CA:TRUE
    • X509v3 Key usage: critical, digital signature, certificate sign, CRL Sign


2. Rules for logon names

  • The certificate element "CommonName" must meet the requirements of Microsoft's "Rules of Logon Names" (e.g. http://technet.microsoft.com/en-us/library/bb726984.aspx) respectively UPN (User Principal Names)(MS Windows Server 2003, Internet Authentication Service (IAS) Operation Guide)
  • Logon names must follow these rules
    • Local logon names must be unique on a workstation and global logon names must be unique throughout a domain.
    • Logon names can be up to 104 characters. However, it isn't practical to use logon names that are longer than 64 characters.
    • A Microsoft Windows NT version 4.0 or earlier logon name is given to all accounts, which by default is set to the first 20 characters of the Windows 2000 logon name. The Windows NT version 4.0 or earlier logon name must be unique throughout a domain.
    • Users logging on to the domain from Windows 2000 computers can use their Windows 2000 logon name or their Windows NT version 4.0 or earlier logon name, regardless of the domain operations mode.#
    • Logon names can't contain certain characters. Invalid characters are " / \ [ ] : ; | = , + * ? < >
    • Logon names can contain all other special characters, including spaces, periods, dashes, and underscores. But it's generally not a good idea to use spaces in account names.
  • Certificates on Wired Client Computers: For the user and computer certificates installed on wired client computers, the following must be true
    • They must have a corresponding private key.
    • They must contain the Client Authentication EKU (OID "1.3.6.1.5.5.7.3.2")
    • Computer certificates must be installed in the Local Computer certificate store.
    • Computer certificates must contain the FQDN of the wired client computer account in the Subject Alternative Name property.
    • User certificates must be installed in the Current User certificate store.
    • User certificates must contain the user principal name (UPN) of the user account in the Subject Alternative Name property.


3. Difference between optiPoint und OpenStage

  • optiPoint SIP/HFA:
    • Phone-certificate(certificate chain + priv. key in PKCS#12 container)
    • RootCA-certificate (= public key = first element of the RADIUS-certificate chain) or
    • RADIUS-certificate (= public key des RADIUS-certificates)
    • Key size: 1024 Bit
  • OpenStage SIP/HFA:
    • Phone-certificate (certificate chain + priv. key in PKCS#12 container)
    • RootCA-certificate (= public key = first element of the RADIUS-certificate chain)
    • Key size: max. 2048 Bit, should be limited for reasons of the compatibility to optiPoint to 1024 bits.