Difference between revisions of "802.1x Certificates"

The Wiki of Unify contains information on clients and devices, communications systems and unified communications. - Unify GmbH & Co. KG is a Trademark Licensee of Siemens AG.

Revision as of 06:05, 29 March 2010

ToDo: Page to be translated to English - any contribution is welcome!

This page summarizes the requirements for certificates and their properties, as they apply to the 802.1x (EAP-TLS) authentication of OpenStage and optiPoint IP phones.

1. Basic requirements for 802.1x certificates

  • The intended purpose must be "Client Authentication".
  • The key usage must be "signature and encryption".
  • The type is an X.509 certificate, version 3.
  • The algorithm class for the private key is 0xa000(5) ALG_CLASS_KEY_EXCHANGE.
  • By default sha1RSA is used, but various other algorithms can be used instead, provided they are supported by OpenSSL and e.g. Win2003.
  • From the DLS point of view, any X.509 v3 certificate is possible. The only restriction is the size (max. approx. 7 kB).

Phone certificate

  • X509v3 Extended Key Usage: Client Authentication
  • RSA Public Key: (1024 bit) with optiPoint, (2048 bit) with OpenStage

RADIUS certificate

  • RSA Public Key: (2048 bit)
  • X509v3 extensions:
    • X509v3 Key Usage: critical, Digital Signature, Key Encipherment, Key Agreement, Certificate Sign
    • X509v3 Extended Key Usage: Server Authentication, Client Authentication

SubCA certificate

  • RSA Public Key: (2048/4096 bit)
  • X509v3 extensions:
    • X509v3 Basic Constraints: critical, CA:TRUE
    • X509v3 Key Usage: critical, Digital Signature, Certificate Sign, CRL Sign

RootCA certificate

  • RSA Public Key: (2048/4096 bit)
  • X509v3 extensions:
    • X509v3 Basic Constraints: critical, CA:TRUE
    • X509v3 Key Usage: critical, Digital Signature, Certificate Sign, CRL Sign

2. Differences between optiPoint and OpenStage

  • optiPoint SIP/HFA:
    • Phone certificate (certificate chain + private key in a PKCS#12 container)
    • RootCA certificate (= public key = first link of the RADIUS certificate chain), or
    • RADIUS certificate (= public key of the RADIUS certificate)
    • Key size: 1024 bit
  • OpenStage SIP/HFA (for OpenStage HFA, 802.1x is released from V2R0 onwards):
    • Phone certificate (certificate chain + private key in a PKCS#12 container)
    • RootCA certificate (= public key = first link of the RADIUS certificate chain)
    • Key size: max. 2048 bit, but should be limited to 1024 bit for compatibility with optiPoint.
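The profiles from sections 1 and 2 can be checked before a certificate is loaded into DLS. The following checker is an added example, not part of the wiki page or of any Unify tool: it parses the text output of `openssl x509 -text -noout` and reports every deviation from the phone, RADIUS or CA profile; the profile names, the EKU spelling (OpenSSL prints "TLS Web Client Authentication" for Client Authentication) and the two abbreviated sample outputs are constructed for the example.

```python
import re

# Requirement profiles from the page; KU/EKU names spelled as `openssl x509 -text` prints them.
CLIENT, SERVER = "TLS Web Client Authentication", "TLS Web Server Authentication"
PROFILES = {
    "phone-optipoint": {"bits": {1024}, "ku": set(), "eku": {CLIENT}, "ca": False},
    "phone-openstage": {"bits": {1024, 2048}, "ku": set(), "eku": {CLIENT}, "ca": False},  # 1024 for compatibility
    "radius": {"bits": {2048}, "eku": {SERVER, CLIENT}, "ca": False,
               "ku": {"Digital Signature", "Key Encipherment", "Key Agreement", "Certificate Sign"}},
    "ca": {"bits": {2048, 4096}, "eku": set(), "ca": True,  # SubCA and RootCA share one profile
           "ku": {"Digital Signature", "Certificate Sign", "CRL Sign"}},
}
MAX_DLS_BYTES = 7 * 1024  # DLS only accepts certificates up to roughly 7 kB

def parse_openssl_text(text):
    """Pull version, RSA key size and the relevant extensions out of `openssl x509 -text -noout` output."""
    info = {"version": None, "bits": None, "ku": set(), "eku": set(), "ca": None}
    if m := re.search(r"Version:\s*(\d+)", text): info["version"] = int(m.group(1))
    # "RSA Public Key:" (OpenSSL 0.9.8 wording, as on the page) or "Public-Key:" (1.x and later)
    if m := re.search(r"Public[- ]Key:\s*\((\d+) bit\)", text): info["bits"] = int(m.group(1))
    if m := re.search(r"X509v3 Key Usage:.*\n\s*(.+)", text): info["ku"] = {s.strip() for s in m.group(1).split(",")}
    if m := re.search(r"X509v3 Extended Key Usage:.*\n\s*(.+)", text): info["eku"] = {s.strip() for s in m.group(1).split(",")}
    if m := re.search(r"X509v3 Basic Constraints:.*\n\s*CA:(TRUE|FALSE)", text): info["ca"] = m.group(1) == "TRUE"
    return info

def check(text, profile, pem_bytes=0):
    """Return the list of violations of `profile`; an empty list means the certificate fits."""
    want, got, problems = PROFILES[profile], parse_openssl_text(text), []
    if got["version"] != 3: problems.append(f"version {got['version']} != 3")
    if got["bits"] not in want["bits"]: problems.append(f"key size {got['bits']} not in {sorted(want['bits'])}")
    if not want["ku"] <= got["ku"]: problems.append(f"missing key usage {sorted(want['ku'] - got['ku'])}")
    if not want["eku"] <= got["eku"]: problems.append(f"missing EKU {sorted(want['eku'] - got['eku'])}")
    if want["ca"] and got["ca"] is not True: problems.append("Basic Constraints CA:TRUE missing")
    # pem_bytes is the size of the certificate file that will be handed to DLS
    if pem_bytes > MAX_DLS_BYTES: problems.append(f"{pem_bytes} bytes exceeds DLS limit of {MAX_DLS_BYTES}")
    return problems

# Constructed, abbreviated openssl text output for a RADIUS server certificate and a phone certificate.
SAMPLE_RADIUS = """        Version: 3 (0x2)
            RSA Public Key: (2048 bit)
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement, Certificate Sign
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""
SAMPLE_PHONE = """        Version: 3 (0x2)
            RSA Public Key: (1024 bit)
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
"""
```

Feed it the output of `openssl x509 -in phone.pem -text -noout` together with the file size; a phone certificate checked against the "ca" profile lists the missing CA key usages and the missing Basic Constraints, which is the quickest way to spot a chain that was exported in the wrong order.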