Security Module SIP identity certificate attributes

Last Updated: Apr 25, 2023

Generate the Security Module SIP identity certificate with the following X509v3 extensions and attributes.

| Attribute | Value | Required |
| --- | --- | --- |
| Subject | CN={breeze-fqdn} | Required |
| Validity | validity period | Required |
| Authority Key Identifier | hash | Required¹ |
| Subject Key Identifier | hash | Recommended |
| Key Usage | digitalSignature | Required |
| | nonrepudiation | Required |
| | keyEncipherment | Required |
| Extended Key Usage | id-kp-serverAuth = 1.3.6.1.5.5.7.3.3.1 | Required |
| | id-kp-clientAuth = 1.3.6.1.5.5.7.3.3.2 | Required² |
| | id-kp-sipDomain = 1.3.6.1.5.5.7.3.20 | Contraindicated³ |
| Subject Alternative Name | IP:{breeze-security-module-ip} | Optional |
| | URI:sip:{sip-domain} | Optional⁴ |
| | DNS:{sip-domain} | Optional⁵ |
| | DNS:{breeze-fqdn} | Required |
| Authority Information Access | OCSP - URI:http://{ocsp-server}{:ocsp-port}{/ocsp-path} | Optional |
| CRL Distribution Points | URI:http://{crl-server}{:crl-port}{/crl-path} | Optional |
| | URI:ldap://{crl-server}{:crl-port}{/crl-dn}⁶ | Optional |

¹ Authority key identifiers are required elements in end entity certificates to properly establish the trust chain.
² Required because this Identity Certificate is also used when the server acts as a client (TLS mutual authentication).
³ Validation of the presence of the id-kp-sipDomain extended key usage as described in RFC 5924 is discouraged, as it limits use of the certificate to SIP only and forces certificate proliferation.
⁴ The SIP domain may not be known at install time, so the URI:sip:{domain} Subject Alternative Name value suggested by RFC 5922 is not likely to be present. Once the SIP domain is known, replace this Identity Certificate with one carrying the correct domain. Some public CAs do not allow signing a CSR with a Subject Alternative Name extension entry of type URI and sip scheme (e.g. URI=sip:sip.example.com). In those cases, use only the DNS type entry with the corresponding SIP domain. Follow either Replacing an Identity Certificate by a System Manager CA issued certificate or Replacing an Identity Certificate by a third party CA issued certificate.
⁵ The 96xx endpoints require the SIP domain to be present in the CN or as a DNS:{domain} entry in the Subject Alternative Name field.
⁶ URLs and DNs used to identify the location of CRLs in LDAP directories may be quite complex; entities configuring or consuming them must be able to handle characters as defined by the LDAP URI specification in RFC 4516.
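The following is an added example, not code from the Avaya documentation: it writes the profile in the table above as an OpenSSL extension section, issues a certificate from a throwaway test CA, and checks the result for the required entries and for the absence of the contraindicated id-kp-sipDomain EKU. The host names, IP address and OCSP/CRL URLs are assumed placeholders.

```shell
#!/bin/sh
# Added example (not Avaya's code): the Security Module SIP identity profile as an
# OpenSSL extension section, a throwaway test CA that issues it, and a checker.
# Assumed placeholders: breeze.example.com = {breeze-fqdn}, sip.example.com =
# {sip-domain}, 192.0.2.10 = {breeze-security-module-ip}, example.com OCSP/CRL URLs.
set -e
WORK=$(mktemp -d)
cat > "$WORK/breeze.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign
[ sm_sip ]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid, issuer
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment
# serverAuth + clientAuth only; id-kp-sipDomain is deliberately omitted (footnote 3)
extendedKeyUsage = serverAuth, clientAuth
# DNS:{breeze-fqdn} is the one required SAN; drop URI:sip:... if the CA rejects it (footnote 4)
subjectAltName = DNS:breeze.example.com, DNS:sip.example.com, URI:sip:sip.example.com, IP:192.0.2.10
authorityInfoAccess = OCSP;URI:http://ocsp.example.com/ocsp
crlDistributionPoints = URI:http://crl.example.com/breeze.crl
EOF
# Throwaway CA, CSR for the Security Module, then the signed identity certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Issuing CA" -config "$WORK/breeze.cnf" \
  -extensions ca_ext -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=breeze.example.com" -config "$WORK/breeze.cnf" \
  -keyout "$WORK/sm.key" -out "$WORK/sm.csr" 2>/dev/null
openssl x509 -req -days 365 -in "$WORK/sm.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/breeze.cnf" -extensions sm_sip -out "$WORK/sm.crt" 2>/dev/null
# check_profile CERT: returns 0 if CERT carries the required entries of the table
# and not the contraindicated id-kp-sipDomain EKU, 1 otherwise.
check_profile() {
  txt=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$txt" | grep -q 'DNS:breeze.example.com'          || return 1
  printf '%s\n' "$txt" | grep -q 'X509v3 Authority Key Identifier' || return 1
  printf '%s\n' "$txt" | grep -q 'TLS Web Server Authentication'   || return 1
  printf '%s\n' "$txt" | grep -q 'TLS Web Client Authentication'   || return 1
  printf '%s\n' "$txt" | grep -q 'Digital Signature'               || return 1
  # OpenSSL prints EKUs it has no short name for as a dotted OID
  printf '%s\n' "$txt" | grep -q '1\.3\.6\.1\.5\.5\.7\.3\.20'      && return 1
  return 0
}
if check_profile "$WORK/sm.crt"; then echo "sm.crt matches the profile"; else echo "sm.crt FAILS"; fi
```

The same sm_sip section can be handed to a production CA through `openssl x509 -req -extfile`; for a public CA that rejects the URI:sip entry (footnote 4), remove that SAN and keep the DNS entries.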