The following are the levels of received certificate checks that can be used for the various IP Office TLS/HTTPS connections. See IP Office Interface Certificate Support for more information.
Settings and their checks:

None

Low
The same as None plus:

Medium
The same as Low plus:
- Check that there is a trust chain from the Trusted Certificate Store (TCS) to the root Certificate Authority (CA).
- For IP Office R11.1.3 and higher, also:
  - Check that the certificate has a key usage defined.
  - If the certificate has extended key usage settings, check that they match the purpose for which the certificate is being used.
  - Check that the certificate does not include any unknown extensions marked as critical.
  Note: For systems upgraded to R11.1.3, these additional checks are only applied after the existing setting is changed, for example from Medium to High and then back to Medium. Back up the configuration before making any change.

High
The same as Medium plus:
- Check that the certificate's public key is 2048 bits or greater.
- Check that the certificate is not a self-signed certificate.
- Check that there is a copy of the certificate in the IP Office system's Trusted Certificate Store.
This setting enables the implementation of a strict trust domain in which only known certificates are accepted. This is a form of 'certificate pinning' and overcomes the limitation of the standard tree-structured PKI, where any certificate issued by the root CA is always trusted.

Medium + Remote Checks
Use the same checks as Medium plus:
- Perform hostname validation to verify that one of the SAN entries matches the connection's FQDN. If necessary, the SAN entry used can be an IP address.
- For SIP, verify that the certificate source is authoritative for the SIP domain, in accordance with RFC 5922.

High + Remote Checks
Use the same checks as High plus the same additional checks as Medium + Remote Checks.
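To show how the levels above build on each other, here is an added Go example (written for this page using the standard crypto/x509 package; it is not Avaya's code) that applies the Medium, High and Medium + Remote Checks to a received certificate. The level names as strings, the roots/pinned pair standing in for the Trusted Certificate Store, the NewCert helper that issues constructed test certificates, and the RSA-only reading of the 2048-bit check are assumptions of the example; the RFC 5922 SIP-domain check is not modelled.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CheckReceived applies the Medium checks, then the High or Remote Checks additions; roots and pinned stand in for the TCS.
func CheckReceived(cert *x509.Certificate, roots *x509.CertPool, pinned map[string]bool, level string, purpose x509.ExtKeyUsage, fqdn string) error {
	if cert.KeyUsage == 0 { // R11.1.3+: the certificate must have a key usage defined
		return errors.New("medium: no key usage defined")
	}
	// Trust chain to a root CA in the TCS; KeyUsages makes Verify reject an EKU that does not match the purpose, and Verify also rejects unknown critical extensions.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{purpose}}
	if level == "Medium + Remote Checks" { // hostname validation: a DNS-name or IP-address SAN must match fqdn
		opts.DNSName = fqdn
	}
	if _, err := cert.Verify(opts); err != nil {
		return errors.New(level + ": " + err.Error())
	}
	if level == "High" {
		if k, ok := cert.PublicKey.(*rsa.PublicKey); !ok || k.N.BitLen() < 2048 { // assumption: RSA keys only
			return errors.New("high: public key is not 2048 bits or greater")
		}
		if cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
			return errors.New("high: certificate is self-signed")
		}
		if !pinned[string(cert.Raw)] { // strict trust domain: only a certificate already in the TCS is accepted
			return errors.New("high: certificate is not in the Trusted Certificate Store")
		}
	}
	return nil
}

// NewCert issues a constructed RSA-2048 test certificate: a self-signed root CA when parent is nil, else a server leaf for sans.
func NewCert(parent *x509.Certificate, parentKey *rsa.PrivateKey, sans []string) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: "ipo-test"},
		NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: sans, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil { // self-signed root CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, parent, parentKey = true, true, x509.KeyUsageCertSign, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

A leaf issued by a CA in roots passes Medium but fails High until its exact DER is added to pinned, and the CA itself fails High as self-signed even though it chains to the store.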
The certificate check levels are applied using the following IP Office settings:
Functions and their descriptions:

Administrator Access Checks
This setting is used for HTTPS/TLS administration connections to the system by applications such as IP Office Manager when the Service Security Level of the service being used is set to High.

SIP Lines / SM Lines
This security setting sets the certificate check level the IP Office uses for certificates it receives on SIP and SM line TLS telephony connections:
An identity certificate is not installed in all SIP phones. Therefore, for SIP, the IP Office does not require a client certificate from SIP phones, only from SIP and SM trunks.

IP Office Lines
This configuration setting sets the certificate check level used by an IP Office line:
(Line or ) | = High
This setting is available for IP Office lines with their Transport Type set to WebSocket Client or WebSocket Server. It applies regardless of the Received Certificate Checks (Management Interfaces) setting.
The Medium + Remote Checks and High + Remote Checks options are not available for this setting.
Applies to port 443.