IP Office Security Guidelines
Procedure
- Before installation, review the information and recommendations in Certificates and Trust to determine the system's certificate and trust requirements.
- If required, administer a new platform identity certificate:
  - The new identity certificate should be in a 'p12' or 'pfx' file.
  - Ideally, all certificates used to sign the new identity certificate should be in the same file.
  - If the signing certificates are in separate files, use IP Office Manager security to upload each one.
  - Activate the IP Office Manager security setting .
  - Use IP Office Manager security setting to upload the identity certificate file.
  - The identity certificate is automatically propagated to all TLS/HTTPS interfaces of the server, and any signing certificates are placed in the Trusted Certificate Store (TCS).
- If a separate telephony identity certificate is required, it should be administered using IP Office Manager security settings.
- The default certificates trusted by IP Office should be removed if not required. This is achieved by placing a copy of the certificate in the system/primary/certificates/tcs/delete directory using the IP Office Manager or IP Office Web Manager's File Manager.
- Any default certificates to be trusted by IP Office should be added to the system/primary/certificates/tcs/add directory. See Default Trusted Certificates for more information and how to create the certificate files.
- If the server's LAN IP address, SIP domain or FQDN changes, the identity certificate must be regenerated. An IP500 V2, Secondary or Linux Expansion Server always requires manual regeneration. On a Primary or Linux Application Server, regeneration is automatic if the IP Office Web Manager menu setting is active (default).
- After ensuring that all other IP Office components' identity certificates are correctly configured, set the received certificate check levels using the settings:
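Relating to the identity certificate step earlier in this procedure, the following added example (not part of the Avaya guideline or its tooling) checks before upload whether a 'p12' or 'pfx' file carries every signing certificate alongside the identity certificate. The function names, the password `demo` and the host name `ipo.example.test` are assumptions made for illustration, and the demo bundles are constructed sample input.

```shell
#!/bin/sh
# Added example, not Avaya tooling. Requires OpenSSL 1.1.0 or later.
# Usage: p12_has_full_chain identity.p12 'password' && echo "chain complete"

# Return 0 only if the identity certificate in file $1 (password $2) chains
# to a self-signed root using solely the CA certificates in the same file.
p12_has_full_chain() {
    work=$(mktemp -d) || return 2
    # Identity (leaf) certificate: the one paired with the private key.
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
        -out "$work/leaf.pem" 2>/dev/null
    # Every other certificate in the bundle, i.e. the signing certificates.
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts \
        -out "$work/chain.pem" 2>/dev/null
    # -no-CApath keeps the operating system trust store out of the decision.
    openssl verify -no-CApath -CAfile "$work/chain.pem" "$work/leaf.pem" \
        >/dev/null 2>&1
    rc=$?
    rm -rf "$work"
    return "$rc"
}

# Constructed sample input: a throwaway CA, an identity certificate signed by
# it, and two bundles in directory $1 (hypothetical names, password "demo").
#   full.p12      identity certificate plus its signing certificate
#   leaf-only.p12 identity certificate alone
make_demo_bundles() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ipo.example.test" \
        -keyout "$d/id.key" -out "$d/id.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/id.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/id.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/id.key" -in "$d/id.pem" \
        -certfile "$d/ca.pem" -passout pass:demo -out "$d/full.p12" &&
    openssl pkcs12 -export -inkey "$d/id.key" -in "$d/id.pem" \
        -passout pass:demo -out "$d/leaf-only.p12"
}
```

A bundle that fails this check needs its signing certificates uploaded separately, as the procedure describes. For a real bundle, prefer OpenSSL's `file:` or `env:` password sources over `pass:`, which exposes the password in the process list.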