SIP Identity Certificate attributes

Last Updated: Aug 20, 2020

Generate the Session Manager SIP Identity Certificate with the following X509v3 extensions and attributes.

| Attribute | Value | Required? |
|---|---|---|
| Authority Information Access | OCSP - URI:http://{ocsp-server}{:ocsp-port}{/ocsp-path} | Optional |
| Authority Key Identifier | hash | Required [1] |
| CRL Distribution Points | URI:http://{crl-server}{:crl-port}{/crl-path} | Recommended |
| | URI:ldap://{crl-server}{:crl-port}{/crl-dn} [2] | Recommended |
| Extended Key Usage | id-kp-serverAuth = 1.3.6.1.5.5.7.3.2.1 | Required |
| | id-kp-clientAuth = 1.3.6.1.5.5.7.3.2.2 | Optional [3] |
| | id-kp-sipDomain = 1.3.6.1.5.5.7.3.20 | Contraindicated [4] |
| Key Usage | digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment | All values are Optional [5] |
| Subject | CN={fqdn} | Required |
| Subject Alternative Name | IP:{ip} | Optional |
| | URI:sip:{domain} | Required [6] |
| | DNS:{domain} | Required [7] |
| | DNS:{fqdn} | Required |
| Subject Key Identifier | hash | Recommended |
| Validity | validity period | Required |

[1] Authority key identifiers are required elements in end entity certificates to properly establish the trust chain.
[2] URLs and DNs that identify the location of CRLs in LDAP directories can be complex. Entities must be able to handle characters as defined by the LDAP URI specification in RFC 4516.
[3] Required if the same Identity Certificate is used when the server is acting as a client.
[4] Validation of the presence of the id-kp-sipDomain extended key usage as described in RFC 5924 is discouraged, as it limits use of the certificate to SIP only and forces certificate proliferation.
[5] Values may vary as specified in RFC 5280 and RFC 3279.
[6] The SIP domain may not be known at install time, so the URI:sip:{domain} Subject Alternative Name value suggested by RFC 5922 is not likely to be present.
[7] See Footnote 6. Also, the 96xx endpoints require the SIP domain to be present in the CN or as a DNS:{domain} entry in the Subject Alternative Name field.
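The following shell script is an added example, not part of this page or of the Session Manager product: it turns the table above into an OpenSSL extension profile, issues a certificate against a throwaway test CA (standing in for the real issuing CA), and then checks the result for every attribute the table marks Required, reporting the Recommended ones and flagging the contraindicated id-kp-sipDomain if it appears. All concrete values are constructed assumptions: sm.example.com as {fqdn}, example.com as {domain}, 192.0.2.10 as {ip}, the CRL and OCSP URLs, RSA 2048-bit keys, a 365-day validity period, and digitalSignature plus keyEncipherment as the Key Usage choice (the table leaves all Key Usage values optional). The Extended Key Usage is written with OpenSSL's short names serverAuth and clientAuth rather than dotted OIDs.

```shell
#!/bin/sh
# Added example: build and verify a Session Manager-style SIP Identity Certificate
# with OpenSSL. Requires the openssl CLI; everything else is generated locally.
set -eu

WORK="${TMPDIR:-/tmp}/sip-cert-demo.$$"
mkdir -p "$WORK"

# Extension profile mirroring the attribute table. [v3_sip] is the identity
# certificate; [v3_ca] is only for the throwaway test CA used to sign it.
# Sample names/addresses are constructed, not from the page.
write_profile() {
  cat > "$WORK/sip.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = sm.example.com

[ v3_sip ]
# Subject Key Identifier: Recommended. Authority Key Identifier: Required.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# Key Usage: all values optional; digitalSignature + keyEncipherment chosen here (assumption).
keyUsage = digitalSignature, keyEncipherment
# serverAuth Required, clientAuth Optional (needed when the server also acts as client).
# id-kp-sipDomain is deliberately absent (contraindicated in the table).
extendedKeyUsage = serverAuth, clientAuth
# DNS:{fqdn} and DNS:{domain} Required, URI:sip:{domain} Required when known, IP:{ip} Optional.
subjectAltName = DNS:sm.example.com, DNS:example.com, URI:sip:example.com, IP:192.0.2.10
# CRL Distribution Points: Recommended (HTTP form only; LDAP form omitted here).
crlDistributionPoints = URI:http://crl.example.com/sip.crl
# Authority Information Access: Optional.
authorityInfoAccess = OCSP;URI:http://ocsp.example.com/ocsp

[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Throwaway CA so the example runs offline; a real deployment uses the enterprise CA.
make_test_ca() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -out "$WORK/ca.crt" -days 3650 \
    -subj '/CN=SIP Test CA' -config "$WORK/sip.cnf" -extensions v3_ca 2>/dev/null
}

# Generate the identity key, a CSR with CN={fqdn}, and sign it with the [v3_sip] profile.
issue_sip_cert() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/sm.key" 2>/dev/null
  openssl req -new -key "$WORK/sm.key" -out "$WORK/sm.csr" -config "$WORK/sip.cnf"
  openssl x509 -req -in "$WORK/sm.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/sip.cnf" -extensions v3_sip \
    -out "$WORK/sm.crt" 2>/dev/null
}

# Return 0 only when every Required attribute is present in the certificate text.
# Recommended attributes produce a warning; id-kp-sipDomain produces a warning if found.
check_sip_cert() {
  cert="$1"
  text=$(openssl x509 -in "$cert" -noout -text)
  rc=0
  for pattern in \
    'Subject:.*CN *= *sm\.example\.com' \
    'X509v3 Authority Key Identifier' \
    'TLS Web Server Authentication' \
    'DNS:sm\.example\.com' \
    'DNS:example\.com' \
    'URI:sip:example\.com'; do
    if ! printf '%s\n' "$text" | grep -q "$pattern"; then
      echo "MISSING (required): $pattern" >&2
      rc=1
    fi
  done
  for pattern in 'X509v3 Subject Key Identifier' 'X509v3 CRL Distribution Points'; do
    printf '%s\n' "$text" | grep -q "$pattern" \
      || echo "missing (recommended): $pattern" >&2
  done
  if printf '%s\n' "$text" | grep -q 'SIP Domain\|1\.3\.6\.1\.5\.5\.7\.3\.20'; then
    echo "WARNING: id-kp-sipDomain present (contraindicated)" >&2
  fi
  return $rc
}

main() {
  write_profile
  make_test_ca
  issue_sip_cert
  check_sip_cert "$WORK/sm.crt" && echo "OK: $WORK/sm.crt carries all Required attributes"
}

main
```

Run it as-is and inspect `$WORK/sm.crt` with `openssl x509 -noout -text` to see each extension as the table lists it; the check function is what you would point at a certificate returned by the real CA before loading it into Session Manager. The CA certificate is a useful negative case, since it carries none of the SAN or EKU values and fails the same check.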