The Mediatrix unit uses digital certificates, which are a collection of data used to verify the identity of individuals, computers, and other entities on a network.
- the certificate's name
- the issuer and issued to names
- the validity period (the certificate is not valid before or after this period)
- the use of certificates such as:
  - TlsClient: The certificate identifies a TLS client. A host authenticated by this kind of certificate can act as a client in a SIP over TLS connection when mutual authentication is required by the server.
  - TlsServer: The certificate identifies a TLS server. A host authenticated by this kind of certificate can serve files or web pages using the HTTPS protocol or can act as a server in a SIP over TLS connection.
- whether or not the certificate is owned by a Certification Authority (CA)
Although certificates are factory-installed, new ones can also be added. Because TLS certificates are validated against the current time (certificate validity/expiration dates, etc.), the use of NTP (Network Time Protocol) is mandatory when using the security features.
- Host Certificates: used to certify the unit (e.g.: a web server with HTTPS requires a host certificate).
- Others: Any other certificate including trusted CA certificates used to certify peers (e.g.: a SIP server with TLS).
- SipEp.InteropTlsCertificateValidation (also available in the DGW Web page under SIP/Interop)
The certificates must be uploaded to the Mediatrix units. They define how a Mediatrix unit will certify the remote host in order to mark it as secure and suitable for a TLS connection. If the Mediatrix unit does not trust the remote certificate (i.e. does not authenticate it with either one of the 3 methods: HostName, trustedCertificate, DnsSrv), then the Mediatrix unit will not establish the connection.
- for testing purposes,
- if one cannot identify the required CA cert, or
- the CA cert has mismatched Common Name/Subject Alternate Name. (In this case there is no fallback, it will fail if the name does not match)
- Configuration Web pages
- File transfers (scripts, firmwares, etc.) with HTTPS
- Configuration using TR-069
- Wired Ethernet Authentication with EAP (802.1x)
One common use of the host certificate is to allow HTTPS Web access to the unit (in this case, the device is the TLS server). For more details refer to the Technical Bulletins - Creating a Media5 Host Certificate with Open SSL document on the Media5 Documentation Portal.
Importing a Trusted CA or SIP Server Certificate through the Web Page
- Go to Management/Certificates.
- Click Activate unsecure certificate transfer.
- In the Certificate Import Through Web Browser table, from the Type selection list, select Other.
- Click Browse and select your certificate.
Note: The name of the certificate cannot have more than 50 characters.
- Click Import.
- Click Apply.
- Click restart required services located at the top of the page.
Importing a Host Certificate through the Web Page
- Go to Management/Certificates.
- Click Activate unsecure certificate transfer.
- From the Type selection list, select Host.
- Click Browse and select the Host certificate.
- Click Apply.
- In the Host Certificate Associations table, select the services that the Host Certificate should be associated with.
Note: A Host certificate is by default associated with all services. Several Host Certificates can be imported and associated with one or several services.
- Click Import.
- Click Apply.
Importing any Certificate through a Configuration Script
To use the Cert.InstallCertificate command, the provided content must be a valid certificate file encoded in Base64.
On a Linux system:
base64 --wrap=0 myCertificate.crt >
With the OpenSSL tool:
openssl base64 -A -in myCertificate.crt -out
Prepare the configuration script file with the wanted Cert.InstallCertificate command line to execute.
IMPORTANT: The FileContent argument requires the Base64 encoding of the whole certificate file, including the portions that may be already in Base64.
IMPORTANT: Double quotes must be used around the Base64 value of the FileContent argument.
Cert.InstallCertificate Name="MyCertificate.crt" Type="Host" FileContent="LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQ pNSUlFb3dJQkFBS0NBUUVBdXhLRE82Nm9LT2lnY0hRMXIxbG5YTGlRVD lSMG9Ra0UvcHBPRG85dlhaVnNjOEQ2CnV5RmxkUm9E...RESUtRNUt2V HYKK2lMZ1FMczltakhBVXJ1TlY5K0pKeDFzcHY4RlpwMD0KLS0tLS1FT kQgQ0VSVElGSUNBVEUtLS0tLQ=="
Note: For more details about the Cert.InstallCertificate command, refer to the DGW Configuration Guide - Reference Guide published on the Media5 Documentation Portal.
Note: For more details on size limitation with configuration script file, refer to the DGW Configuration Guide - Limitations of DGW Platforms document published on the Media5 Documentation Portal.
- Go to Management/Configuration Scripts/Execute.
- If you are not using HTTPS, click Activate unsecure file importation from the Web browser.
- In the Upload Script Through Web Browser table, browse to the location of the file you wish to import.
- Click Upload and Execute.
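The script-preparation steps above, as an added example that is not part of the original document or of Media5's tooling: a POSIX shell helper that builds the Cert.InstallCertificate line with the whole file Base64-encoded on one line inside double quotes, plus a decoder for a round-trip check before upload. The helper names, the reuse of the 50-character name limit from the Web import note, and Type="Other" (taken from the Web page's Type list) are assumptions.

```shell
#!/bin/sh
# Added example. make_install_line and decode_install_line are hypothetical
# helper names, not DGW commands.

# Print one Cert.InstallCertificate line for a certificate file.
make_install_line() {
    cert_file=$1; cert_name=$2; cert_type=$3

    [ -s "$cert_file" ] && [ -r "$cert_file" ] ||
        { echo "error: $cert_file is missing, empty or unreadable" >&2; return 1; }

    # Assumption: the 50-character name limit from the Web import note applies here too.
    if [ -z "$cert_name" ] || [ "${#cert_name}" -gt 50 ]; then
        echo "error: Name must be 1 to 50 characters" >&2; return 1
    fi
    # A double quote inside Name would terminate the quoted argument early.
    case $cert_name in
        *'"'*) echo "error: Name must not contain a double quote" >&2; return 1 ;;
    esac

    # Host appears in the page's command; Other is taken from the Web page Type list.
    case $cert_type in
        Host|Other) ;;
        *) echo "error: Type must be Host or Other" >&2; return 1 ;;
    esac

    # Encode the whole file (PEM armor included) and strip the encoder's line
    # wraps so the value stays on one line inside the double quotes.
    content=$(base64 < "$cert_file" | tr -d '\r\n') || return 1

    printf 'Cert.InstallCertificate Name="%s" Type="%s" FileContent="%s"\n' \
        "$cert_name" "$cert_type" "$content"
}

# Decode the FileContent value of a generated line back to the original bytes,
# so the script can be compared with the source file before it is uploaded.
decode_install_line() {
    printf '%s\n' "$1" | sed -n 's/.*FileContent="\([^"]*\)".*/\1/p' | base64 -d
}

# Demo on a constructed file (placeholder text, not a real certificate).
demo=$(mktemp) && printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$demo"
make_install_line "$demo" "MyTrustedCA.crt" "Other"
rm -f "$demo"
```

The FileContent value in the page's own Host example begins with the Base64 of a PEM private-key header, so a script generated for a Host certificate carries the key material and should be stored and transferred with the same care as the key itself.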
Supported Certificate Types and Key Strength
DGW supports the following certificate types and key strength for TLS connections:
- RSA certificates up to 4096-bit keys
- ECDSA certificates with the secp256r1, secp384r1, and secp521r1 curves
- ECDSA is supported starting from DGW 47.0
And the following hashing algorithm:
- Up to SHA-512
Trusted CA Certificate Content Example
-----BEGIN CERTIFICATE----- MIICNTCCAZ6gAwIBAgIJANYsw8F6ocdbMA0GCSqGSIb3DQEBBQUAMEQxEzARBgoJ kiaJk/IsZAEZFgNjb20xGTAXBgoJkiaJk/IsZAEZFgltZWRpYXRyaXgxEjAQBgNV BAMTCU1lZGlhNWRldjAeFw0wODA4MzExNzQwMTBaFw0xODA4MzExNzQwMTBaMEQx EzARBgoJkiaJk/IsZAEZFgNjb20xGTAXBgoJkiaJk/IsZAEZFgltZWRpYXRyaXgx EjAQBgNVBAMTCU1lZGlhNWRldjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA 3TJm6UbpfidGJ/kURz3/kwr8lOLY+Fe28O/Iq9Klq5m5G0NEbl8aF3+EbSPTV8GU YlnzXdHHrAVDP5f3gPJU2+obWxbmQSlqvjx6QdxAhNcGTdPv7UGatQapCmQe1/Ct 2qtlqXrxG/bTPv+Vt/WKPmFEA+hjkVJ1hQgQLAUpD2MCAwEAAaMvMC0wDAYDVR0T BAUwAwEB/zAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcN AQEFBQADgYEALhFUmWUROV7UTf/Zy3hmZDWyjd8YcuAkb+TrdvK7yHJHTqC0DdvB L10REHz6Ch7WCiydR8JLj0fAK+kXGYj9VdWj+qvlTnV4PBEvNzA3bbHBqVoOupJM aDT7atCeNRJ8ipcy7MHN00FRbEW0XKhwnDxQnX2tz0myAeAnDHe5bsQ= -----END CERTIFICATE-----
If you are not familiar with the meaning of the fields and buttons, click Show Help, located at the upper right corner of the Web page. When activated, the fields and buttons that offer online help will change to green and if you hover over them, the description will be displayed.
Mediatrix devices are supplied with an exhaustive set of documentation.
Mediatrix user documentation is available on the Media5 Documentation Portal.
- Release notes: Generated at each GA release, this document includes the known and solved issues of the software. It also outlines the changes and the new features the release includes.
- Configuration notes: These documents are created to facilitate the configuration of a specific use case. They address a configuration aspect we consider that most users will need to perform. However, in some cases, a configuration note is created after receiving a question from a customer. They provide standard step-by-step procedures detailing the values of the parameters to use. They provide a means of validation and present some conceptual information. The configuration notes are specifically created to guide the user through an aspect of the configuration.
- Technical bulletins: These documents are created to facilitate the configuration of a specific technical action, such as performing a firmware upgrade.
- Hardware installation guide: These guides provide the detailed procedure on how to safely and adequately install the unit. They provide information on card installation, cable connections, and how to access the Management interface for the first time.
- User guide: The user guide explains how to customise to your needs the configuration of the unit. Although this document is task oriented, it provides conceptual information to help the user understand the purpose and impact of each task. The User Guide will provide information such as where and how TR-069 can be configured in the Management Interface, how to set firewalls, or how to use the CLI to configure parameters that are not available in the Management Interface.
- Reference guide: This exhaustive document has been created for advanced users. It includes a description of all the parameters used by all the services of the Mediatrix units. You will find, for example, scripts to configure a specific parameter, notification messages sent by a service, or an action description used to create Rulesets. This document includes reference information such as a dictionary, and it does not include any step-by-step procedures.
Copyright © 2022 Media5 Corporation.
This document contains information that is proprietary to Media5 Corporation.
Media5 Corporation reserves all rights to this document as well as to the Intellectual Property of the document and the technology and know-how that it includes and represents.
This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever, without written prior approval by Media5 Corporation.
Media5 Corporation reserves the right to revise this publication and make changes at any time and without the obligation to notify any person and/or entity of such revisions and/or changes.