The Mediatrix unit uses digital certificates, which are a collection of data used to
verify the identity of individuals, computers, and other entities on a network. A
certificate carries the following information:
- the certificate's name
- the issuer and issued-to names
- the validity period (the certificate is not valid before or after this period)
- the use of the certificate, such as:
  - TlsClient: the certificate identifies a TLS client. A host authenticated by this
    kind of certificate can act as a client in a SIP over TLS connection when mutual
    authentication is required by the server.
  - TlsServer: the certificate identifies a TLS server. A host authenticated by this
    kind of certificate can serve files or web pages using the HTTPS protocol or can act
    as a server in a SIP over TLS connection.
- whether or not the certificate is owned by a Certification Authority (CA)
Although certificates are factory-installed, new ones can also be added. Since certificates
have a validity period (start date and expiry date), the use of NTP (Network Time Protocol) is
mandatory when using the security features: a unit whose clock is wrong will reject
certificates that are in fact valid, or accept ones that have already expired.
The Mediatrix unit uses two types of certificates:
- Host Certificates: used to certify the unit itself (e.g.: a web server with HTTPS requires a
  Host certificate).
- Others: any other certificate, including trusted CA certificates used to certify peers
  (e.g.: a SIP server with TLS).
To enable a TLS connection on Mediatrix units, no CA certificate needs to be installed if the
respective parameter for each secure service (e.g. SIP, Conf, Cwmp, etc.) has the NoValidation
value. Note that NoValidation still encrypts the connection but does not authenticate the peer,
so it gives no protection against an attacker impersonating the server. If the value is
different from NoValidation, then at least one CA certificate needs to be installed; this
certificate must be uploaded to the Mediatrix unit. The Mediatrix unit then checks the server
identity by validating the host name used to contact it against the information found in the
server's certificate. If the validation fails, the Mediatrix unit refuses the secure
connection. For the SIP over TLS service, there are four (4) levels of validation: HostName,
trustedCertificate, DNSSRV, and NoValidation (for a complete description of the validation
levels, refer to the Help of the DGW Web interface under SIP/Interop). The way the remote peer
is evaluated for a secure connection differs for each level. Remember that the unit must be
correctly configured with an SNTP server because the TLS server certificate is also validated
in terms of time (certificate validity/expiration dates, etc.).
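The following is an added example, not Mediatrix code: a small Python model of the decision the unit makes for each validation level, so the differences between the levels and the effect of a wrong clock can be exercised offline. The certificate is a constructed record standing in for the parsed X.509 certificate; the CA name, host names, dates and the exact meaning of the trustedCertificate and DNSSRV levels (chain trust only, and name match against the DNS SRV target host) are assumptions, not taken from the DGW documentation.

```python
"""Model of the DGW TLS peer-validation levels (added example, not Mediatrix code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Cert:
    """Constructed stand-in for the fields read from a peer's X.509 certificate."""
    subject_cn: str
    issuer: str
    not_before: datetime
    not_after: datetime
    san_dns: list = field(default_factory=list)   # subjectAltName dNSName entries


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS name match: case-insensitive, one leading '*.' label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".")
        # the wildcard stands for exactly one label and must leave two or more
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def cert_names(cert: Cert) -> list:
    # SAN entries take precedence; the CN is only a fallback when SAN is empty
    return cert.san_dns if cert.san_dns else [cert.subject_cn]


def validate(cert, level, contact_host, now, trusted_cas, srv_target=None):
    """Return (accepted, reason) for one of the four validation levels.

    Levels use the spelling from the DGW documentation. The checks for
    trustedCertificate and DNSSRV are assumed from their names.
    """
    if level == "NoValidation":
        return True, "no validation (encrypted but peer is not authenticated)"
    # every other level needs a chain to an installed CA and a valid time window
    if cert.issuer not in trusted_cas:
        return False, "issuer is not among the installed CA certificates"
    if not (cert.not_before <= now <= cert.not_after):
        return False, "outside validity period (check the unit's SNTP configuration)"
    if level == "trustedCertificate":
        return True, "trusted chain and validity period ok"
    expected = {"HostName": contact_host, "DNSSRV": srv_target}.get(level)
    if expected is None:
        return False, "unknown level or no SRV target to validate against"
    if any(name_matches(n, expected) for n in cert_names(cert)):
        return True, f"certificate name matches {expected!r}"
    return False, f"no certificate name matches {expected!r}"


# Constructed sample data (assumed names and dates, not from the page)
TRUSTED_CAS = {"CN=Example Voice CA"}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
WRONG_CLOCK = datetime(2000, 1, 1, tzinfo=timezone.utc)   # unit booted without SNTP sync
PROXY_CERT = Cert(
    subject_cn="sip.example.com",
    issuer="CN=Example Voice CA",
    not_before=datetime(2024, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2025, 1, 1, tzinfo=timezone.utc),
    san_dns=["sip.example.com", "*.sip.example.net"],
)


def demo():
    cases = [
        ("HostName", "sip.example.com", NOW, TRUSTED_CAS, None),
        ("HostName", "proxy.example.org", NOW, TRUSTED_CAS, None),
        ("DNSSRV", "example.net", NOW, TRUSTED_CAS, "sip1.sip.example.net"),
        ("trustedCertificate", "anything.example", NOW, TRUSTED_CAS, None),
        ("HostName", "sip.example.com", WRONG_CLOCK, TRUSTED_CAS, None),
        ("HostName", "sip.example.com", NOW, set(), None),
        ("NoValidation", "sip.example.com", NOW, set(), None),
    ]
    for level, host, now, cas, srv in cases:
        ok, why = validate(PROXY_CERT, level, host, now, cas, srv_target=srv)
        print(f"{level:>18} {host:<20} -> {'ACCEPT' if ok else 'REJECT'}: {why}")


if __name__ == "__main__":
    demo()
```

The wrong-clock case is the one that bites in practice: the certificate, CA and host name are all correct, yet the unit refuses the connection because its own time is outside the validity window, which is why the documentation makes the SNTP requirement mandatory rather than optional.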
Consider, for example, a setup with two Mediatrix gateways and no SIP proxy in the middle. At
least one of the units will require a Host certificate. If only one unit has a Host
certificate, calls will be allowed in only one direction (Unit 1 calls Unit 2, since the unit
receiving the call acts as the TLS server and must present a Host certificate). For
bi-directional calls, both Mediatrix units require a Host certificate. By default it is not
possible to upload a Host certificate without first clicking on Activate unsecure certificate
transfer. This is because the certificate upload is done in clear text, which means the private
key that accompanies the Host certificate is susceptible to interception; perform such uploads
only from a trusted management network.
Certificates are used to secure the following connections:
- Configuration Web pages
- File transfers (scripts, firmware, etc.) with HTTPS
- Configuration using TR-069
- Wired Ethernet Authentication with EAP (802.1X)