<!DOCTYPE html
SYSTEM "about:legacy-compat">
<html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta charset="UTF-8"><meta name="copyright" content="(C) Copyright 2022"><meta name="DC.rights.owner" content="(C) Copyright 2022"><meta name="DC.type" content="concept"><meta name="description" content="The Mediatrix unit uses digital certificates, which are a collection of data used to verify the identity of individuals, computers, and other entities on a network."><meta name="prodname" content=""><meta name="version" content="DGW 4849.50.27182809"><meta name="platform" content="All Mediatrix Units Except the Mediatrix 4102S"><meta name="DC.date.modified" content="2022-0511-0410"><meta name="DC.date.issued" content="2022-0511-0410"><meta name="DC.date.available" content="2022-0511-0410"><meta name="ChapterNumbering" content="no"><meta name="DC.format" content="HTML5"><meta name="DC.identifier" content="concept_bxv_zxl_ls"><link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet"><link rel="stylesheet" type="text/css" href="https://documentation.media5corp.com/download/attachments/45482024/commonltr.css"><link rel="stylesheet" type="text/css" href="https://documentation.media5corp.com/download/attachments/45482024/custom.css"><title>Using Trusted CA and Host Certificates</title></head><body><header role="banner"><div class="topicmeta title">Using Trusted CA and Host Certificates</div><div class="topicmeta date">2022-0511-04<10</div><div class="topicmeta product"></div><div class="topicmeta version">DGW 4849.50.2718<2809</div><div class="topicmeta pdf"><a href="https://documentation.media5corp.com/download/attachments/45482024/Using%20Trusted%20CA%20and%20Host%20Certificates.pdf" rel="nofollow">Download PDF Document</a></div><hr><span style="float: inline-end;"></span></header><nav role="toc"><ul><li><a href="#concept_bxv_zxl_ls">Certificates</a><ul><li><a href="#task_fqx_v1m_ls">Importing a Trusted CA or SIP Server Certificate through the Web 
Page</a></li><li><a href="#unique_10185599911066372796">Importing a Host Certificate through the Web Page</a></li><li><a href="#unique_3632040091483350662">Importing any Certificate through a Configuration Script</a></li></ul></li><li><a href="#concept_z45_rl3_bet">Supported Certificate Types and Key Strength</a></li><li><a href="#reference_bh2_vbj_ybb">Trusted CA Certificate Content Example </a></li><li><a href="#reference_j4g_nbv_gfb">Online Help</a></li><li><a href="#concept_v4k_q3h_1r">DGW Documentation</a></li><li><a href="#concept_fqm_rv4_k4">Copyright Notice</a></li></ul></nav><main role="main"><article role="article" aria-labelledby="ariaid-title1"><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="nested0" aria-labelledby="ariaid-title1" id="concept_bxv_zxl_ls">
<h1 class="title topictitle1" id="ariaid-title1">Certificates</h1>
<div class="body conbody"><p class="shortdesc">The Mediatrix unit uses digital certificates, which are a collection of data used to
verify the identity of individuals, computers, and other entities on a network. </p>
<div class="p">Certificates contain:<ul class="ul" id="concept_bxv_zxl_ls__ul_wjn_v33_ns">
<li class="li">the certificate's name</li>
<li class="li">the issuer and issued to names </li>
<li class="li">the validity period (the certificate is not valid before or after this period) </li>
<li class="li">the use of certificates such as:<ul class="ul" id="concept_bxv_zxl_ls__ul_jyv_x33_ns">
<li class="li">TlsClient: The certificate identifies a TLS client. A host authenticated by this
kind of certificate can act as a client in a SIP over TLS connection when mutual
authentication is required by the server.</li>
<li class="li">TlsServer: The certificate identifies a TLS server. A host authenticated by this
kind of certificate can serve files or web pages using the HTTPS protocol or can act
as a server in a SIP over TLS connection.</li>
</ul></li>
<li class="li">whether or not the certificate is owned by a Certification Authority (CA)</li>
</ul></div>
<p class="p">Although certificates are factory-installed, new ones can also be added. Since TLS
certificates are validated against the current time (validity start date, expiration date, etc.),
the use of NTP (Network Time Protocol) is mandatory when using the security features. </p>
<div class="p">The Mediatrix unit uses two types of certificates: <ul class="ul" id="concept_bxv_zxl_ls__ul_bkm_gj3_ns">
<li class="li">Host Certificates: used to certify the unit (e.g.: a web server with HTTPS requires a
host certificate).</li>
<li class="li">Others: Any other certificate including trusted CA certificates used to certify peers
(e.g.: a SIP server with TLS).</li>
</ul></div>
<div class="p">The Conf, Cwmp, Eth, Fpu, Nlm, Sbc, and SipEp services are considered secure because they require
certificate validation to establish a secure connection to a remote host. The following
parameters, available through the CLI, determine whether or not the connection to the
remote host is validated against the service certificate. By default, these parameters are
set to a value that requires validation.<ul class="ul" id="concept_bxv_zxl_ls__ul_qs1_bnf_r3b">
<li class="li">Conf.ScriptsTransferCertificateValidation</li>
<li class="li">Cwmp.TransportCertificateValidation</li>
<li class="li">Eth.Eap.CertificateValidation</li>
<li class="li">Fpu.MfpTransferCertificateValidation</li>
<li class="li">Nlm.PCaptureTransferCertificateValidation</li>
<li class="li">Sbc.CertificateValidation</li>
<li class="li">SipEp.InteropTlsCertificateValidation (also available in the DGW Web page under
SIP/Interop)</li>
</ul></div>
<p class="p">The certificates must be uploaded to the Mediatrix unit. They define how the Mediatrix unit
certifies the remote host in order to mark it as secure and suitable for a TLS connection.
If the Mediatrix unit does not trust the remote certificate (i.e. cannot authenticate it
with any of the three methods: HostName, trustedCertificate, DnsSrv), the Mediatrix
unit will not establish the connection.</p>
<div class="p">By default it is not possible to upload a Host certificate without first clicking Activate
unsecure certificate transfer. This is because the certificate upload will be done in clear
text, which means the private key will be susceptible to interception. Establishing a
connection without certificate validation, i.e. establishing an unsecure connection, should
only be used:<ul class="ul" id="concept_bxv_zxl_ls__ul_cyh_b14_nkb">
<li class="li">for testing purposes,</li>
<li class="li">if one cannot identify the required CA cert, or</li>
<li class="li">if the CA cert has a mismatched Common Name/Subject Alternative Name (in this case there is no
fallback; the connection fails if the name does not match).</li>
</ul></div>
<div class="p">Certificates are used to secure the following connections:<ul class="ul" id="concept_bxv_zxl_ls__ul_i4n_mbb_br">
<li class="li">SIP</li>
<li class="li">Configuration Web pages</li>
<li class="li">File transfers (scripts, firmwares, etc.) with HTTPS</li>
<li class="li">Configuration using TR-069</li>
<li class="li">Wired Ethernet Authentication with EAP (802.1x) </li>
</ul></div>
<p class="p">One common use of the host certificate is to allow HTTPS Web access to the unit (in
which case the device is the TLS server). For more details, refer to the <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/Creating+a+Media5+Device+Host+Certificate+with+OpenSSL" target="_blank">Technical Bulletins - Creating a Media5 Host Certificate with
OpenSSL</a> document on the <a class="xref" href="https://documentation.media5corp.com/" target="_blank">Media5 Documentation Portal</a>.</p>
</div>
<hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested1" aria-labelledby="ariaid-title2" id="task_fqx_v1m_ls">
<h2 class="title topictitle2" id="ariaid-title2">Importing a Trusted CA or SIP Server Certificate through the Web Page</h2>
<div class="body taskbody">
<section class="section prereq"><div class="tasklabel"><strong class="sectiontitle tasklabel">Before you begin</strong></div>You must have an SNTP server for time tracking.</section>
<section><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps"><li class="li step stepexpand">
<span class="ph cmd">Go to <span class="keyword wintitle">Management</span>/<span class="keyword wintitle">Certificates</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">Click <span class="keyword wintitle">Activate unsecure certificate
transfer</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">In the <span class="keyword wintitle">Certificate Import Through Web
Browser</span> table, from the <span class="keyword wintitle">Type</span> selection list, select <span class="keyword wintitle">Other</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">Click <span class="keyword wintitle">Browse</span> and
select your certificate.</span>
<div class="itemgroup info">
<div class="note note note_note"><span class="note__title">Note:</span> The name of the certificate cannot have more than 50 characters. </div>
</div>
</li><li class="li step stepexpand">
<span class="ph cmd">Click <span class="keyword wintitle">Import</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">Click <span class="keyword wintitle">Apply</span>. </span>
</li><li class="li step stepexpand">
<span class="ph cmd">Click <span class="ph uicontrol">restart required services</span>
located at the top of the page. </span>
</li></ol></section>
<section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>
<br><img class="image" id="task_fqx_v1m_ls__image_e3w_dbj_ybb" src="https://documentation.media5corp.com/download/attachments/45482024/Certificates_CaCertificate2.png" width="800"><br>
<div class="note note note_note"><span class="note__title">Note:</span> Make sure to associate the certificate with the appropriate service. If you are using
the SBC service, only one certificate should be associated with it.</div>
</section>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested1" aria-labelledby="ariaid-title3" id="unique_10185599911066372796">
<h2 class="title topictitle2" id="ariaid-title3">Importing a Host Certificate through the Web Page</h2>
<div class="body taskbody">
<section class="section prereq"><div class="tasklabel"><strong class="sectiontitle tasklabel">Before you begin</strong></div>You must have an SNTP server for current date and time.</section>
<section><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps"><li class="li step stepexpand">
<span class="ph cmd">Go to <span class="keyword wintitle">Management</span>/<span class="keyword wintitle">Certificates</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">Click <span class="keyword wintitle">Activate unsecure certificate
transfer</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">From the <span class="keyword wintitle">Type</span>
selection list, select <span class="keyword wintitle">Host</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">Click <span class="keyword wintitle">Browse</span> and
select the Host certificate.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">Click <span class="keyword wintitle">Apply</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">In the <span class="keyword wintitle">Host Certificate Associations</span>
table, select the services the Host Certificate should be associated
with.</span>
<div class="itemgroup info">
<div class="note note note_note"><span class="note__title">Note:</span> A Host certificate is by default associated with all services. Several
Host Certificates can be imported and associated with one or several
services.</div>
</div>
</li><li class="li step stepexpand">
<span class="ph cmd">Click <span class="keyword wintitle">Import</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">Click <span class="keyword wintitle">Apply</span>. </span>
</li></ol></section>
<section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>This is an example of the result of a Host Certificate imported and associated with
all services.
<br><img class="image" id="unique_10185599911066372796__image_ash_jhw_1v" src="https://documentation.media5corp.com/download/attachments/45482024/Certificates_HostCertificateImport.png" width="800"><br></section>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested1" aria-labelledby="ariaid-title4" id="unique_3632040091483350662">
<h2 class="title topictitle2" id="ariaid-title4">Importing any Certificate through a Configuration Script</h2>
<div class="body taskbody">
<section class="section context"><div class="tasklabel"><strong class="sectiontitle tasklabel">Context</strong></div>
<p class="p">To use the <span class="keyword cmdname">Cert.InstallCertificate</span> command, the provided content
must be a valid certificate file encoded in Base64.</p>
<p class="p">On a Linux system: <code class="ph codeph">base64 --wrap=0 myCertificate.crt >
myBase64File.txt</code></p>
<p class="p">With OpenSSL tool: <code class="ph codeph">openssl base64 -A -in myCertificate.crt -out
myBase64File.txt</code></p>
</section>
<section><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps"><li class="li step stepexpand">
<span class="ph cmd">Prepare the configuration script file with the wanted
<span class="keyword cmdname">Cert.InstallCertificate</span> command line to execute.</span>
<div class="itemgroup info">
<div class="note important note_important"><span class="note__title">IMPORTANT:</span> The <var class="keyword varname">FileContent</var> argument requires the
Base64 encoding of the whole certificate file, including the portions that
may already be in Base64.</div>
<div class="note important note_important"><span class="note__title">IMPORTANT:</span> Double quotes must be used around the Base64 value of the
<var class="keyword varname">FileContent</var> argument.</div>
</div>
<div class="itemgroup stepxmp">
<pre class="pre codeblock"><code>Cert.InstallCertificate
Name="MyCertificate.crt" Type="Host"
FileContent="LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQ
pNSUlFb3dJQkFBS0NBUUVBdXhLRE82Nm9LT2lnY0hRMXIxbG5YTGlRVD
lSMG9Ra0UvcHBPRG85dlhaVnNjOEQ2CnV5RmxkUm9E...RESUtRNUt2V
HYKK2lMZ1FMczltakhBVXJ1TlY5K0pKeDFzcHY4RlpwMD0KLS0tLS1FT
kQgQ0VSVElGSUNBVEUtLS0tLQ=="</code></pre>
</div>
<div class="itemgroup info">
<div class="note note note_note"><span class="note__title">Note:</span> For more details about the <span class="keyword cmdname">Cert.InstallCertificate</span>
command, refer to the <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/Reference+Guide" target="_blank">DGW Configuration Guide - Reference
Guide</a> published on the <a class="xref" href="https://documentation.media5corp.com/" target="_blank">Media5 Documentation Portal</a>.</div>
</div>
<div class="itemgroup info">
<div class="note note note_note"><span class="note__title">Note:</span> For more details on the size limitation of configuration script files, refer
to the <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/Limitations+of+DGW+Platforms" target="_blank">DGW Configuration Guide - Limitations of
DGW Platforms</a> document published on the <a class="xref" href="http://documentation.media5corp.com" target="_blank">Media5 Documentation Portal</a>.</div>
</div>
</li><li class="li step stepexpand">
<span class="ph cmd">Go to <span class="keyword wintitle">Management</span>/<span class="keyword wintitle">Configuration Scripts</span>/<span class="keyword wintitle">Execute</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">If you are not using HTTPS, click <span class="keyword wintitle">Activate unsecure
file importation from the Web browser</span>. </span>
</li><li class="li step stepexpand">
<span class="ph cmd">In the <span class="keyword wintitle">Upload Script Through Web Browser</span> table, browse to the location of the file you wish to import. </span>
</li><li class="li step stepexpand">
<span class="ph cmd">Click <span class="keyword wintitle">Upload and Execute</span>.</span>
</li></ol></section>
<section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>The certificate will be inserted in the <span class="keyword wintitle">Management</span>/<span class="keyword wintitle">Certificates</span> page.</section>
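<p class="p">As an added example (not part of the Media5 documentation or the DGW firmware), the following POSIX shell script generates the <span class="keyword cmdname">Cert.InstallCertificate</span> line described above: it Base64-encodes the whole certificate file, PEM armor included, on a single line as the base64/openssl commands in the Context do, double-quotes the <var class="keyword varname">FileContent</var> value, and rejects a Type other than Host/Other. The function names and the placeholder certificate are assumptions made for this example, and the 50-character name limit stated for Web import is assumed to apply to script import as well.</p>

```shell
#!/bin/sh
# Added example (not Media5's own tooling): build a Cert.InstallCertificate
# line for a DGW configuration script. FileContent must be the Base64 of the
# WHOLE certificate file (PEM armor included) and must be double-quoted.
# The sample certificate below is a constructed placeholder, not a real one.

# Write a constructed placeholder PEM file to the given path.
write_sample_cert() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
QkFTRTY0IFNBTVBMRSBDRVJUIEJPRFkgKGNvbnN0cnVjdGVkKQ==
-----END CERTIFICATE-----
EOF
}

# Single-line Base64 of a file; equivalent to 'base64 --wrap=0' but portable
# to base64 implementations that lack the --wrap option.
b64_nowrap() {
    base64 < "$1" | tr -d '\n'
}

# Usage: dgw_install_cert_line NAME TYPE FILE
#   NAME  name shown on the Management/Certificates page (assumed max 50 chars)
#   TYPE  "Host" (certifies the unit itself) or "Other" (trusted CA / peer)
#   FILE  path of the certificate file to embed
# Prints the script line on success; prints an error and returns 1 otherwise.
dgw_install_cert_line() {
    name=$1; type=$2; file=$3
    if [ "${#name}" -gt 50 ]; then
        echo "error: certificate name exceeds 50 characters" >&2; return 1
    fi
    case "$name" in
        *\"*) echo "error: certificate name must not contain double quotes" >&2; return 1 ;;
    esac
    case "$type" in
        Host|Other) ;;
        *) echo "error: Type must be Host or Other" >&2; return 1 ;;
    esac
    if ! grep -q -- '-----BEGIN ' "$file" 2>/dev/null; then
        echo "error: $file does not look like a PEM certificate file" >&2; return 1
    fi
    printf 'Cert.InstallCertificate Name="%s" Type="%s" FileContent="%s"\n' \
        "$name" "$type" "$(b64_nowrap "$file")"
}

# Recover the embedded file from a generated line (read from stdin), so the
# script can be checked against the original certificate before upload.
dgw_decode_filecontent() {
    sed -n 's/.*FileContent="\([^"]*\)".*/\1/p' | base64 -d
}
```

Run <code class="ph codeph">dgw_install_cert_line MyCa.crt Other myCertificate.crt</code> and paste the printed line into the script file uploaded under Management/Configuration Scripts/Execute.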
</div>
</article></article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested0" aria-labelledby="ariaid-title5" id="concept_z45_rl3_bet">
<h1 class="title topictitle1" id="ariaid-title5">Supported Certificate Types and Key Strength</h1>
<div class="body conbody"><p class="shortdesc">DGW supports the following certificate types and key strengths for TLS connections:</p>
<ul class="ul" id="concept_z45_rl3_bet__u2l_v2y_xl3_bte">
<li class="li">RSA certificates up to 4096-bit keys</li>
<li class="li">ECDSA certificates with the secp256r1, secp384r1, and secp521r1 curves
<ul class="ul" id="concept_z45_rl3_bet__u2l_v2y_xl3_btee">
<li class="li">ECDSA is supported starting from DGW 47.0</li>
</ul></li>
</ul>
<p class="p">And the following hashing algorithms:</p>
<ul class="ul" id="concept_z45_rl3_bet__u2l_v2y_xl3_bti">
<li class="li">Up to SHA-512</li>
</ul>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic reference nested0" aria-labelledby="ariaid-title6" id="reference_bh2_vbj_ybb">
<h1 class="title topictitle1" id="ariaid-title6">Trusted CA Certificate Content Example </h1>
<div class="body refbody">
<section class="section">
<pre class="pre codeblock"><code>-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----</code></pre>
</section>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic reference nested0" aria-labelledby="ariaid-title7" id="reference_j4g_nbv_gfb">
<h1 class="title topictitle1" id="ariaid-title7">Online Help</h1>
<p class="shortdesc"><span class="ph">If you are not familiar with the meaning of the fields and
buttons, click <span class="keyword wintitle">Show Help</span>, located at the upper right corner of
the Web page. When activated, the fields and buttons that offer online help
change to green and, if you hover over them, the description is displayed.</span></p>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested0" aria-labelledby="ariaid-title8" id="concept_v4k_q3h_1r">
<h1 class="title topictitle1" id="ariaid-title8">DGW Documentation</h1>
<div class="body conbody"><p class="shortdesc">Mediatrix devices are supplied with an exhaustive set of documentation. </p>
<p class="p">Mediatrix user documentation is available on the <a class="xref" href="http://documentation.media5corp.com" target="_blank">Media5 Documentation
Portal</a>.</p>
<div class="p">Several types of documents were created to clearly present the information you are looking for.
Our documentation includes:<ul class="ul" id="concept_v4k_q3h_1r__ul_bqy_cjh_1r">
<li class="li"><strong class="ph b">Release notes</strong>: Generated at each GA release, this document includes the known and
solved issues of the software. It also outlines the changes and the new features the release
includes.</li>
<li class="li"><strong class="ph b">Configuration notes</strong>: These documents are created to facilitate the configuration of a
specific use case. They address a configuration aspect we consider that most users will need to
perform. However, in some cases, a configuration note is created after receiving a question
from a customer. They provide standard step-by-step procedures detailing the values of the
parameters to use. They provide a means of validation and present some conceptual information.
The configuration notes are specifically created to guide the user through an aspect of the
configuration. </li>
<li class="li"><strong class="ph b">Technical bulletins</strong>: These documents are created to facilitate the configuration of a
specific technical action, such as performing a firmware upgrade.</li>
<li class="li"><strong class="ph b">Hardware installation guide</strong>: These documents provide the detailed procedure on how to safely and
adequately install the unit. They provide information on card installation, cable connections,
and how to access the Management interface for the first time.</li>
<li class="li"><strong class="ph b">User guide</strong>: The user guide explains how to customise to your needs the configuration
of the unit. Although this document is task oriented, it provides conceptual information to
help the user understand the purpose and impact of each task. The User Guide will provide
information such as where and how TR-069 can be configured in the Management Interface, how to
set firewalls, or how to use the CLI to configure parameters that are not available in the
Management Interface.</li>
<li class="li"><strong class="ph b">Reference guide</strong>: This exhaustive document has been created for advanced users. It
includes a description of all the parameters used by all the services of the Mediatrix units.
You will find, for example, scripts to configure a specific parameter, notification messages
sent by a service, or an action description used to create Rulesets. This document includes
reference information such as a dictionary, and it does not include any step-by-step
procedures. </li>
</ul></div>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested0" aria-labelledby="ariaid-title9" id="concept_fqm_rv4_k4">
<h1 class="title topictitle1" id="ariaid-title9">Copyright Notice</h1>
<div class="body conbody"><p class="shortdesc">Copyright © 2022 Media5 Corporation.</p>
<p class="p">This document contains information that is proprietary to Media5 Corporation.</p>
<p class="p">Media5 Corporation reserves all rights to this document as well as to the Intellectual Property
of the document and the technology and know-how that it includes and represents.</p>
<p class="p">This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever,
without written prior approval by Media5 Corporation.</p>
<p class="p">Media5 Corporation reserves the right to revise this publication and make changes at any time
and without the obligation to notify any person and/or entity of such revisions and/or
changes.</p>
</div>
</article></article></main></body></html>