Mitel Deutschland GmbH 68635RFP36U-01 用户手册
SIP-DECT OM System Manual
256
7.10 CONSOLIDATED CERTIFICATE MANAGEMENT
SIP-DECT has various secured interfaces to support secure connections for file imports from local
servers or provisioning servers. By default, the OMM Web server uses the hardcoded self-signed OMM
certificate as local certificate for encrypted AXI connections, for provisioning (mutual authentication), and
for SIP-over-TLS connections.
servers or provisioning servers. By default, the OMM Web server uses the hardcoded self-signed OMM
certificate as local certificate for encrypted AXI connections, for provisioning (mutual authentication), and
for SIP-over-TLS connections.
Certificate and authentication validation settings for these secure connections can be inherited from the
configuration file URL (see section 7.8.1).
configuration file URL (see section 7.8.1).
7.10.1 SIP OVER TLS CERTIFICATES
SIP over TLS certificates are used for secure SIP connections. The hard coded self-signed OMM
certificate is used by default, however you can import trusted certificates, a local certificate chain and a
private key file (optionally password-protected) via:
certificate is used by default, however you can import trusted certificates, a local certificate chain and a
private key file (optionally password-protected) via:
•
OMP (
System -> SIP -> Security tab)
•
OMM Web service (
System -> SIP -> Security)
•
a certificate server (usually running on a Mitel call server)
7.10.2 OMM CERTIFICATE (WEB SERVICE / AXI)
The OMM Web server uses the hard coded self-signed OMM certificate by default as the local certificate
for encrypted AXI connections.
for encrypted AXI connections.
You can overwrite the hard coded OMM certificate by importing a local certificate chain and a private key
file (optionally password-protected) via the OMP (
file (optionally password-protected) via the OMP (
System -> Advanced settings -> OMM Certificate
tab). You can also configure an OMM certificate server (
System -> Advanced settings -> OMM
Certificate server tab) to enable provisioning of OMM certificate files.
The OMM certificate will be used for incoming AXI and HTTPS connections to the OMM services. If the
OMM can be reached from the internet by a domain and an appropriate CA certificate has been
imported, no security warnings are displayed in web browsers trusting the CA root certificate.
The OMM certificate will be used for incoming AXI and HTTPS connections to the OMM services. If the
OMM can be reached from the internet by a domain and an appropriate CA certificate has been
imported, no security warnings are displayed in web browsers trusting the CA root certificate.
7.10.3 PROVISIONING CERTIFICATES
Provisioning certificates are used for secure connections to configuration or firmware file servers with
support for mutual authentication (i.e., for FTP, FTPS, and HTTPs protocols).
support for mutual authentication (i.e., for FTP, FTPS, and HTTPs protocols).
The OMM uses a trusted certificate chain to validate the server. This is required if the server has no
certificate derived from a trusted CA root certificate, where the OMM uses the Mozilla CA Certificate List.
If no server certificate is available, you can disable the validation against trusted and CA certificates.
certificate derived from a trusted CA root certificate, where the OMM uses the Mozilla CA Certificate List.
If no server certificate is available, you can disable the validation against trusted and CA certificates.
By default, the hard-coded self-signed OMM certificate is used for mutual authentication. You can
overwrite the hard coded OMM certificate by importing trusted certificates, a local certificate chain and a
private key file (optionally password-protected) via:
overwrite the hard coded OMM certificate by importing trusted certificates, a local certificate chain and a
private key file (optionally password-protected) via:
•
OMM Web service
System -> Provisioning -> Certificates page (see section 5.4.2.5)
•
OMP
System -> Provisioning -> Provisioning Certificates tab (see section 6.5.5.2)