CloudEC V600R019C00 Security Maintenance (Enterprise On-premises, Only Conference)

Replacing the VP9600 Series MCU Security Certificate(V600R019C00)


Prerequisites

  • The certificate contains the root certificate (root.pem), server certificate (servercert.pem), private key (serverkey.pem), and private key password. The private key password must be set when the certificate is imported.
  • Compress the root.pem, servercert.pem, and serverkey.pem files into a ZIP package.

Context

Web browsers generally ship with built-in root CA certificates. When you replace the built-in certificate with a certificate issued by a CA, you do not need to load the root CA certificate.

  • The MCU has a built-in security certificate. To enhance system security, it is recommended that an enterprise replace the security certificate with a server certificate and private key issued by an authoritative CA in the industry. At the same time, ensure that the server certificate and private key are not obtained by unauthorized users.
  • To enhance security, periodically update the system certificate.

Creating a Security Certificate

  1. Log in to the Linux operating system as the root user. Ensure that the OpenSSL tool has been installed in the Linux operating system.
  2. Go to a specific directory.
  3. Run the following command to generate the private key file serverkey.pem.

    The default encryption password for the private key is Huawei@123. Replace the password based on the site requirements.

    openssl genrsa -aes256 -out serverkey.pem 2048

    Set the following information as prompted:

    Enter pass phrase for serverkey.pem: 
    #Enter the private key encryption password Huawei@123. 
    Verifying - Enter pass phrase for serverkey.pem: 
    #Enter the private key encryption password Huawei@123 again. 
  4. Run the following command to generate the certificate request file server.csr.

    Here, use the same private key encryption password Huawei@123 that you have set.

    openssl req -new -key serverkey.pem -out server.csr -sha256

    Set the following information as prompted:

    Enter pass phrase for serverkey.pem:
    #Enter the private key encryption password Huawei@123.
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    # Here, CN is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to UK.
    State or Province Name (full name) [Some-State]:zhejiang
    # Here, zhejiang is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to beijing.
    Locality Name (eg, city) []:hz
    # Here, hz is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to London.
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:huawei
    # Here, huawei is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to bank.
    Organizational Unit Name (eg, section) []:huawei
    # Here, huawei is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to bank.
    Common Name (eg, YOUR name) []:Joy
    # Here, Joy is used as an example. The parameter is user-defined.
    Email Address []:111111.com
    # Enter an email address. Here, 111111.com is used as an example.
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    # Enter the certificate password and the name of the company that issues the certificate. Here Huawei@123 and huawei are used as examples.
    A challenge password []:Huawei@123
    An optional company name []:huawei
  5. Send the certificate request file server.csr to a certificate authority (CA) to apply for a public key certificate. Name the obtained public key certificate file servercert.pem. Name the CA's root certificate file root.pem.
  6. Compress the obtained servercert.pem file, root.pem file, serverkey.pem file, and private key encryption password into a .zip package and name the package certificate. This package is the certificate to be imported on the web interface.
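
Before the files from steps 3 to 5 are zipped, it is worth confirming that the passphrase decrypts serverkey.pem, that servercert.pem was issued for that key, and that it chains to root.pem. The script below is an added example, not part of the Huawei procedure or tooling; the KEY_PASS environment variable, the function names, and the demo subject names are assumptions of this sketch.

```shell
#!/usr/bin/env bash
# Added example (not Huawei's tooling): sanity-check serverkey.pem, servercert.pem
# and root.pem before zipping them for import. The key passphrase is read from the
# KEY_PASS environment variable, which is an assumption of this sketch.

check_bundle() {
    dir=$1
    key="$dir/serverkey.pem"; cert="$dir/servercert.pem"; root="$dir/root.pem"
    for f in "$key" "$cert" "$root"; do
        [ -s "$f" ] || { echo "FAIL: missing or empty $f"; return 2; }
    done
    # The key must be stored encrypted (holds for traditional and PKCS#8 PEM).
    grep -q 'ENCRYPTED' "$key" || { echo "FAIL: private key is not encrypted"; return 3; }
    # The passphrase must decrypt the key.
    key_pub=$(openssl pkey -in "$key" -passin env:KEY_PASS -pubout 2>/dev/null </dev/null) \
        || { echo "FAIL: passphrase does not decrypt serverkey.pem"; return 4; }
    # The certificate returned by the CA must carry this key's public half.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "FAIL: servercert.pem is not a readable certificate"; return 5; }
    [ "$key_pub" = "$cert_pub" ] \
        || { echo "FAIL: servercert.pem was not issued for serverkey.pem"; return 6; }
    # The server certificate must chain to root.pem and be inside its validity period.
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: servercert.pem does not verify against root.pem"; return 7; }
    echo "OK: bundle in $dir is consistent"
}

# Constructed sample input: a throwaway CA and server certificate for offline testing.
make_demo_bundle() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/rootkey.pem" \
        -out "$dir/root.pem" -subj "/CN=Constructed Demo Root" -days 2 2>/dev/null &&
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$dir/serverkey.pem" 2048 2>/dev/null &&
    openssl req -new -key "$dir/serverkey.pem" -passin env:KEY_PASS -sha256 \
        -subj "/CN=mcu.example.test" -out "$dir/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/root.pem" -CAkey "$dir/rootkey.pem" \
        -CAcreateserial -sha256 -days 1 -out "$dir/servercert.pem" 2>/dev/null
}

# Usage: KEY_PASS='...' ./check_bundle.sh /path/to/cert/dir
if [ $# -gt 0 ]; then check_bundle "$1"; fi
```

A non-zero return code identifies which check failed, so the ZIP package is only built from a bundle that returns 0.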

Replacing the Original Certificate

  1. Log in to the VP9600 MCU web interface.
  2. Choose Maintenance > Import.

    The page is displayed, as shown in Figure 7-16.

    Figure 7-16 Importing System certificate
    NOTE:

    To secure its certificate, its private key must meet complexity requirements.

  3. Input Certificate password, click Select File, upload the ZIP package, and click Import.
  4. After the certificate is imported, restart the MCU as prompted.

Verification

After all the preceding operations are completed, TLS connections with the SMC and SIP server can be set up.

Updated: 2019-08-07

Document ID: EDOC1100059091
