CloudEC V600R019C00 Security Maintenance (Enterprise On-premises, Only Conference)

Replacing the RSE6500 Security Certificate

This section describes how to replace the RSE6500 certificate, including how to apply for a security certificate and replace the certificate.

Prerequisites

Before applying for a certificate, you must create a certificate store file. Then, you can use the certificate store file to apply for a certificate from an official authority.

Background

HTTPS certificate

Generally, each web browser has a root CA certificate. When you replace the built-in certificate with a CA certificate, you do not need to load the root CA certificate.

The RSE6500 has a built-in HTTPS security certificate. To enhance system security, it is recommended that enterprises follow the requirements of an authoritative CA in the industry when setting the private key password, generating the private key, and applying for and replacing the HTTPS security certificate. Also ensure that the private key and the private key password cannot be obtained by unauthorized users.

TLS certificate

The TLS certificate is used for the SIP registration and call services. A default certificate is preset in the RSE6500. For security purposes, replace the system default certificate promptly.

NOTE:

Compress the root.pem, servercert.pem, and serverkey.pem files into a .zip package and upload the package.

Creating a Security Certificate

  1. Use PuTTY to log in to the RSE6500 in SSH mode.

    The user name is administrator, and the default password is Change_Me.

  2. Run the following commands to go to the root directory.

    shell

    su - root

    cd /

  3. Run the following command to generate the private key file serverkey.pem.

    The default encryption password for the private key is Huawei@123. Replace the password based on the site requirements.

    openssl genrsa -aes256 -out serverkey.pem 2048

    NOTE:
    Set the password of the private key file and ensure that the password meets the following requirements:
    • A string of 8 to 30 characters

    • Lowercase letters (a to z)

    • Uppercase letters (A to Z)

    • Digits (0 to 9)

    • Special characters (_~!@#$%^&*)

    Set the following information as prompted:

    Enter pass phrase for serverkey.pem:  
    #Enter the private key encryption password Huawei@123.  
    Verifying - Enter pass phrase for serverkey.pem:  
    #Enter the private key encryption password Huawei@123 again.

  4. Run the following command to generate the certificate request file server.csr.

    Here, use the same private key encryption password Huawei@123 that you have set.

    openssl req -new -key serverkey.pem -out server.csr -sha256

    Set the following information as prompted:

    Enter pass phrase for serverkey.pem:
    #Enter the private key encryption password Huawei@123.
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    # Here, CN is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to UK.
    State or Province Name (full name) [Some-State]:zhejiang
    # Here, zhejiang is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to beijing.
    Locality Name (eg, city) []:hz
    # Here, hz is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to London.
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:huawei
    # Here, huawei is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to bank.
    Organizational Unit Name (eg, section) []:huawei
    # Here, huawei is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to bank.
    Common Name (eg, YOUR name) []:Joy
    # Enter the domain name of the company that issues the certificate. Here, Joy is used as an example. 
    Email Address []:111111.com
    # Enter an email address. Here, 111111.com is used as an example.
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    # Enter the certificate password and the name of the company that issues the certificate. Here Huawei@123 and huawei are used as examples.
    A challenge password []:Huawei@123
    An optional company name []:huawei

  5. Send the certificate request file server.csr to a certificate maker to apply for a public key certificate. Name the obtained public key certificate file servercert.pem.

    Run the cat command to display the content of the server.csr file, and save the content to the local server in a file with the same name and extension.

  6. Obtain the certificate.

    • HTTPS certificate: Use a text editor to copy the text of the servercert.pem file and then the serverkey.pem file, in that order, into one file, and save the file in .pem format.
    • TLS certificate: Compress the obtained root.pem, servercert.pem, and serverkey.pem files into a .zip package.
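
    Before uploading, it is worth confirming that servercert.pem was issued for serverkey.pem and building the HTTPS file in the order given in step 6. The following is an added example, not part of the original document; the KEY_PASS environment variable, the function names, and the self-signed sample certificate are assumptions of the example.

```shell
#!/bin/sh
# Added example. The key passphrase is read from the KEY_PASS environment
# variable (assumption) so that it never appears on a command line.

# Print the public key held in an encrypted private key / in a certificate.
key_pub()  { openssl pkey -in "$1" -passin env:KEY_PASS -pubout 2>/dev/null; }
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Succeed only if the certificate carries the public key of this private key.
cert_matches_key() {
    c=$(cert_pub "$1") || return 1
    k=$(key_pub "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Build the HTTPS .pem: certificate text first, then the (still encrypted) key.
build_https_pem() {   # usage: build_https_pem servercert.pem serverkey.pem out.pem
    cert_matches_key "$1" "$2" || { echo "certificate does not match key" >&2; return 1; }
    ( umask 077; cat "$1" "$2" > "$3" )
}

# Constructed sample data: a throwaway key plus a self-signed certificate that
# stands in for the CA-issued servercert.pem.
make_sample() {       # usage: make_sample dir prefix
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$1/$2key.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/$2key.pem" -passin env:KEY_PASS -sha256 \
        -subj "/CN=rse.example.test" -days 1 -out "$1/$2cert.pem" 2>/dev/null
}

KEY_PASS='Constructed_Pass-1'; export KEY_PASS   # constructed value
work=$(mktemp -d)
make_sample "$work" server && make_sample "$work" other
build_https_pem "$work/servercert.pem" "$work/serverkey.pem" "$work/https.pem" \
    && echo "https.pem built"
build_https_pem "$work/servercert.pem" "$work/otherkey.pem" "$work/bad.pem" \
    || echo "mismatched key rejected"
```

    With real files, export KEY_PASS, skip make_sample, and call build_https_pem on the issued servercert.pem and the serverkey.pem from step 3; the output file is created with owner-only permissions because it contains the private key.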

Importing the HTTPS Certificate

  1. Log in to the RSE6500 web interface.
  2. Choose System > System Settings > Import > HTTPS.

    Figure 7-17 Importing the HTTPS Certificate

  3. Click Browse to select a .pem certificate file.
  4. Click Upload.
  5. Set the Private key.
  6. Click Deploy.

    Restart the RSE6500 as required.

Importing the TLS Certificate

  1. Log in to the RSE6500 web interface.
  2. Choose System > System Settings > Import > TLS.

    Figure 7-18 Importing the TLS Certificate

  3. Set the Certificate password.
  4. Click Browse and select the .zip certificate package.
  5. Click Upload.

    Restart the RSE6500 as required.

Verification

After all the preceding operations are completed, the web interface of the RSE6500 can be accessed.

Updated: 2019-08-07

Document ID: EDOC1100059091