CloudEC V600R019C00 Security Maintenance (Enterprise On-premises, Only Conference)

Replacing the VP9600 Series MCU Security Certificate (V500R002C10)

Prerequisites

The server certificate and private key have been obtained by the CA.

The MCU has a built-in security certificate. To enhance system security, it is recommended that an enterprise replace the built-in certificate with a server certificate and private key issued by an authoritative CA in the industry. At the same time, ensure that the server certificate and private key are not obtained by unauthorized users.

Context

VP9000 series MCUs have four types of security certificates. Before importing a type of certificate, create a folder named certificate and compress the folder to certificate.zip. The folder for each certificate type contains the following files:

  • SIP certificate:
    • lync-root.pem
    • lync-server.pem
    • lync-private-key.pem
    • lync-private-key-password.txt
  • Browser certificate: Generally, each web browser has a root CA certificate. When you replace the built-in certificate with a CA certificate, you do not need to load the root CA certificate; you only need to load the certificate onto the MCU.
    • ssl-root.pem
    • ssl-server.pem
    • ssl-private-key.pem
    • ssl-key-password.txt
  • FTPS certificate: ftp-root.pem
  • Email certificate: smtp-root.pem

Creating a Security Certificate

  1. Log in to the Linux operating system as the root user. Ensure that the OpenSSL tool has been installed in the Linux operating system.
  2. Go to a specific directory.
  3. Run the following command to generate the private key file serverkey.pem.

    The default encryption password for the private key is Huawei@123. Replace the password based on the site requirements.

    openssl genrsa -aes256 -out serverkey.pem 2048

    Set the following information as prompted:

    Enter pass phrase for serverkey.pem: 
    #Enter the private key encryption password Huawei@123. 
    Verifying - Enter pass phrase for serverkey.pem: 
    #Enter the private key encryption password Huawei@123 again. 
  4. Run the following command to generate the certificate request file server.csr.

    Here, use the same private key encryption password Huawei@123 that you have set.

    openssl req -new -key serverkey.pem -out server.csr -sha256

    Set the following information as prompted:

    Enter pass phrase for serverkey.pem:
    #Enter the private key encryption password Huawei@123.
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    # Here, CN is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to UK.
    State or Province Name (full name) [Some-State]:zhejiang
    # Here, zhejiang is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to beijing.
    Locality Name (eg, city) []:hz
    # Here, hz is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to London.
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:huawei
    # Here, huawei is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to bank.
    Organizational Unit Name (eg, section) []:huawei
    # Here, huawei is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to bank.
    Common Name (eg, YOUR name) []:Joy
    # Here, Joy is used as an example. The parameter is user-defined.
    Email Address []:111111.com
    # Enter an email address. Here, 111111.com is used as an example.
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    # Enter the certificate password and the name of the company that issues the certificate. Here Huawei@123 and huawei are used as examples.
    A challenge password []:Huawei@123
    An optional company name []:huawei
  5. Send the certificate request file server.csr to a certificate maker to apply for a public key certificate. Name the obtained public key certificate file servercert.pem, and name the public key of the certificate-making company root.pem. If the certificate-making company returns a certificate in .p7b format or another format, convert it into the .pem format; see Table 7-2.
  6. Compress the obtained servercert.pem file, root.pem file, serverkey.pem file, and private key encryption password into a .zip package and name the package certificate. This package is the certificate to be imported on the web interface.
    NOTE:

    The names of the security certificate and private key encryption password file are the same as those in Context.
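
The checks below are an added example, not part of the original Huawei document: a shell function that validates the browser (SSL) certificate folder before it is compressed and imported. It assumes the folder already uses the file names listed in Context and that openssl and zip are installed; the function names and return codes are hypothetical.

```shell
#!/bin/sh
# Added example: pre-import checks for the browser (SSL) certificate folder.
# File names come from the "Browser certificate" list in Context.
# check_ssl_bundle, pack_ssl_bundle and the return codes are hypothetical.

check_ssl_bundle() {
    dir=$1
    root=$dir/ssl-root.pem
    cert=$dir/ssl-server.pem
    key=$dir/ssl-private-key.pem
    pw=$dir/ssl-key-password.txt

    # 1: every file listed in Context must be present and non-empty
    for f in "$root" "$cert" "$key" "$pw"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done

    # 2: the key must be stored encrypted (as produced by genrsa -aes256)
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$key" \
        || { echo "private key is not encrypted" >&2; return 2; }

    # 3: the password file must actually unlock the key
    keypub=$(openssl pkey -in "$key" -passin "file:$pw" -pubout 2>/dev/null) \
        || { echo "password file does not decrypt the key" >&2; return 3; }

    # 4: the server certificate must carry the public half of this key
    certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || certpub=
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ] \
        || { echo "certificate does not match the private key" >&2; return 4; }

    # 5: the server certificate must verify against the root and be in date
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 \
        || { echo "certificate does not verify against ssl-root.pem" >&2; return 5; }
    return 0
}

# Build certificate.zip next to the "certificate" folder only if checks pass.
pack_ssl_bundle() {
    parent=$1
    check_ssl_bundle "$parent/certificate" || return $?
    (umask 077 && cd "$parent" && zip -qr certificate.zip certificate)
}
```

Run `pack_ssl_bundle /path/to/workdir` where workdir contains the certificate folder; a non-zero return code identifies which check failed, so a mismatched key or wrong password file is caught before the MCU is restarted.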

Replacing the Original Certificate

  1. Log in to the MCU web interface.
  2. Choose Settings > Maintenance > Import.

    The Import tab page is displayed, as shown in Figure 7-15.

    Figure 7-15 Import

    NOTE:

    To secure its certificate, its private key must meet complexity requirements.

  3. In Import, select SSL certificate, click to select the certificate.zip in File path and then click Import.
  4. Restart the MCU as required.

Verification

After all the preceding operations are completed, the web interface of the VP9000 series MCU can be accessed.

Updated: 2019-08-07

Document ID: EDOC1100059091