2. Table of Contents
Public Key Infrastructure (PKI) & Certificates...................................................................................................2
Trusted Certificate versus Identity Certificate .................................................................................................2
Secure Communication via TLS ........................................................................................................................2
Certificate Based Key Exchange........................................................................................................................3
Workflow for Certificates.................................................................................................................................3
System Manager as a Certificate Authority (CA)..............................................................................................4
Certificate Generation Capabilities in SMGR....................................................................................................4
3. Public Key Infrastructure (PKI) & Certificates
Certificates bind an identity to a public key.
The Certificate Authority (CA) is a trusted third party, responsible for verifying the identity of a user
and issuing a tamper resistant digital certificate for applicants.
The digital certificate is digitally signed data stating that the public-key included in the certificate
belongs to the user identified by the certificate. – The certificate signature is created by the issuing CA and
can only be validated with the issuing CA certificate.
– The signature is a hash of the certificate content which has been encrypted using the issuer’s private
key.
– The issuer’s public key must be used to decrypt the signature to extract the hash.
Trusted Certificate versus Identity Certificate
Identity Certificate and Trusted Certificate are two terms to distinguish the role of a certificate.
Identity Certificate is a certificate used to identify an application, an interface, or a device. An identity
certificate is presented to the far end as a TLS connection is being established in order to identify the
sender of this certificate.
Trusted certificate is used by the local system to verify the authenticity of an identity certificate received
from the far end on a TLS setup.
Secure Communication via TLS
All communications between the client and the servers in the Avaya Aura environment can be secured
using Transport Layer Security (TLS) protocol.
In TLS, servers are configured with an identity certificate issued by a certificate authority. – When
clients connect to servers, the server presents its identity certificate for the client to validate.
– The client checks whether the server identity certificate was issued by a certificate authority that the
client trusts.
– If the validation succeeds, a secure connection is established.
4. Certificate Based Key Exchange
Workflow for Certificates
1. Ensure that the certificate authority (CA) issuing identity certificates is trusted throughout the network.
2. Generate Certificate Signing Requests (CSR) for each server´s certificate.
3. Get the CSR´s signed by the CA.
4. On each server, install the new server identity certificate.
5. System Manager as a Certificate Authority (CA)
System Manager is by default a Root CA (self-signed root certificate) or can be setup as a Sub-CA (from
a Third-Party Certificate Authority).
Uses a third-party open source application, Enterprise Java Beans Certificate Authority (EJBCA) to issue
identity and trusted certificates to applications through Simple Certificate Enrollment Protocol (SCEP).
System Manager Trust Management provisions and manages certificates of various applications, such
as servers and devices, enabling the applications to have secure inter-element communication
System Manager generates Certificates using SHA2 as the signing algorithm and 2048 as the default
key size.
Certificate Generation Capabilities in SMGR
1. Generate a PKCS12 format keystore with the Identity certificate containing the values given in the end
entity. a. Generating a PKCS#12 file including a signed certificate and private key directly from the SMGR
UI.
b. For Products with PKCS#12 keystore import functionality.
2. Sign the given CSR and generate a PEM formatted certificate containing the values given in the end
entity. a. Creating a signed certificate directly from the SMGR UI using a CSR.
b. For Products generating the keys on their end and having the Certificate signed by the SMGR CA.