Category:HowTo:Secure Web Client

From Snom User Wiki


Introduction

The snom phones D3xx, D7xx, 8xx, 7xx and m9 provide individual built-in client certificates that are unique to each phone and carry the phone's MAC address as the common name.

snom 3xx phones also provide factory client certificates, but these are not unique. All 3xx phones use the same generic certificate.

Usage

The main use of the snom phone's client certificate is to let HTTPS servers authenticate snom phones. This way you can provide secure provisioning by allowing only snom phones, or only certain snom phones (based on the MAC address in the common name), to access your provisioning files.

To authenticate snom phones using these client certificates, you need to install the snom root certification authority on your HTTPS server, which you can find here. See below for an example of how to install the snom root certification authority in Apache.


Storage

The factory-provisioned certificates and private keys are stored as separate read-only files on the phones, and it is not possible to replace or modify these pre-provisioned files.


Example - configuration on apache

This example was tested on Apache/2.2.9 (Debian). It is a basic configuration in which any snom phone is allowed to access any file, provided it authenticates using its built-in certificate.

  • First you need to enable HTTPS on your Apache server
  • Then, assuming your site is called example.snom.com, please edit your sites-enabled/example.snom.com file to look similar to this:
<VirtualHost *:443>

   # ..... other settings .....
   # Enable TLS and require a client certificate that chains to the CA file
   SSLEngine on
   SSLVerifyClient require
   SSLCACertificateFile /etc/apache2/ssl/ca.crt
   SSLVerifyDepth 2
   # ..... other settings .....

</VirtualHost>

In the file /etc/apache2/ssl/ca.crt, you must place the snom root certification authority, which you can find here.
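The basic configuration above admits any snom phone. The following added example (not part of the original wiki page) shows one way to restrict provisioning files to certain phones by the MAC address in the certificate common name, using mod_ssl's SSLRequire on Apache 2.2. The /provisioning path, the log file name and the MAC values are constructed placeholders, and the example assumes the common name holds the MAC as 12 upper-case hex digits without separators; check a real phone certificate for the exact form.

```apache
<VirtualHost *:443>
    ServerName example.snom.com

    SSLEngine on
    SSLCACertificateFile /etc/apache2/ssl/ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 2

    # Make a failed SSLRequire a hard denial even if another
    # access rule (e.g. "Satisfy any") would otherwise let it through.
    SSLOptions +StrictRequire

    # Record the verification result and the certificate CN (the MAC)
    # of every client, so unexpected devices show up in the log.
    # Log path is an assumption for this example.
    CustomLog /var/log/apache2/provisioning_ssl.log \
        "%h %t \"%r\" %>s %{SSL_CLIENT_VERIFY}x %{SSL_CLIENT_S_DN_CN}x"

    # Hypothetical location of the provisioning files.
    <Location /provisioning>
        # Allow only phones whose certificate CN is on this list.
        # The MAC values below are constructed placeholders.
        SSLRequire %{SSL_CLIENT_S_DN_CN} in { \
            "AABBCCDDEE01", \
            "AABBCCDDEE02" }
    </Location>
</VirtualHost>
```

Because all snom 3xx phones share the same generic certificate, a common-name allowlist like this can only tell apart the phone families that carry unique certificates.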


Known issues

There is a known issue with HTTPS firmware updates if you are using client certificate authorization, for which you will need a small workaround.

The snom root CA is used to derive an intermediary signing authority. This intermediary certificate is used to sign the phone certificates. The intermediary certificate should be provided by the phone during the authentication mechanism, but in some firmware versions there is a bug causing the phone to send only its individual certificate, thus breaking the certification chain. For this reason, as a workaround, instead of ca.crt you should use the file certs.crt that you can download here, which contains several certificates:

  • the snom root CA
  • the intermediary certificate used for the unique phone certificates (snom 8xx, 7xx and m9)
  • the intermediary certificate used for the generic phone certificates (snom 3xx)
