802.1x Certificates


This page summarises the requirements for the certificates used for 802.1x authentication of optiPoint and OpenStage phones.

1. Basic parameters of 802.1x certificates

 * The intended purpose (Extended Key Usage) must be "Client Authentication".
 * The key purpose is "Signature and Encryption".
 * Type: X.509 certificate, version 3.
 * The algorithm class of the private key is 0xa000 (5), ALG_CLASS_KEY_EXCHANGE (CryptoAPI).
 * sha1RSA is used by default, but other algorithms can be used provided that OpenSSL and the RADIUS platform (e.g. Windows Server 2003) support them. SHA-1 certificate signatures are deprecated and are rejected by current TLS libraries at their default security level, so prefer sha256RSA wherever the phone firmware and the RADIUS server accept it.
 * From the DLS (Deployment Service) point of view any X.509 v3 certificate is possible; the only restriction is the size (max. approx. 7 kB).

Phone certificate

 * X509v3 Extended Key Usage: Client Authentication
 * RSA Public Key: 1024 bit for optiPoint, 2048 bit for OpenStage

RADIUS certificate

 * RSA Public Key: 2048 bit
 * X509v3 extensions:
   * X509v3 Key Usage: critical, Digital Signature, Key Encipherment, Key Agreement, Certificate Sign
   * X509v3 Extended Key Usage: Server Authentication, Client Authentication
 * Caveat: RFC 5280 permits the Certificate Sign bit only together with CA:TRUE in Basic Constraints, and a strict validator may reject an end-entity certificate that carries it. A RADIUS server does not need it for EAP-TLS, so leave it out unless the RADIUS server's documentation explicitly requires it.

SubCA certificate

 * RSA Public Key: 2048 or 4096 bit
 * X509v3 extensions:
   * X509v3 Basic Constraints: critical, CA:TRUE
   * X509v3 Key Usage: critical, Digital Signature, Certificate Sign, CRL Sign

RootCA certificate

 * RSA Public Key: 2048 or 4096 bit
 * X509v3 extensions:
   * X509v3 Basic Constraints: critical, CA:TRUE
   * X509v3 Key Usage: critical, Digital Signature, Certificate Sign, CRL Sign
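The following script is an added example, not part of this page nor of the phone or DLS software: it builds a small test PKI with OpenSSL whose root CA, sub CA, RADIUS and phone certificates carry the extensions listed in this section, and packs the phone certificate, its chain and private key into a PKCS#12 container. It assumes OpenSSL 1.1.1 or later on the path; the subjects, the output directory, the password and the UPN placed in the phone's subjectAltName are made up for the example. It deliberately deviates from the page in two places: signatures use SHA-256 rather than sha1RSA, and the RADIUS certificate is issued without the Certificate Sign bit because RFC 5280 only permits keyCertSign in CA certificates. The phone key size is a parameter, 1024 bit for optiPoint and 2048 bit for OpenStage.

```shell
#!/bin/sh
# Added example (not part of this page or of the phone/DLS software): build a
# test PKI with the extensions listed above and pack the phone certificate,
# its chain and private key into a PKCS#12 container. Subjects, directory,
# password and the UPN are assumptions made for the example.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
PHONE_BITS="${PHONE_BITS:-2048}"   # 1024 for optiPoint, 2048 for OpenStage
CA_BITS="${CA_BITS:-2048}"         # 2048 or 4096 (4096 grows the container towards the 7 kB DLS limit)
P12_PASS="${P12_PASS:-changeit}"   # assumed import password
DAYS=3650

# Extension profiles, one per certificate role on this page.
write_profiles() {
  cat > "$PKI_DIR/root.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$PKI_DIR/subca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # RADIUS server: keyCertSign is left out, RFC 5280 only allows it with CA:TRUE.
  cat > "$PKI_DIR/radius.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # Phone: client authentication only; the (assumed) UPN goes into the SAN as otherName.
  cat > "$PKI_DIR/phone.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:phone-001122334455@example.com
EOF
}

# new_csr NAME BITS SUBJECT: fresh RSA key plus certificate request
new_csr() {
  openssl req -new -newkey "rsa:$2" -nodes -sha256 -subj "$3" \
    -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr"
}

# sign NAME ISSUER: issue NAME.crt from NAME.csr with NAME.ext (ISSUER=self for the root)
sign() {
  if [ "$2" = self ]; then
    openssl x509 -req -sha256 -days "$DAYS" -in "$PKI_DIR/$1.csr" -signkey "$PKI_DIR/$1.key" \
      -extfile "$PKI_DIR/$1.ext" -out "$PKI_DIR/$1.crt"
  else
    openssl x509 -req -sha256 -days "$DAYS" -in "$PKI_DIR/$1.csr" -CA "$PKI_DIR/$2.crt" \
      -CAkey "$PKI_DIR/$2.key" -CAcreateserial -extfile "$PKI_DIR/$1.ext" -out "$PKI_DIR/$1.crt"
  fi
}

build_pki() {
  write_profiles
  new_csr root   "$CA_BITS"    "/O=Example/CN=Example Root CA";    sign root self
  new_csr subca  "$CA_BITS"    "/O=Example/CN=Example Issuing CA"; sign subca root
  new_csr radius 2048          "/O=Example/CN=radius.example.com"; sign radius subca
  new_csr phone  "$PHONE_BITS" "/O=Example/CN=phone-001122334455"; sign phone subca
  # Phone container: private key, phone certificate and the chain up to the root.
  cat "$PKI_DIR/subca.crt" "$PKI_DIR/root.crt" > "$PKI_DIR/chain.pem"
  openssl pkcs12 -export -name phone -inkey "$PKI_DIR/phone.key" -in "$PKI_DIR/phone.crt" \
    -certfile "$PKI_DIR/chain.pem" -passout "pass:$P12_PASS" -out "$PKI_DIR/phone.p12"
}

# key_bits CERT: RSA modulus size of the certificate's public key
key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
# has_eku CERT "TLS Web Client Authentication": 0 if that EKU name appears in the certificate
has_eku() { openssl x509 -in "$1" -noout -text | grep -q "$2"; }
# p12_certs P12: number of certificates in the container (leaf + chain)
p12_certs() { openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys | grep -c 'BEGIN CERTIFICATE'; }
# dls_size_ok P12: 0 if the container stays below the DLS limit of roughly 7 kB
dls_size_ok() { [ "$(wc -c < "$1")" -le 7168 ]; }

build_pki
openssl verify -CAfile "$PKI_DIR/root.crt" -untrusted "$PKI_DIR/subca.crt" \
  "$PKI_DIR/phone.crt" "$PKI_DIR/radius.crt"
echo "phone key $(key_bits "$PKI_DIR/phone.crt") bit, container $(wc -c < "$PKI_DIR/phone.p12") bytes in $PKI_DIR"
```

Run it as-is for the OpenStage variant; `PHONE_BITS=1024 sh build-pki.sh` produces the optiPoint variant. If an older phone firmware rejects the container, the PKCS#12 encoding is a likely cause: OpenSSL 3 defaults to AES-256-CBC with PBKDF2, and the `-legacy` option of `openssl pkcs12 -export` restores the RC2/3DES encoding that older parsers expect. The `dls_size_ok` check reflects the roughly 7 kB DLS limit stated above; with 4096-bit CA keys in the chain the container can exceed it.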

2. Rules for logon names

 * The certificate element "CommonName" must meet the requirements of Microsoft's "Rules for Logon Names" (e.g. http://technet.microsoft.com/en-us/library/bb726984.aspx) or, respectively, of the UPN (User Principal Name) format (MS Windows Server 2003, Internet Authentication Service (IAS) Operations Guide).
 * Logon names must follow these rules:
   * Local logon names must be unique on a workstation and global logon names must be unique throughout a domain.
   * Logon names can be up to 104 characters. However, it isn't practical to use logon names longer than 64 characters.
   * Every account is also given a Windows NT 4.0 (or earlier) logon name, which by default is the first 20 characters of the Windows 2000 logon name. The Windows NT 4.0 logon name must be unique throughout a domain.
   * Users logging on to the domain from Windows 2000 computers can use either their Windows 2000 logon name or their Windows NT 4.0 logon name, regardless of the domain operations mode.
   * Logon names can't contain certain characters. Invalid characters are " / \ [ ] : ; | = , + * ? < >
   * Logon names can contain all other special characters, including spaces, periods, dashes and underscores, but it's generally not a good idea to use spaces in account names.
 * Certificates on wired client computers: for the user and computer certificates installed on wired client computers, the following must be true:
   * They must have a corresponding private key.
   * They must contain the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).
   * Computer certificates must be installed in the Local Computer certificate store.
   * Computer certificates must contain the FQDN of the wired client computer account in the Subject Alternative Name property.
   * User certificates must be installed in the Current User certificate store.
   * User certificates must contain the user principal name (UPN) of the user account in the Subject Alternative Name property.
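The following checker is an added example, not part of this page or of any Microsoft or Unify tooling: it applies the logon-name rules above to candidate CommonName values before they go into a certificate request (length limits, the invalid-character set, the warnings about length and spaces) and, for a list of names, reports collisions of the default Windows NT 4.0 name, i.e. names that differ only after their first 20 characters and would therefore violate the uniqueness rule. The sample names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from this page or any vendor tool): validate candidate
# logon names / CommonNames against the rules listed above and find NT 4.0
# name collisions. Sample names below are constructed for this example.
set -u

# check_logon_name NAME: 0 if acceptable, 1 if it breaks a hard rule; warnings go to stderr
check_logon_name() {
  name=$1
  len=${#name}
  if [ "$len" -eq 0 ] || [ "$len" -gt 104 ]; then
    echo "$name: length $len is outside 1..104" >&2; return 1
  fi
  # Invalid characters: " / \ [ ] : ; | = , + * ? < >  (backslash is literal inside brackets)
  if printf '%s' "$name" | grep -q '[]"/\:;|=,+*?<>[]'; then
    echo "$name: contains an invalid character" >&2; return 1
  fi
  [ "$len" -le 64 ] || echo "$name: longer than 64 characters, impractical" >&2
  case $name in *" "*) echo "$name: contains a space, not recommended" >&2;; esac
  return 0
}

# nt4_name NAME: the default pre-Windows-2000 logon name, the first 20 characters
nt4_name() { printf '%.20s\n' "$1"; }

# nt4_collisions FILE: print each NT 4.0 name that more than one line of FILE maps to
nt4_collisions() {
  while IFS= read -r n; do nt4_name "$n"; done < "$1" | sort | uniq -d
}

# Constructed sample: two long room names that only differ after character 20.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
phone-001122334455
phone-001122334466
conference-room-building-7-phone
conference-room-building-7-fax
EOF

for n in phone-001122334455 "phone:001122334455" 'lobby\phone'; do
  if check_logon_name "$n"; then echo "ok:  $n"; else echo "bad: $n"; fi
done
echo "NT 4.0 name collisions in sample list:"
nt4_collisions "$SAMPLE"
```

The collision check is the part people miss: both room names above pass every per-name rule, yet they map to the same 20-character NT 4.0 name "conference-room-buil", so the second account cannot be created in the domain. Run the list of planned phone CNs through `nt4_collisions` before enrolling.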

3. Differences between optiPoint and OpenStage

 * optiPoint SIP/HFA:
   * Phone certificate (certificate chain + private key in a PKCS#12 container)
   * RootCA certificate (= public key = root of the RADIUS certificate chain), or
   * RADIUS certificate (= public key of the RADIUS certificate)
   * Key size: 1024 bit
 * OpenStage SIP/HFA:
   * Phone certificate (certificate chain + private key in a PKCS#12 container)
   * RootCA certificate (= public key = root of the RADIUS certificate chain)
   * Key size: max. 2048 bit; for compatibility with optiPoint it should, however, be restricted to 1024 bit. Caveat: 1024-bit RSA is no longer considered adequate (NIST SP 800-131A disallows it for signature generation), so apply this restriction only while optiPoint phones still share the same RADIUS configuration and use 2048 bit for pure OpenStage deployments.