For extra security, you may want to have the Expressway communicate with other systems (such as LDAP servers, neighbor Expressways,
or clients such as SIP endpoints and web browsers) using TLS encryption.
For this to work successfully in a connection between a client and server:
- The server must have a certificate installed that verifies its identity. The certificate must be signed by a Certificate Authority (CA).
- The client must trust the CA that signed the certificate used by the server.

The Expressway lets you install a certificate that can represent the Expressway as either a client or a server in connections
using TLS. The Expressway can also authenticate client connections (typically from a web browser) over HTTPS. You can also
upload certificate revocation lists (CRLs) for the CAs used to verify LDAP server and HTTPS client certificates.
The Expressway can generate server certificate signing requests (CSRs). This removes the need to use an external mechanism
to generate certificate requests.
For secure communications (HTTPS and SIP/TLS), we recommend that you replace the Expressway default certificate with a certificate
generated by a trusted certificate authority.

Table 1. Expressway Role in Different Connection Types

| In connections... | The Expressway acts as... |
|---|---|
| To an endpoint | TLS server. |
| To an LDAP server. | Client. |
| Between two Expressway systems. | Either Expressway may be the client. The other Expressway is the TLS server. |
| Over HTTPS. | Web browser is the client. Expressway is the server. |

TLS can be difficult to configure. For example, when using it with an LDAP server we recommend verifying that the system works
correctly over TCP, before you attempt to secure the connection with TLS. We also recommend using a third-party LDAP browser
to verify that your LDAP server is correctly configured for TLS.
Note: Be careful not to allow your CA certificates or CRLs to expire. This may cause certificates signed by those CAs to be rejected.
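
One way to act on the note above, as an added example that is not part of the Expressway documentation or Cisco tooling: a shell check that flags PEM copies of trusted CA certificates and CRLs nearing expiry. It assumes OpenSSL and GNU date; the function names and the throwaway test CA are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag CA certificates and CRLs that are close to expiry.
# Assumes OpenSSL and GNU date; function names are illustrative.

# Print the expiry time (epoch seconds) of a PEM certificate (notAfter)
# or of a PEM CRL (nextUpdate).
expiry_epoch() {
  local file=$1 field
  if grep -q 'BEGIN X509 CRL' "$file"; then
    field=$(openssl crl -in "$file" -noout -nextupdate) || return 2
  else
    field=$(openssl x509 -in "$file" -noout -enddate) || return 2
  fi
  date -u -d "${field#*=}" +%s
}

# Exit 0 when the file expires within the given number of days,
# 1 when it does not, 2 when the file cannot be parsed.
expires_within() {
  local end
  end=$(expiry_epoch "$1") || return 2
  [ $(( end - $(date -u +%s) )) -lt $(( $2 * 86400 )) ]
}

# Constructed sample data: a throwaway CA valid for 20 days and a CRL
# issued by it with nextUpdate 3 days out.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 20 \
  -subj '/CN=Constructed Test CA' \
  -keyout "$demo/ca.key" -out "$demo/ca.pem" 2>/dev/null
: > "$demo/index.txt"
printf '[ca]\ndefault_ca=c\n[c]\ndatabase=%s/index.txt\ndefault_md=sha256\n' \
  "$demo" > "$demo/ca.cnf"
openssl ca -gencrl -config "$demo/ca.cnf" -cert "$demo/ca.pem" \
  -keyfile "$demo/ca.key" -crldays 3 -out "$demo/ca.crl" 2>/dev/null

# Report anything that expires inside a 30-day warning window.
for f in "$demo/ca.pem" "$demo/ca.crl"; do
  if expires_within "$f" 30; then
    echo "WARN: $f expires within 30 days"
  fi
done
```
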
To load the trusted CA list, go to
.
To generate a CSR and/or upload the Expressway's server certificate, go to
.
Additional server certificate requirements apply when configuring your Expressway system for Unified Communications. For full
information, see Expressway Certificate Creation and Use Deployment Guide on the Expressway Configuration Guides page.