Versions Compared

Old Version 7

changes.mady.by.user Baremans, Eric

Saved on

compared with

New Version 8

changes.mady.by.user Baremans, Eric

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Section
Panel
titleColor#F85404
titleBGColor#F0F0F0
titleIntroduction

The N870 has default from the factory Client certificates installed on the device.

The Factory installed Client certificates can be found here:

Code Block
/config/ssl/gigaset_factory_cert.pem
/config/ssl/gigaset_factory_key.pem


How to check the CN:

There are 2 types of client certificates possible:

  • CN = Einstein2
  • CN = <MAC address> of the device example: CN = 7C2F80C6E5C2

The correct client certificate will have CN = <MAC address>

You can the check the CN using the following openssl command. (Executed You can execute this on the Nx70 (CLI access) or on external Linux PC, replace IP address with the IP address of your Nx70)

Code Block
openssl s_client -showcerts -connect 192.168.178.192:5061 2>/dev/null | grep -A3 "Server certificate"

Server certificate
subject=C = DE, ST = DE, L = Bocholt, O = Gigaset Communications GmbH, OU = PRO, CN = Einstein2

issuer=C = DE, ST = Germany, L = Bocholt, O = Gigaset Communications GmbH, OU = Certificate Authority, CN = Gigaset.net

Other example:

openssl s_client -showcerts -connect 192.168.178.190:5061 2>/dev/null | grep -A3 "Server certificate"

Server certificate
subject=C = DE, ST = Germany, L = Bocholt, O = Gigaset Communications GmbH, CN = 7C2F80C6E5C2

issuer=C = DE, ST = Germany, L = Bocholt, O = Gigaset Communications GmbH, OU = Certificate Authority, CN = Gigaset.net
Info

If you have an certificate with CN=Einstein2 and would need a new certificate, you can request this from Gigaset support.

Panel
titleColor#F85404
titleBGColor#F0F0F0
titleWeb-interface

The Client certificates can be uploaded from the web-interface, go to: SETTINGS - Telephony - VoIP.

Panel
titleColor#F85404
titleBGColor#F0F0F0
titleAuto-provisioning

<?xml version="1.0" encoding="UTF-8"?>
<provisioning version="1.1" productID="e2">

<firmware>

</firmware>

<nvm>

</nvm>

<custom>

<step type="certificate" url="<URL to certificate>" key="<URL to Private key>" flags="CLIENT_CERT" />

</custom>

</provisioning>


Panel
titleColor#F85404
titleBGColor#F0F0F0
titleHow to generate Client certificates

You can generate your own Client certificates on the N870 CLI if you have no access to a Linux machine.

To create self-signed client certificate you have to follow the instructions below. If you have own CA you can skip the first step.
1. Generate CA certificate and key:

Code Block
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

and follow the on-screen instructions.


2. Generate Client Key, Certificate Signing Request, and Signed Client Certificate:

Code Block
openssl genrsa -des3 -out N870.key 4096
openssl req -new -key N870.key -out N870.csr
openssl x509 -req -days 365 -in N870.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out N870.crt
openssl rsa -in N870.key -out N870_key.pem


As Common Name you can put the MAC address of the device (with capital letters).

You can download the N870.crt and N870.pem file using WinSCP.

In the WebUI you have to upload N870.crt and N870.pem files.