PureConnect

  • 1.  3rd Party Provider needs signed certs for TLS sip communication

    Posted 11-04-2022 16:23
    I have a 3rd party vendor that is replacing our phone service and we are migrating to all SIP communication. We currently have TCP lines set up with the new provider and everything is working as expected; however, we will need to migrate to using TLS next. I assume this is as simple as importing and signing the 3rd party cert on the TLS tab in the Lines tab of the CIC, but I have been told by the vendor I cannot use the self-signed certs created in the CIC (the existing line certs). My assumption is that once I acquire a cert from our cert provider, I can import and use that cert; however, I have read on the forums that I want to stick with the self-signed certs that the CIC and other systems are currently using, and not try to replace all the certs in the system.

    Please let me know if I seem to have this right, and if you know any 'gotcha' issues I should be aware of.

    As always, thanks for the help in advance.
    #AskMeAnything(AMA)
    #Security
    #SIP/VoIP
    #Telephony
    #Unsure/Other

    ------------------------------
    Christopher Becker
    State of Michigan - Oakland County - WRC
    ------------------------------


  • 2.  RE: 3rd Party Provider needs signed certs for TLS sip communication

    Posted 11-07-2022 02:31
    This depends on what you want to secure. Only the SIP line to the carrier? Or are you using SIP hardphones (e.g. Polycom or AudioCodes) for the agents, which also need the certificate? Or are you using the CIC SIP softphones, and they must also get a new certificate?
    Only replacing the certificate for the SIP line (trunk) to the carrier is simple, especially if you use "always in" as the audio path. But it is nearly impossible to persuade the SIP softphone to use a 3rd party certificate.
    In my opinion it is a bad idea to connect the CIC directly to the carrier. You should use a Session Border Controller in between. This helps you with some configuration issues like "RTCP Mux" and "RTCP Feedback".
    And then you can change the certificate on the SBC and leave the CIC untouched.
    And please keep in mind: replacing a SIP line certificate has nothing to do with modifying the complete CIC-internal certificate authority.

    ------------------------------
    Andreas Tikart
    Fiebig GmbH
    ------------------------------



  • 3.  RE: 3rd Party Provider needs signed certs for TLS sip communication

    Posted 11-07-2022 09:23
    Yes - this is only from the CIC to the SIP line of the carrier. We do not have any users or additional phones; our system only takes calls and feeds them to the Interactive Attendant.

    So I gather I need to research the SBC and not be concerned with changing the internal self signed certs of the CIC.

    Thank you for the info - any additional insight is appreciated.

    ------------------------------
    Christopher Becker
    State of Michigan - Oakland County - WRC
    ------------------------------



  • 4.  RE: 3rd Party Provider needs signed certs for TLS sip communication

    Posted 11-18-2022 16:22
    Edited by Christopher Becker 11-18-2022 16:23
    So our 3rd party vendor is the provider of our SBC. They are saying that since the SBC is outside our infrastructure, I need to have line certs between their SBC and my CIC server. I have created and installed a cert from our in-house cert provider (not a cert provided by the owner of the SBC) and loaded it into the Line Cert and the Authority Cert tabs, but I am unable to connect. Checking and unchecking the 'require mutual authentication' box produces different behaviors, but neither is desired. Having the box checked causes the line to behave the same as if it is not active. I am assuming there are steps needed in the SBC to complete the handshake.

    Am I missing anything obvious?

    ------------------------------
    Christopher Becker
    State of Michigan - Oakland County - WRC
    ------------------------------
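The handshake situation described in the last two posts, as an added example (this is not code from the thread, from Genesys, or from the vendor): a shell script that builds a throwaway in-house CA, issues a "line" certificate for the CIC and a server certificate for the SBC, runs `openssl s_server` as a stand-in for the vendor's SIP/TLS listener with a client certificate required (the far side of "require mutual authentication"), and then runs the three handshakes that matter: the right Line Cert with the right Authority Cert, no client certificate offered at all, and the CIC's own internal CA still sitting in the Authority Cert tab. The hostnames sbc.example.net and cic.example.net, port 15061 (instead of 5061, so no root is needed) and TLS 1.2 are assumptions; the `openssl s_client` checks are the same ones to run against the real SBC's address on 5061.

```shell
#!/bin/sh
# Added example, not code from the thread or from Genesys/the SBC vendor.
# Builds a throwaway in-house CA, a CIC "line" cert and an SBC server cert,
# starts openssl s_server as a stand-in SBC that requires a client cert, and
# runs the handshakes a CIC admin would run against the real SBC on 5061.
# Assumed names/port: sbc.example.net, cic.example.net, 15061. Needs openssl.
set -eu

SBC_NAME=sbc.example.net      # assumed SBC hostname (must match the cert's SAN)
CIC_NAME=cic.example.net      # assumed CIC hostname
PORT=15061                    # real SIP/TLS trunks normally use 5061
WORK=$(mktemp -d)
SRV=""
trap 'kill "$SRV" 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Issue a cert for hostname $1 signed by CA $2 into files $WORK/$3.{key,crt},
# with a SAN so hostname verification can pass and EKUs for both trunk roles.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$1" > "$WORK/$3.ext"
  openssl x509 -req -days 1 -in "$WORK/$3.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -extfile "$WORK/$3.ext" -out "$WORK/$3.crt" 2>/dev/null
}

# Two CAs: the in-house CA both sides are told to trust, and a second CA that
# stands in for the CIC's own internal self-signed CA, which the SBC does not know.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=In-House CA" \
  -keyout "$WORK/inhouse-ca.key" -out "$WORK/inhouse-ca.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=CIC Internal CA" \
  -keyout "$WORK/cic-ca.key" -out "$WORK/cic-ca.crt" 2>/dev/null
issue_cert "$SBC_NAME" inhouse-ca sbc   # what the SBC presents
issue_cert "$CIC_NAME" inhouse-ca cic   # the CIC Line Cert and its key

# Stand-in SBC: presents sbc.crt, trusts only the in-house CA, and requires a
# client certificate (-Verify). -www answers and closes without reading stdin.
openssl s_server -accept "$PORT" -tls1_2 -www -cert "$WORK/sbc.crt" -key "$WORK/sbc.key" \
  -CAfile "$WORK/inhouse-ca.crt" -Verify 2 >/dev/null 2>&1 &
SRV=$!

# One TLS 1.2 handshake from the CIC side. Prints the numeric "Verify return
# code" (how the CIC side judged the SBC's cert), or "handshake-failed" when
# s_client exits non-zero because the SBC aborted (e.g. it rejected our cert).
# Exit status is used on purpose: s_client prints a verify code even on failure.
verify_code() {
  if out=$(openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -servername "$SBC_NAME" \
             -verify_hostname "$SBC_NAME" "$@" </dev/null 2>/dev/null); then
    printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\) .*/\1/p' | head -n 1
  else
    echo handshake-failed
  fi
}

# Wait until the stand-in SBC accepts connections.
n=0
until openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -CAfile "$WORK/inhouse-ca.crt" \
        -cert "$WORK/cic.crt" -key "$WORK/cic.key" </dev/null >/dev/null 2>&1; do
  n=$((n + 1)); [ "$n" -lt 30 ] || { echo "stand-in SBC did not start" >&2; exit 1; }
  sleep 1
done

# 1. Authority Cert = in-house CA, Line Cert = cic.crt: code 0, the trunk comes up.
echo "mutual auth, both trust in-house CA: $(verify_code -CAfile "$WORK/inhouse-ca.crt" \
  -cert "$WORK/cic.crt" -key "$WORK/cic.key")"
# 2. No Line Cert offered: the SBC aborts, so the line looks as if it is not active.
echo "no client cert offered:             $(verify_code -CAfile "$WORK/inhouse-ca.crt")"
# 3. Authority Cert still the CIC internal CA: the SBC's issuer is unknown to the
#    CIC side, so its cert fails validation (code 19/20/21, not 0).
echo "wrong CA in Authority Cert tab:     $(verify_code -CAfile "$WORK/cic-ca.crt" \
  -cert "$WORK/cic.crt" -key "$WORK/cic.key")"
```

Against the real SBC, the same check is `openssl s_client -connect <sbc>:5061 -tls1_2 -servername <sbc> -verify_hostname <sbc> -CAfile <issuer-of-the-SBC-cert> -cert <line.crt> -key <line.key>`. A `Verify return code: 0 (ok)` means the CIC side trusts what the SBC presents; a handshake that aborts right after the client sends its certificate means the SBC does not trust the certificate's issuer, which the vendor has to fix on their side by loading that issuer (here the in-house CA) into the SBC's trust store. Note that with TLS 1.3 the rejection of a client certificate arrives after s_client has already reported the handshake as complete, so rely on s_client's exit status, not only on the printed verify code.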


