Using Client Certificates for User Authentication

Use

Sinch Contact Pro supports X.509 client certificates for user authentication. If client certificates are used, they must be configured for the corresponding servers and also enabled for each user account.

Note: When using Windows Server 2012 or later, setting the registry parameter SendTrustedIssuerList is recommended. For details, see SAP Note 2174821. This is required at least if the client uses several certificates, for example one for Lync.

Prerequisites

Each user requires a specific certificate. Acquire the certificates for real production use from a public CA. Always follow the instructions of your own CA.

For test and demo use, you can follow the same procedure as for acquiring server certificates, with the following exceptions:

  1. When creating the .inf file for the request, use MachineKeySet = FALSE and only OID = 1.3.6.1.5.5.7.3.2. Avoid special characters in the subject text, as the CA may not support them.

    You can use the text below as an example:

    [NewRequest]
    Subject = "CN=[common name],O=[organization],OU=[organizational unit],L=[location/city],S=[state/province],C=[country]"
    Exportable = TRUE
    KeySpec = 1
    KeyLength = 2048
    MachineKeySet = FALSE
    [EnhancedKeyUsageExtension]
    OID = 1.3.6.1.5.5.7.3.2

  2. Install the certificate on the workstation where it will be used.

Procedure

  1. To enable client certificates for Connection Server, select the Use Client Certificate check box in the IA tool during installation. This enables certificate authentication in CDT and Convergence.

  2. For Monitoring users, configure client certificates in the IIS Manager software on every server where a virtual unit with the Monitoring Web Clients software package is installed:

    1. Start Internet Information Services (IIS) Manager.

    2. In the left pane, navigate to the site that corresponds to the virtual unit with the Monitoring Web Clients software package.

    3. In the central pane, open SSL Settings.

    4. Ensure that either Accept or Require is selected under Client certificates.

    5. Click Apply in the Actions pane.

  3. To apply client certificates to user accounts, define the certificate in the System Configurator application under User Management > Users > Certificates.

  4. Make sure that the appropriate client certificate is installed on the client workstation. Refer to the certificate issuer for installation instructions.

Note:

The server must accept the client certificate. The operating system tools automatically accept certificates issued by public CAs, but if you use a self-signed certificate, you must install the certificate of the private CA on the server.
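
The following PowerShell check is an added example, not part of the original documentation or of Sinch Contact Pro. It audits the certificates in the current user's personal store against the request settings shown in Prerequisites (client authentication OID only, 2048-bit key, key in the user profile) and against local chain trust. The function name Test-ClientCertificate and the variable names are hypothetical, and .NET Framework 4.6 or later is assumed.

```powershell
# Added example, not vendor code. Function and variable names are hypothetical.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # the only OID in the .inf example
$MinKeyLength  = 2048                  # KeyLength in the .inf example

function Test-ClientCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $problems = @()

    # MachineKeySet = FALSE stores the key in the user profile, so it must be
    # available when the check runs as that user.
    if (-not $Certificate.HasPrivateKey) { $problems += 'private key not available' }

    # Collect the OIDs from the Enhanced Key Usage extension.
    $ekuOids = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    if ($ekuOids -notcontains $ClientAuthOid) { $problems += "EKU $ClientAuthOid missing" }
    if ($ekuOids.Count -gt 1) { $problems += "additional EKUs: $($ekuOids -join ', ')" }

    # RSA key length (GetRSAPublicKey returns $null for non-RSA keys).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($null -eq $rsa) { $problems += 'not an RSA key, key length not checked' }
    elseif ($rsa.KeySize -lt $MinKeyLength) { $problems += "key length $($rsa.KeySize)" }

    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems += 'outside validity period'
    }

    # Chain building fails when the issuing CA is not trusted on this machine;
    # revocation lookup failures are reported here as well.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Certificate)) {
        $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        Problems   = $problems
    }
}

Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-ClientCertificate -Certificate $_ } | Format-List
```

When the function is run on the server against the exported public certificate, the chain result shows whether the private CA is trusted there; the private-key finding is expected in that case.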