Activating the LTE665: LTE Certificate Management

LTE685: Infrastructures for Certification Authority (CA)

Activating LTE RL10 Features

17 Activating the LTE665: LTE Certificate Management LTE685: Infrastructures for Certification Authority (CA) and Registration
Authority (RA) Features Using BTS Site
Manager
Follow this procedure to activate the features LTE665: LTE certificate management and
LTE685: Infrastructure for certification authority (CA) and registration authority (RA).
Before you start
The evolved NB must already be commissioned. The BTS Site Manager (BTSSM) can
be connected to the eNB either locally or from a remote location.
Follow this procedure for:




initial operator certificates installation

manual operator certificate update
manual operator CA certificate update

The manual operator certificate update is done using CMP initialization procedure.
Before triggering CMP initialization procedure of updating eNB operator CA certificate,
make sure the CMP/CA server policy is configured to allow a repeating CMP initialization requests for a certain eNB.

When the CMP initialization procedure is complete, all the currently established IPsec
connections are terminated and re-established using new certificates. This causes temporary interruption in the eNB operation. The CMP initialization procedure does not
affect secure connections that use TLS protocol.
When updating the operator CA certificate, it is recommended to follow the order specified in LTE RAN O&M Security. For more information of the operator CA certificate
update, see Manual operator CA certificate update, in Operating task related to LTE
RAN O&M Security.
Steps



Start the BTSSM application and establish the connection to the eNB.
For details, refer to BTS Site Manager Online Help.



Open the Certificate Management function.

Select Configuration j Certificate Management.




BTS certificates (or operator certificates) and ROOT/CA certificates can be installed
either using manual configuration or automatic configuration:
 For manual certificate installation refer to steps 3 and 4.
 For automatic certificate installation refer to steps 5 to 7.

Manual certificate installation.

Change to BTS Certificates page Install certificate item.

32

Id:0900d805809623ad
Confidential

DN0983737

Activating LTE RL10 Features





Activating the LTE665: LTE Certificate Management

LTE685: Infrastructures for Certification Authority (CA)

BTS certificate: select the path and filename of the BTS certificate file
Private key: select the path and filename of the private key file
CA certificate: select the path and filename of the CA certificate file



Click Send



Automatic certificate installation.

For automatic configuration, the operator must have a PKI infrastructure in the network.
The relevant parameters can be configured using BTSSM.
There are two optional parameters called Reference number and Pre-shared key. The
parameters are taken into account only if there are no vendor certificate present in the
eNB. Table 1 shows the system behavior regarding the optional parameters.
Vendor certificate

Reference number
and Pre-shared key

System behavior

present

configured/not configured

The eNB uses the vendor certificate

to connect to the CMP/CA server
(default use case)

not present

configured

The eNB uses the Reference

number(RefNum) and the Pre-shared
key(PSK) to authenticate itself
against the CMP/CA server. The
CMP/CA server policy must be configured to allow RefNum/PSK authentication.

not present

not configured

The eNB uses the self-signed certificate to authenticate itself against the
CMP/CA server. The CMP/CA server
policy must be configured to allow
self-signed certificates.

Table 1

System behavior for optional parameter usage

Change to Automatic Management page.

CMP/CA server item shows the elements for setting up the connection.






Address: enter IP address of CMP/CA server

Port: enter port number for CMP/CA server
CA subject name: enter the name of the CMP server
Reference number: optional parameter, enter the RefNum
Pre-shared key: optional parameter, enter the PSK

Automatic renewal item shows the elements for setting up the time limits until a certificate must be updated.




DN0983737

CA certificate and trust anchor: set the number of days for validity of CA certificate
and trust anchor
BTS certificate: set the number of days for validity of BTS certificate
CRL update interval: set the number of hours until the CRL is updated

Id:0900d805809623ad
Confidential

33

Activating the LTE665: LTE Certificate Management

LTE685: Infrastructures for Certification Authority (CA)

Activating LTE RL10 Features



Click Send button



Click Initialize Certificates and CRL button



The inserted data are automatically activated in the eNB.

Expected outcome
The new certificates are used from now on for all IPsec connections and for all new TLS
connections.
Further information
The CMP initialization procedure resets all IPsec connections and re-establishes them
with new certificates.

34

Id:0900d805809623ad
Confidential

DN0983737