Custom Certificate Authority

Since security is based on TLS digital certificates, it is mandatory that server certificates are signed by a known and trusted certificate authority.
If your certificate is signed by a new CA (one not present in the phone's CA list at ship time) or by your own private CA, you can import that CA's certificate and trust it.

Custom CA on Blackberry

Open Options -> Security Options -> Advanced Security Options -> Certificates
Select the CA root and trust it. PrivateGSM can now connect to your server.

Custom CA on iPhone

Connect your iPhone via USB and open it in the iTunes application.
Select your device -> "Apps" section -> scroll down and you will see a list of applications that have a shared folder.
Import a file named "cachain.pem" containing the whole certificate chain, from the Certificate Authority Root down to the server certificate, including any intermediate CA, in PEM format (ASCII format, starting with the line "-----BEGIN CERTIFICATE-----").

Restrict Certificate Authority

SSL certificate management is the key point of the SECRET security level, so PrivateGSM takes every aspect of SSL into careful consideration. You can tighten the SSL constraints further by choosing one single CA root that you particularly trust. This feature gives you some additional advantages:

  • Use certificates signed by your private internal CA, which is not known to or present on OTS devices
  • Choose one single CA root that you trust, reducing the risk that an attacker uses a compromised, but still valid, CA root to carry out a MITM attack.

Restrict CA on iPhone

Import a custom CA (see 9.2.2 "Custom CA on iPhone"). Open and edit the Sip settings, and set the setting named "Enable custom CA root" to ON.

 
