Specifications
PA-001011-03-04 Aastra July 2014
To allow HTTPS connections, the web server must have a root certificate; this certificate must be
signed by a certificate authority of one form or another, which certifies that the certificate holder is
indeed the entity it claims to be. The certificate can also be self-signed.
Aastra SIP phones come with the signing certificates of:
Verisign
GeoTrust
Thawte
As a result, only certificates signed by these Certification Authorities can be verified by the phone.
Certificates signed by other providers will not verify on the phone. To overcome this
problem, the phone can be loaded with user certificates.
The following parameters allow HTTPS validation configuration.
https validate certificates
https validate expires
https validate hostname
https user certificates
Note: if you have https validate expires enabled, you must make sure that the phone
clock is set prior to using HTTPS.
When a certificate is rejected the phone displays "Bad Certificate" on the fifth line of the display for
large screen phones (6735i/6737i/6739i/55i/57i/57iCT/9480i/9480iCT) and on the third line for
small screen phones (6730i/6731i/6753i/9143i).
Note: For more information regarding HTTPS and associated certificates, please refer to the
X.509 standard at http://www.ietf.org/html.charters/pkix-charter.html .
5.3.1 User Certificates
The user has the option to upload their own certificates onto the phone. These certificates must be
uploaded in a single file in the PEM format.
The user certificates are persistent between firmware upgrades but are deleted during a factory
default.
User-provided certificates are downloaded as part of the boot time configuration downloads and are
based on a filename specified in https user certificates. The certificate file must be located
in the configuration server directory.
Note: In order to install a root certificate using HTTPS, the user must first disable verification,
since the certificate will not be in the validation chain yet.
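A pre-deployment check for the single PEM file described above, as an added example that is not part of the Aastra guide: it confirms that every block in the bundle is a complete, well-formed certificate container and flags anything else (such as a private key) before the file is placed in the configuration server directory. The function names are hypothetical, the sample data is constructed, and the check is structural only: it does not verify signatures, expiry dates or hostnames.

```python
import base64
import re

# One PEM block; the BEGIN and END labels must agree.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def der_claimed_length(der):
    """Total size claimed by the outer DER SEQUENCE header, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                       # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def lint_bundle(text):
    """Return (certificate_count, problems) for the text of a PEM bundle."""
    problems, count = [], 0
    blocks = list(PEM_BLOCK.finditer(text))
    for i, m in enumerate(blocks, 1):
        label, body = m.group(1), m.group(2)
        if label != "CERTIFICATE":          # e.g. a private key left in the file
            problems.append(f"block {i}: unexpected {label} block")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"block {i}: invalid base64")
            continue
        if der_claimed_length(der) != len(der):
            problems.append(f"block {i}: truncated or malformed DER")
            continue
        count += 1
    if text.count("-----BEGIN ") != len(blocks):
        problems.append("unterminated PEM block")
    if count == 0:
        problems.append("no certificates found")
    return count, problems

def make_pem(label, der):
    """PEM-armour some bytes; used only to build the constructed samples."""
    b64 = base64.encodebytes(der).decode().strip()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed sample: certificate-shaped DER, not a real certificate.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE = make_pem("CERTIFICATE", FAKE_DER) + make_pem("RSA PRIVATE KEY", FAKE_DER)
```

Calling lint_bundle(SAMPLE) reports one certificate and one problem, the private key block that should not be published on the configuration server.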
Example
Here is an example of a self-signed certificate; it is stored in a file called “mycertificate.pem”
located in the configuration server directory.
-----BEGIN CERTIFICATE-----
MIIDyjCCAzOgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBpTELMAkGA1UEBhMCLS0x
EjAQBgNVBAgTCVNvbWVTdGF0ZTERMA8GA1UEBxMIU29tZUNpdHkxGTAXBgNVBAoT
EFNvbWVPcmdhbml6YXRpb24xHzAdBgNVBAsTFlNvbWVPcmdhbml6YXRpb25hbFVu
aXQxEzARBgNVBAMUCm15X3RyaXhib3gxHjAcBgkqhkiG9w0BCQEWD3Jvb3RAbXlf