User's Manual
Note:
In the descriptions above, there is reference to the certificate file containing a
single customer root certificate. While this is the most common usage, the file can
actually contain more than one certificate, where the PEM encoding for each is
appended in the file with a blank line between each. If the file’s authenticity is
successfully verified, all entities in the file are installed on the IP Deskphone.
• If the authentication of the file is successful, the customer root certificate is installed on
the IP Deskphone in the trusted certificate store.
• The command to sign a resource file using openssl is as follows:
openssl smime -sign -in unsigned_file -signer sign_cert_file -outform PEM -binary \
    -inkey sign_cert_pk_file -out tmp_signature_file
• The CUST_CERT_ACCEPT parameter is a Security Policy Parameter used to disable Customer
Certificate file signing.
• The CUST_CERT_ACCEPT – VAL_NO_CHECK parameter controls only the further signing of
customer root certificates. The first certificate must be either signed by an Avaya Trusted
Certificate or Finger Print Accepted.
Caution:
There is a security risk in not having the Trusted Certificates loaded with
VAL_NO_CHECK.
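The signing step above, together with the multi-certificate file described in the Note, can be rehearsed on a workstation before a file is provisioned. The script below is an added example, not part of the manual: the helper names, the throwaway certificates, and the local `openssl smime -verify` check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: every key and certificate here is a constructed throwaway.
set -eu

make_cert() {    # $1 = subject CN, $2 = key file (out), $3 = certificate file (out)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2" -out "$3" 2>/dev/null
}

make_bundle() {  # $1 = output file, rest = PEM certificates to combine
    out=$1; shift; : > "$out"
    for pem in "$@"; do
        # Blank line between certificates, as the Note describes.
        if [ -s "$out" ]; then echo >> "$out"; fi
        cat "$pem" >> "$out"
    done
}

count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

sign_file() {    # the manual's signing command
    # $1 = unsigned_file, $2 = sign_cert_file, $3 = sign_cert_pk_file, $4 = tmp_signature_file
    openssl smime -sign -in "$1" -signer "$2" -outform PEM -binary \
        -inkey "$3" -out "$4"
}

verify_file() {  # $1 = file, $2 = detached signature, $3 = trusted signing certificate
    # Assumed local check; exits non-zero if the content or the signer does not match.
    openssl smime -verify -in "$2" -inform PEM -content "$1" -binary \
        -CAfile "$3" -out /dev/null 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_cert "Example Signing Cert" "$d/sign_cert_pk_file" "$d/sign_cert_file"
    make_cert "Example Customer Root 1" "$d/r1.key" "$d/r1.pem"
    make_cert "Example Customer Root 2" "$d/r2.key" "$d/r2.pem"
    make_bundle "$d/unsigned_file" "$d/r1.pem" "$d/r2.pem"
    sign_file "$d/unsigned_file" "$d/sign_cert_file" "$d/sign_cert_pk_file" \
        "$d/tmp_signature_file"
    echo "certificates in file: $(count_certs "$d/unsigned_file")"
    verify_file "$d/unsigned_file" "$d/tmp_signature_file" "$d/sign_cert_file" \
        && echo "original file: signature valid"
    echo "# edited after signing" >> "$d/unsigned_file"
    verify_file "$d/unsigned_file" "$d/tmp_signature_file" "$d/sign_cert_file" \
        || echo "modified file: signature rejected"
    rm -rf "$d"
}
demo
```

The signature produced by the manual's command is detached, so any change to the certificate file after signing, including appending another certificate, requires signing it again.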
When the IP Deskphone tries to establish a secure connection (for example, HTTPS, SIP TLS)
with a server, the server provides its certificate which then must be verified by the IP
Deskphone.
The following are the possible configurations (depending on the server configuration):
1. Server can provide only its Server certificate.
2. Server can provide the entire certificate chain (up to the Root CA certificate).
In the first scenario, the IP Deskphone only needs the CA certificate which was used to sign
the Server certificate. The certificate file must be PEM encoded.
In the second scenario, every certificate in the chain must be verified. Root and Intermediate
CA certificates of the chain must be installed in the IP Deskphone Trusted Certificates store.
Certificates must be PEM encoded and combined into one file.
Device certificate installation process
A device certificate is a certificate used to prove the identity of the IP Deskphone to a server
while establishing various secure connections, such as TLS and HTTPS, between the IP
Deskphone and a server. Currently, SIP software supports installation of only one device
certificate.
Certificate-based authentication
254 SIP Software for Avaya 1100 Series IP Deskphones-Administration November 2012