User's Manual

phone or there must be a certificate chain that can be followed, which ends with a CA root
certificate installed on the IP Deskphone. In either case, there must be a trust anchor on the
IP Deskphone, which can verify the authenticity of the Signing Certificate.
The file signing certificate requires the following minimum attributes:
• Version – 3
• Key Usage – Digital signature
• Extended Key Usage – Code signing, secure e-mail
• Key – 1024 or 2048 bits
In addition, the Signing Certificate cannot be a self-signed root certificate and must have a
valid Subject Key Identifier and an Authority Key Identifier (which uniquely identifies the issuing
certificate).
You can use many commercial CAs, or open-source CAs such as OpenSSL and EJBCA, to
create and manage these certificates. The CA must meet the following requirements:
• The root certificate must be exportable in PEM format without the private key.
• The CA must be capable of issuing a Signing Certificate with the above attributes and an
exportable private key.
This requirement may need additional CA configuration. In many commercial CAs the
private key is not exportable by default. However, the Signing Certificate private key is
only required if the CA does not provide built-in support for the creation of detached
PKCS7 signatures.
Signing scripts
You can use the following scripts to generate a signed file using OpenSSL (version 0.9.8a or
greater) on Linux or Windows. The script requires the following inputs:
• Unsigned data file
- Validity fields
- Certificates
• Public Signing Certificate
• Private Key for the Signing Certificate
Important:
• The signing certificate and associated private key must be exported from the Certificate
Management system. Some Certificate Management systems (for example, Microsoft CA
Server) restrict the ability to export the private key. You must take care when you generate
certificates to ensure that you properly configure the ability to export.
You should sign the file in a secure environment because the signing certificate private key
must be accessible. If the private key is password-protected, you must enter this password to
successfully create a signature.
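The following script is an added example and is not one of the manual's own signing scripts. It assumes a POSIX shell and OpenSSL 1.1.1 or later, builds a throwaway CA and Signing Certificate (every subject name, file name and data payload is constructed for the example), checks the certificate against the minimum attributes listed above, then creates a detached PKCS7 signature over a data file and verifies it against the root certificate that would be installed on the phone, including the case where the signed file has been altered.

```sh
#!/bin/sh
# Added example, not from the Avaya manual: exercise the certificate and
# signing requirements above with OpenSSL (1.1.1 or later assumed). Every
# name, path and subject here is constructed for the example; a real
# deployment takes the Signing Certificate and key from its own CA.
set -eu
WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA plus a Signing Certificate carrying the listed attributes:
# v3, Key Usage digitalSignature, EKU codeSigning + emailProtection, 2048-bit
# key, Subject Key Identifier and Authority Key Identifier, not self-signed.
make_test_pki() {
    cat > "$WORK/ext.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_sign ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 30 \
        -extfile "$WORK/ext.cnf" -extensions v3_ca -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example File Signer" \
        -keyout "$WORK/signer.key" -out "$WORK/signer.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/signer.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -extensions v3_sign \
        -out "$WORK/signer.pem" >/dev/null 2>&1
}

# Return 0 only if certificate $1 meets the minimum attributes and chains to
# the root $2 that the phone would hold as its trust anchor.
check_signing_cert() {
    cert="$1"; root="$2"
    txt=$(openssl x509 -in "$cert" -noout -text)
    for needle in 'Version: 3' 'Digital Signature' 'Code Signing' 'E-mail Protection' \
                  'X509v3 Subject Key Identifier' 'X509v3 Authority Key Identifier'; do
        printf '%s\n' "$txt" | grep -q "$needle" \
            || { echo "signing cert lacks: $needle" >&2; return 1; }
    done
    printf '%s\n' "$txt" | grep -Eq 'Public-Key: \((1024|2048) bit\)' \
        || { echo "signing cert key must be 1024 or 2048 bits" >&2; return 1; }
    subj=$(openssl x509 -in "$cert" -noout -subject)
    iss=$(openssl x509 -in "$cert" -noout -issuer)
    [ "${subj#subject=}" != "${iss#issuer=}" ] \
        || { echo "signing cert must not be a self-signed root" >&2; return 1; }
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 \
        || { echo "signing cert does not chain to the trust anchor" >&2; return 1; }
}

# Detached PKCS7 signature over data file $1, written DER-encoded to $2.
# -binary keeps OpenSSL from applying S/MIME text canonicalisation, which
# would change the bytes that are signed.
sign_detached() {
    openssl smime -sign -binary -outform DER -in "$1" -out "$2" \
        -signer "$WORK/signer.pem" -inkey "$WORK/signer.key"
}

# Verify detached signature $2 over data $1 against the root trust anchor.
# OpenSSL's default S/MIME purpose check requires the emailProtection EKU on
# the signer certificate (the "secure e-mail" attribute listed above), so a
# code-signing-only certificate would be rejected at this step.
verify_detached() {
    openssl smime -verify -binary -inform DER -in "$2" -content "$1" \
        -CAfile "$WORK/ca.pem" -out /dev/null >/dev/null 2>&1
}

make_test_pki
check_signing_cert "$WORK/signer.pem" "$WORK/ca.pem"
printf 'constructed firmware payload, version 1\n' > "$WORK/fw.bin"   # constructed data file
sign_detached "$WORK/fw.bin" "$WORK/fw.bin.p7s"
verify_detached "$WORK/fw.bin" "$WORK/fw.bin.p7s" && echo "signature verifies"
cp "$WORK/fw.bin" "$WORK/tampered.bin"; printf 'x' >> "$WORK/tampered.bin"
verify_detached "$WORK/tampered.bin" "$WORK/fw.bin.p7s" || echo "tampered file rejected"
```

The attribute check is deliberately strict in the same places the phone is: the certificate must be v3, must carry both key identifiers so the chain can be followed, must not be its own issuer, and must verify against the root. Running the check against the throwaway root itself fails, which is the expected result for a self-signed root certificate.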
Creating a signing certificate
SIP Software for Avaya 1100 Series IP Deskphones-Administration November 2012 281