System information

Network features 389
certificate, you can be prompted to accept the root certificate fingerprint.
You can permanently save the root certificate and the device certificate in
the trusted certificate store.
It is possible to install more than one customer root certificate on the
phone if more than one Certificate Authority is used.
The IP Phone sends a request to the server to obtain a root certificate and a
device certificate.
If you configure EAP-PEAP, the root certificate is extracted from the
configuration file and stored in the trusted certificate store.
If the certificate installation fails, EAP-TLS or EAP-PEAP does not
initialize. The IP Phone does not authenticate and cannot access the
network.
802.1x EAP enhancements
This section describes 802.1x EAP enhancements for the IP Phones.
The IP Phones require root certificates.
After the IP Phone powers up for the first time, the Nortel root certificates
are configured automatically.
Customer Certificates must be validated and signed. For more information
about validating Customer Certificates, see “Validating certificates”
(page 391). After you install the root certificates on the IP Phone, all
customer-created installable files, such as Customer Certificates or
Certificate Revocation Lists (CRL) must be properly signed or the IP
Phone rejects the files. The signature attached to a file must be created by
a certificate with a valid certificate chain that is rooted in the customer root
certificate. Device Configuration and Security Policy installable files are
also supported although they are rarely used. For more information about
signing the files, see “File signing” (page 393).
Installing the first customer certificate on the IP Phone
You must install customer certificates if you use EAP-TLS or EAP-PEAP.
Install a customer root certificate on the phone to provide a trust anchor
to verify a signature on a signed configuration file or to verify a certificate
presented by the server end of a TLS connection. The trust anchor must
either have issued the presented certificate or there must be a valid
certificate chain that can validate to the trust anchor. In other words, the
installed certificate is the customer’s Certificate Authority (CA). The CA can
be a third party CA or a self-signed root certificate.
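The trust-anchor rule above, together with the signed-file requirement from the 802.1x EAP enhancements section, sketched with the OpenSSL command line. This is an added example, not Nortel tooling or the phone's own file format: the throw-away PKI, the file names and the detached SHA-256 signature are constructed assumptions.

```shell
# Added example: constructed throw-away PKI; every name below is hypothetical.
work=$(mktemp -d) && cd "$work" || exit 1
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF

# issue <name> <CN> <ext-section> <signer|self>: new key plus certificate.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
  if [ "$4" = self ]; then set -- "$1" "$3" -signkey "$1.key"
  else set -- "$1" "$3" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial; fi
  n=$1 e=$2; shift 2
  openssl x509 -req -in "$n.csr" -days 1 -extfile pki.cnf -extensions "$e" \
    "$@" -out "$n.pem" 2>/dev/null
}

# chains_to_anchor <anchor> <cert> [intermediate]: succeeds only if <cert>
# was issued by the anchor or chains to it through the given intermediate.
chains_to_anchor() {
  openssl verify -no-CApath -CAfile "$1.pem" ${3:+-untrusted "$3.pem"} \
    "$2.pem" >/dev/null 2>&1
}

# verify_signed_file <anchor> <signer> <intermediate> <file> <sig>:
# reject unless the signer chains to the anchor AND the signature matches.
verify_signed_file() {
  chains_to_anchor "$1" "$2" "$3" || return 1
  openssl x509 -in "$2.pem" -pubkey -noout > "$2.pub" || return 1
  openssl dgst -sha256 -verify "$2.pub" -signature "$5" "$4" >/dev/null 2>&1
}

issue root   "Example Customer Root" ca   self   # customer root = trust anchor
issue sub    "Example Issuing CA"    ca   root   # intermediate CA
issue signer "Example File Signer"   leaf sub    # certificate that signs files
issue rogue  "Unrelated Root"        ca   self   # not the customer's CA
printf 'constructed configuration payload\n' > device.cfg
openssl dgst -sha256 -sign signer.key -out device.sig device.cfg

verify_signed_file root  signer sub device.cfg device.sig && echo "accepted"
verify_signed_file rogue signer sub device.cfg device.sig || echo "rejected"
```

The signer is accepted only when the intermediate is supplied and the chain ends at the customer root; the same file and signature fail against any other anchor.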
Nortel Communication Server 1000
IP Phones Fundamentals
NN43001-368 05.02 26 May 2009
Copyright © 2003-2009 Nortel Networks. All Rights Reserved.