System information
Network features 391
It is possible to change the default behavior described in Procedure 107
“Installing the first customer certificate on the IP Phone” (page 390) so
that the user must enter the fingerprint of the certificate file rather than
just accept a displayed value. To do this, you must change the Security
Policy on the phone. For more information about the Security Policy, see
“Security Policy” (page 398).
All new certificates that are received and are meant to be stored on the IP
Phone must be validated. Certificates that are digitally signed and can be
authenticated using one of the certificates in the trusted certificate store
are considered validated and do not require user input. If one or more
Customer Certificates are installed in the IP Phone trusted certificate store,
any certificate that does not pass the digital authentication is rejected and
an error is logged.
If Customer Certificates are not installed in the trusted certificate store
on the IP Phone, you can use one of the following methods to manually
validate an unsigned certificate:
• Manual A (default)
• Manual B
Manual A
If the file containing a Customer Certificate is not signed, a prompt appears
on the screen with a fingerprint for the file as a whole, regardless of
the number of certificates contained in the file. If you confirm that the
fingerprint is correct, all certificates in the file validate and save. You
cannot use this method to validate Nortel certificates.
Manual A uses a 20-digit (64-bit) fingerprint. You must confirm the
fingerprint, which appears on the screen. See Figure 71 "Fingerprint
verification" (page 392).
The screen shows the file type and a prompt to install or reject the file.
After 30 seconds, the prompt times out and the certificate is automatically
rejected.
Nortel Communication Server 1000
IP Phones Fundamentals
NN43001-368 05.02 26 May 2009
Copyright © 2003-2009 Nortel Networks. All Rights Reserved.