System information

Network features 401
user is not prompted to accept the CA root certificate because it is
already on the phone and is trusted.
4. The phone creates a certificate request using the CA certificate and a
locally generated private key.
5. The phone sends a PKCSReq message, which includes the certificate
request, to the SCEP server.
6. The SCEP server responds with either a failure status or with a
properly signed device certificate.
7. If a device certificate is returned, it is installed on the phone.
ATTENTION
After the EAP-TLS CA root certificate installs on the phone during the SCEP
process, installable customer files (Security Policy, Certificates, Device
Configuration) must be signed or the phone rejects them.

If you use the same CA for EAP-TLS and for the file signing, which Nortel
recommends, it is not necessary to install any other certificates. This
means that you are not required to add [USER_KEYS] to the configuration
file. However, if EAP-TLS is not configured, use [USER_KEYS] instead of
SCEP to install a CA root certificate.

If you use different CAs for EAP-TLS and file signing, it is also necessary
to install the CA root certificate for file signing on the phone. In this
case, the order in which you perform the configuration is important. If the
EAP-TLS CA root certificate is installed first using SCEP, the file signing
CA root certificate can be installed on the phone only if it is signed with
a certificate from the EAP-TLS certificate chain. Otherwise, it is not
possible to install the file signing root certificate on the phone.

Nortel recommends that you install the file signing certificate first because
no additional requirements are imposed on the installation of the EAP-TLS
certificate, provided it is retrieved using SCEP.
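
The installation-order rule above, modelled as an added example (not taken from the Nortel document or the phone firmware). PhoneTrustStore, its methods and the certificate names are hypothetical; signatures are represented only by issuer links, and the model assumes that an unsigned file is accepted while no CA root is installed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equals subject for a self-signed root

@dataclass
class PhoneTrustStore:  # hypothetical model, not a Nortel API; no real signature checks
    roots: dict = field(default_factory=dict)

    def _chains_to_installed_root(self, signer, chain):
        """Follow issuer links from the signing cert until an installed root is reached."""
        by_subject = {c.subject: c for c in chain}
        seen, cert = set(), signer
        while cert is not None and cert.subject not in seen:  # 'seen' guards against loops
            seen.add(cert.subject)
            if cert.subject in self.roots or cert.issuer in self.roots:
                return True
            cert = by_subject.get(cert.issuer)  # None when an intermediate is missing
        return False

    def install_via_scep(self, root):
        """SCEP retrieval: the page places no file-signing requirement on this path."""
        self.roots[root.subject] = root
        return True

    def install_via_file(self, root, signer=None, chain=()):
        """Certificate file install: must be signed once any CA root is on the phone."""
        trusted = signer is not None and self._chains_to_installed_root(signer, chain)
        if self.roots and not trusted:
            return False
        self.roots[root.subject] = root
        return True

EAP_ROOT = Cert("EAP-TLS Root CA", "EAP-TLS Root CA")  # constructed sample certificates
EAP_SUB = Cert("EAP-TLS Issuing CA", "EAP-TLS Root CA")
EAP_SIGNER = Cert("Config Signer", "EAP-TLS Issuing CA")
FILE_ROOT = Cert("File Signing Root CA", "File Signing Root CA")

def file_root_first():
    phone = PhoneTrustStore()
    return [phone.install_via_file(FILE_ROOT), phone.install_via_scep(EAP_ROOT)]
def eap_root_first(signer=None, chain=()):
    phone = PhoneTrustStore()
    return [phone.install_via_scep(EAP_ROOT), phone.install_via_file(FILE_ROOT, signer, chain)]

if __name__ == "__main__":
    print(file_root_first(), eap_root_first(), eap_root_first(EAP_SIGNER, (EAP_SUB,)))
```
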
Figure 74 "Certificate file with one certificate" (page 402) provides an
example of the certificate file with one certificate.
Nortel Communication Server 1000
IP Phones Fundamentals
NN43001-368 05.02 26 May 2009
Copyright © 2003-2009 Nortel Networks. All Rights Reserved.