Installation guide
Network Settings
41-001561-00 REV00 – 10.2014 4-33
HTTPS Server Certificate Validation
The HTTPS client on the IP Phones supports validation of HTTPS certificates. This feature supports the following:
• Verisign, GeoTrust, Thawte, Comodo, Entrust, and CyberTrust signed certificates
• User-provided certificates
• Checking of hostnames
• SSL Wildcard certificate (i.e. SSL certificate specifying the Common Name as a wildcard [e.g. CN=*.company.com]) support.
• Checking of certificate expiration
• Ability to disable any or all of the validation steps
• Phone displays a message when a certificate is rejected (except on check-sync operations)
All validation options are enabled by default.
Certificate Management
Mitel Provided Certificates
The phones come with root certificates from Verisign, GeoTrust, Thawte, Comodo, Entrust, and CyberTrust pre-loaded.
User Provided Certificates
The administrator has the option to upload their own certificates onto the phone. The phone downloads these certificates
in a file of .PEM format during boot time after configuration downloads. The download of the user-provided certificates
is based on a filename specified in the configuration parameter https user certificates (Trusted Certificates Filename
in the Mitel Web UI; user-provided certificates are not configurable via the IP Phone UI). The user-provided certificates are
saved on the phone between firmware upgrades but are deleted during a factory default (or if the configured value in the
https user certificates/Trusted Certificates Filename parameter/setting is changed or omitted).
Certificate Validation
Certificate validation is enabled by default. The phone first checks that the certificates are well formed and signed
by one of the certificates in the trusted certificate set. It then checks the expiration date on the certificate and, finally,
compares the name in the certificate with the address to which it connected.
If any of these validation steps fails, the connection is rejected. Certificate validation is controlled by three parameters,
which you can configure via the configuration files, the IP Phone UI, or the Mitel Web UI:
• https validate certificates - Enables/disables validation.
• https validate hostname - Enables/disables the checking of the certificate commonName against the server name.
• https validate expires - Enables/disables the checking of the expiration date on the certificate.
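The expiration and hostname checks described above can be modeled to predict which server names a wildcard certificate will cover before it is deployed. This is an added example, not Mitel firmware code; the function names are hypothetical, and the wildcard rule (leftmost label only, exactly one label) follows common TLS practice and is an assumption about the phone's behavior. Chain verification against the trusted certificate set is not modeled.

```python
from datetime import datetime, timezone


def cn_matches(common_name, host):
    """Compare a certificate commonName with the server name the phone contacts.

    Assumed rule (not documented on this page): '*' is honored only as the
    entire leftmost label and stands for exactly one label.
    """
    cn = common_name.lower().rstrip(".").split(".")
    name = host.lower().rstrip(".").split(".")
    if len(cn) != len(name) or "" in name:
        return False
    if cn[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(cn) >= 3 and cn[1:] == name[1:]
    return cn == name


def check_server_cert(common_name, not_after, host, now=None,
                      validate_hostname=True, validate_expires=True):
    """Return the list of failed checks; an empty list means both checks pass.

    The two flags mirror 'https validate hostname' and 'https validate expires'.
    Checks run in the order the guide gives: expiration first, then name.
    """
    now = now or datetime.now(timezone.utc)
    failures = []
    if validate_expires and now > not_after:
        failures.append("expired")
    if validate_hostname and not cn_matches(common_name, host):
        failures.append("hostname mismatch")
    return failures


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    expiry = datetime(2030, 1, 1, tzinfo=timezone.utc)
    for server in ("prov.company.com", "company.com", "a.b.company.com"):
        print(server, check_server_cert("*.company.com", expiry, server))
```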
User Interface
Certificate Rejection
When the phone rejects a certificate, it displays "Bad Certificate" on the LCD.
For Verisign Certificate Rejection
The phones support 2048-bit Verisign certificates. In case of a certificate error, detailed descriptions can be found in the
error message list in the phone status menu.
Note:
Certificates that are signed by providers other than Verisign, GeoTrust, Thawte, Entrust, and CyberTrust do not verify on
the phone by default. The user can overcome this by adding the root certificate of their certificate provider to the
user-provided certificate .PEM file.