Phone identity certificates
Identity certificates are used to establish the identity of a client or server during a TLS session.
Phones support the installation of an identity certificate using one of the following methods:
• Secure Certificate Enrollment Protocol (SCEP) by using the 46xxsettings.txt file parameter MYCERTURL.
SET MYCERTURL "http://192.168.0.1/ejbca/publicweb/apply/scep/pkiclient.exe"
• PKCS12 File by using the 46xxsettings.txt file parameter PKCS12URL
SET PKCS12URL http://192.168.0.1/client_$MACADDR_cert.p12
Note:
If both MYCERTURL and PKCS12URL are provided in the 46xxsettings.txt file, then PKCS12URL takes precedence over MYCERTURL.
The attributes of an identity certificate can be viewed by using a MIB browser. The following MIB
OIDs can be used for this query:
Attribute Name         MIB OID
Serial Number          endptIdentityCertSN
Subject                endptIdentityCertSubjectName
Issuer                 endptIdentityCertIssuerName
Validity               endptIdentityCertValidityPeriod
Thumbprint             endptIdentityCertFingerprint
Subject Alt Name       endptIdentityCertSubjectAlternativeName
Key Usage Extension    endptIdentityCertKeyUsageExtensions
Extended Key Usage     endptIdentityCertExtendedKeyUsage
Basic Constraints      endptIdentityCertBasicContraints
Server certificate validation
A server always provides a server certificate when the phone initiates a SIP-TLS, EAP-TLS or
HTTPS connection.
To validate the identity of a received server certificate, the phone verifies the following:
• The certificate chain up to the trusted certificate authority in TRUSTCERTS
• The signature
• The revocation status through OCSP if OCSP_ENABLED is set to 1
• Certificate validity based on the current date and the not-before and not-after attributes of the certificate
• Certificate usage restrictions
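The following added example (not Avaya's code) audits a 46xxsettings.txt file against the rules on this page: the PKCS12URL precedence over MYCERTURL, the TRUSTCERTS trust anchor, and the OCSP_ENABLED revocation switch. It assumes one `SET NAME value` statement per line, comment lines starting with `#`, and that a later SET overrides an earlier one; the sample file is constructed.

```python
import re
from urllib.parse import urlparse

SET_RE = re.compile(r'^\s*SET\s+(\w+)\s+(.*?)\s*$', re.IGNORECASE)

def parse_settings(text):
    """Return {PARAM: value} from SET lines; later lines override earlier ones."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):   # assumed comment syntax
            continue
        m = SET_RE.match(line)
        if m:
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]         # strip optional surrounding quotes
            params[m.group(1).upper()] = value
    return params

def audit(params):
    """Return findings derived from the certificate rules stated on this page."""
    findings = []
    scep, p12 = params.get("MYCERTURL"), params.get("PKCS12URL")
    if scep and p12:
        findings.append("PKCS12URL takes precedence: MYCERTURL (SCEP) is not used")
    if not scep and not p12:
        findings.append("no identity certificate source configured")
    if p12 and urlparse(p12).scheme.lower() == "http":
        findings.append("PKCS12URL is plain HTTP: no transport protection for the key bundle")
    if not params.get("TRUSTCERTS"):
        findings.append("TRUSTCERTS is not set: no trusted CA configured for chain validation")
    if params.get("OCSP_ENABLED") != "1":
        findings.append("OCSP_ENABLED is not 1: revocation status is not checked through OCSP")
    return findings

# Constructed sample file, not taken from a real deployment.
SAMPLE = '''\
## identity certificate
SET MYCERTURL "http://192.168.0.1/ejbca/publicweb/apply/scep/pkiclient.exe"
SET PKCS12URL http://192.168.0.1/client_$MACADDR_cert.p12
SET TRUSTCERTS rootCA.pem
SET OCSP_ENABLED 0
'''

if __name__ == "__main__":
    for finding in audit(parse_settings(SAMPLE)):
        print("-", finding)
```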
January 2020 Installing and Administering Avaya 9601/9608/9611G/9621G/9641G/9641GS IP
Deskphones SIP 47