Mitel 6867i Administrator's Manual page 191

6800 series

downloads. The download of the user-provided certificates is based on a filename specified
in the configuration parameter https user certificates (Trusted Certificates Filename in the
Mitel Web UI; user-provided certificates are not configurable via the IP Phone UI). The
user-provided certificates are saved on the phone between firmware upgrades but are deleted
during a factory default (or if the configured value in the https user certificates/Trusted
Certificates Filename parameter/setting is changed or omitted).
Note: Certificates that are signed by providers other than Comodo (EssentialSSL and
4096-bit RSA), CyberTrust, DigiCert, Entrust, GoDaddy, GeoTrust, Mitel MBG,
Symantec (Class 3 Secure Server CA - G4), Thawte, TrustZone, or Verisign do not verify
on the phone by default. The user can overcome this by adding the root certificate of
their certificate provider to the user-provided certificate .PEM file.
Certificate Validation
Certificate validation is enabled by default. Validation first checks that the certificates
are well formed and signed by one of the certificates in the trusted certificate set. The phone
then checks the expiration date on the certificate and, finally, compares the name in the
certificate with the address to which it connected.
If any of these validation steps fails, the connection is rejected. Certificate validation is controlled
by three parameters, which you can configure via the configuration files, the IP Phone UI, or
the Mitel Web UI:
https validate certificates - Enables/disables validation.
https validate hostname - Enables/disables the checking of the certificate commonName against the server name.
https validate expires - Enables/disables the checking of the expiration date on the certificate.
SSL Certificate Subject Alternative Name (SAN) Support
The 6800 Series SIP phones support Subject Alternative Names (SANs) when validating SSL
certificates. SANs allow Administrators to specify a list of hostnames that can be protected by
a single SSL certificate.
When "https validate hostname" (the "Check Hostnames" option in the Web UI) is enabled,
the names defined as SANs in a certificate are matched against the phone's configured
server name. If no matches are found, the common name in the certificate is used.
The following considerations should be noted:
When matching the configured server name against names from the certificate SAN, both DNS names and IP address names from the SAN are selected. Other names such as the Service (SRV) record names are ignored.
Multiple DNS names and IP address names from the certificate SAN are supported.
If the phone's configured HTTPS server name is a DNS name, wildcard matching is supported. However, only the first label of the DNS name will be wildcard matched. The remaining labels of the DNS name are matched identically.
The first label of a DNS name from a certificate SAN can be in the following format:
Network Settings
4-38
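
The SAN matching rules described above, sketched in Python. This is an added example, not Mitel firmware code: the function names, the (type, value) representation of SAN entries, the treatment of a whole-label "*" as the only wildcard form, and the exact-match comparison for the common name are assumptions, and the certificate values are constructed.

```python
import ipaddress

def as_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def dns_match(pattern, name):
    """Compare DNS names label by label; only the first label may be a wildcard."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n):
        return False  # a wildcard never spans more than one label
    # Assumption: the wildcard is the whole first label "*".
    first_ok = p[0] == "*" or p[0] == n[0]
    return first_ok and p[1:] == n[1:]  # remaining labels matched identically

def server_name_matches(server, san, common_name):
    """san is a list of (type, value) tuples. Returns (matched, source)."""
    server_ip = as_ip(server)
    for kind, value in san:
        if kind == "IP" and server_ip is not None:
            if as_ip(value) == server_ip:
                return True, "SAN"
        elif kind == "DNS" and server_ip is None:
            if dns_match(value, server):
                return True, "SAN"
        # Any other SAN type (for example SRV names) is ignored.
    # No SAN entry matched: fall back to the common name.
    # Assumption: the common name is compared exactly, ignoring case.
    if common_name and common_name.lower() == server.lower():
        return True, "CN"
    return False, None

# Constructed certificate contents for illustration.
SAN = [("DNS", "*.voip.example.test"),
       ("IP", "192.0.2.10"),
       ("SRV", "_sips._tcp.example.test")]
CN = "legacy.example.test"

if __name__ == "__main__":
    for host in ("prov.voip.example.test", "a.prov.voip.example.test",
                 "192.0.2.10", "legacy.example.test", "_sips._tcp.example.test"):
        print(host, server_name_matches(host, SAN, CN))
```
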


This manual is also suitable for: 6865i, 6863i, 6869i, 6873i
