Avaya 1110 Fundamentals page 397

customer's Certificate Authority (CA). The CA can be a third party CA or a self-signed root
certificate.
For certificate chaining, the TLS server or the digital file signing process must ensure that all
certificates in the chain up to, but not including, the trust anchor are provided. Otherwise, the
certificate chain cannot be validated by the phone. After one customer root certificate installs
on the phone, all customer configuration files (including additional certificate files) must be
signed or they reject without any user input or options. It is possible to install more than one
customer root certificate on the phone if more than once Certificate Authority is used.
Use the following procedure to install the first customer certificate on the IP Phone.
Installing the first customer certificate on the IP Phone
1. Export the public CA certificate in Privacy Enhanced Mail (PEM) format.
2. If you store more than one certificate in PEM format in this file, insert a blank line
3. Add a section to the configuration file for each IP Phone where FILENAME is the
4. Use DHCP or manual configuration to properly set the Provisioning Server IP
5. Reboot the IP Phone.
6. When the phone connects to the provisioning server, the [USER_KEYS] section is
7. Select Install to proceed.
8. Select Accept to install the certificate on the IP Phone.
It is possible to change the default behavior described in
on the IP Phone
rather than just accept a displayed value. To do this, you must change the Security Policy on
the phone. For more information about the Security Policy, see
Validating certificates
All new certificates that are received and are meant to be stored on the IP Phone must be
validated. Certificates that are digitally signed and can be authenticated using one of the
certificates in the trusted certificate store are considered validated and do not require user
IP Deskphones Fundamentals
The exporting process depends on the management certificate program (for
example, Microsoft CA Server, OpenSSL, EJBCA). Keep the private key secure and
do not install the private key on the phone.
to separate the certificates. See
certificate on page 408.
name of the file created in step
configuration file, see
address.
read and the file(s) downloads.
The phone displays the fingerprint of the certificate file.
For more information about certificate validation options, see
certificates on page 397.
on page 397 so that the user must enter the fingerprint of the certificate file
Figure 76: Certificate file with more than one
1 on page 397. For more information about the
Configuration file on page 403 .
Certificate installation
Validating
Installing the first customer certificate
Security Policy
February 2013
on page 404.
397