Certificate Trust List (Certificate Verification) - Avaya 1230 Administration

1200 series software
Certificate-based authentication
• Key size is greater than or equal to the value specified in the Security Policy File
• Key Algorithm is DSA
• The certificate is not revoked
• The certificate is not expired
8. If the IP Deskphone has correctly validated the device certificate, the IP Deskphone stores
the device certificate and private key in the device certificate profile specified in the
[DEV_CERT] section of the IP Deskphone memory (SFS).
• The version specified in the [DEV_CERT] section is stored in the profile for future
reference when determining if a new device certificate is available for download.
The PKCS#12 imported certificate is stored in Profile 1.

Certificate Trust List (certificate verification)

There are two methods to validate a certificate before the IP Deskphone can use it:
• Certificate Revocation List (CRL) — The number of CRL entries that can be used is limited
by the IP Deskphone memory. The IP Deskphone supports up to 100 CRL entries.
• Certificate Trust List (CTL) — The Certificate Trust List is a collection of certificates bundled
together into a file and downloaded into the IP Deskphone. The file is signed and all of the
certificates in the bundle are inherently trusted by the IP Deskphone (if the file signature is
verified). You can use the CTL in place of a CRL because in the IP Deskphone, the CTL is
much smaller than the CRL.
The IP Deskphone uses CTL to verify the various network elements such as proxy servers and
provisioning servers. For the IP Deskphone to trust any network element, the certificate of the IP
Deskphone must be added to the CTL.
The use of CTL is optional. If CTL is not installed on the IP Deskphone, the authentication of the
network element reverts to the default, which is to authenticate the certificate chain to a root
certificate trusted by the IP Deskphone.
A file is signed by appending a digital signature which is created using a Signing Certificate. The
Signing Certificate must either be directly issued by a CA root certificate installed on the IP
Deskphone, or there must be a certificate chain that can be followed which ends with a CA root
certificate installed on the IP Deskphone. In either case, the IP Deskphone must have a trust anchor
which can verify the authenticity of the Signing Certificate.
The file Signing Certificate requires the following minimum attributes:
• Version—3
• Key usage—Digital Signature
• Extended key usage—Code signing and secure email
• Key—1024 or 2048 bits
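
A pre-deployment check of a candidate Signing Certificate against the minimum attributes listed above, as an added example that is not taken from the Avaya manual. It parses the text printed by `openssl x509 -noout -text`; the sample certificate text, the function names, and the reading that both extended key usages must be present are assumptions.

```python
import re

# Minimum attributes the manual lists for the file Signing Certificate.
REQUIRED_VERSION = 3
REQUIRED_KEY_USAGE = {"Digital Signature"}
# OpenSSL prints the "secure email" extended key usage as "E-mail Protection".
REQUIRED_EKU = {"Code Signing", "E-mail Protection"}
ALLOWED_KEY_BITS = {1024, 2048}

# Constructed sample: trimmed `openssl x509 -noout -text` output.
SAMPLE_OK = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN = Example CTL Signer
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing, E-mail Protection
"""

def _ext_values(text, name):
    """Return the comma-separated values on the line after an extension header."""
    m = re.search(r"^\s*X509v3 %s:.*\n\s*(.+)$" % re.escape(name), text, re.M)
    return {v.strip() for v in m.group(1).split(",")} if m else set()

def check_signing_cert(text):
    """Return a list of problems; an empty list means the minimums are met."""
    problems = []
    ver = re.search(r"^\s*Version:\s*(\d+)", text, re.M)
    if not ver or int(ver.group(1)) != REQUIRED_VERSION:
        problems.append("version is not 3")
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if not bits or int(bits.group(1)) not in ALLOWED_KEY_BITS:
        problems.append("key is not 1024 or 2048 bits")
    missing_ku = REQUIRED_KEY_USAGE - _ext_values(text, "Key Usage")
    if missing_ku:
        problems.append("key usage lacks: " + ", ".join(sorted(missing_ku)))
    missing_eku = REQUIRED_EKU - _ext_values(text, "Extended Key Usage")
    if missing_eku:
        problems.append("extended key usage lacks: " + ", ".join(sorted(missing_eku)))
    return problems

if __name__ == "__main__":
    print(check_signing_cert(SAMPLE_OK) or "meets the listed minimums")
```

The check covers only the listed attributes; it does not verify that the certificate chains to a CA root certificate installed on the IP Deskphone.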
SIP Software for Avaya 1200 Series IP Deskphones-Administration
256
Comments? infodev@avaya.com
March 2015


This manual is also suitable for:

1220
