User's Manual
450 X.509 Certificates
Root certificate
This root certificate is the customer's root certificate. It is installed as part
of a configuration file or as part of the SCEP process.
Device certificate
This certificate is assigned specifically to the phone. It is installed using
the SCEP process when the phone is configured prior to the installation
process.
Certificate installation
Root certificates
The IP Phones require root certificates.
After the IP Phone powers up for the first time, the Nortel root certificates
are configured automatically.
Customer Certificates must be validated and signed. For more information
about validating Customer Certificates, see “Validating certificates”
(page 452). After you install the root certificates on the IP Phone, all
customer-created installable files, such as Customer Certificates or
Certificate Revocation Lists (CRL) must be properly signed or the IP
Phone rejects the files. The signature attached to a file must be created by
a certificate with a valid certificate chain that is rooted in the customer root
certificate. Device Configuration and Security Policy installable files are
also supported although they are rarely used. For more information about
signing the files, see “File signing” (page 454).
Installing the first customer certificate on the IP Phone
You must install customer certificates if you use EAP-TLS or EAP-PEAP.
Install a customer root certificate on the phone to provide a trust anchor
to verify a signature on a signed configuration file or to verify a certificate
presented by the server end of a TLS connection. The trust anchor must
either have issued the presented certificate or there must be a valid
certificate chain that can validate to the trust anchor. In other words, the
installed certificate is the customer’s Certificate Authority (CA). The CA can
be a third party CA or a self-signed root certificate.
For certificate chaining, the TLS server or the digital file signing process
must ensure that all certificates in the chain up to, but not including, the
trust anchor are provided. Otherwise, the certificate chain cannot be
validated by the phone. After one customer root certificate is installed on the
phone, all customer configuration files (including additional certificate
files) must be signed, or the phone rejects them without any user input or
options. It is possible to install more than one customer root certificate on
the phone if more than one Certificate Authority is used.
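The chaining requirement above can be reproduced with OpenSSL before a signed file or server certificate is deployed. This is an added example, not taken from the Nortel manual: the demo PKI, file names, and subject names are constructed, and OpenSSL stands in for the phone's validator.

```shell
#!/bin/sh
# Constructed demo PKI (all names are made up for this example):
#   root.pem = customer root (trust anchor), int.pem = issuing CA,
#   leaf.pem = certificate of the file signer or TLS server.
build_demo_pki() {
  d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  # Self-signed customer root.
  openssl req -config "$d/pki.cnf" -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo Customer Root" -extensions v3_ca \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate issued by the root, then leaf issued by the intermediate.
  issue "$d" int  "Demo Issuing CA"  root v3_ca   2 || return 1
  issue "$d" leaf "Demo File Signer" int  v3_leaf 3 || return 1
}

# issue DIR NAME CN ISSUER EXTENSIONS SERIAL
issue() {
  openssl req -config "$1/pki.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -set_serial "$6" -days 2 -extfile "$1/pki.cnf" -extensions "$5" \
    -out "$1/$2.pem" 2>/dev/null
}

# Only the leaf is presented: no path to the trust anchor can be built.
verify_leaf_only() {
  openssl verify -no-CApath -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Leaf plus intermediate presented: the chain validates to the trust anchor.
verify_with_chain() {
  openssl verify -no-CApath -CAfile "$1/root.pem" \
    -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}

d=$(mktemp -d) && build_demo_pki "$d" && {
  verify_leaf_only "$d" && echo "leaf only: accepted" || echo "leaf only: rejected"
  verify_with_chain "$d" && echo "leaf + intermediate: accepted" || echo "leaf + intermediate: rejected"
}
rm -rf "$d"
```

The `-untrusted` file plays the role of the certificates that the TLS server or signing process must supply; only `root.pem` is trusted.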
Nortel Communication Server 1000
IP Phones Fundamentals
NN43001-368 05.06 30 April 2010
Copyright © 2003-2010 Nortel Networks. All Rights Reserved.