User's Manual
Certificate installation 461
Security parameter: CERT_EXPIRE
Description: This parameter defines how expired certificates are handled. The
default behavior is to log an expired certificate and not delete it.
If a certificate is determined to be expired based on the current
system time, it cannot be used to authenticate a signature,
regardless of the value of this parameter.
Acceptable values:
DELETE_CERT—permanently delete a certificate when it expires
LOG_EXPIRE (default)—log an expired certificate but do not delete it
NO_EXPIRE_LOG—do not delete an expired certificate and log no event
The SEC_POLICY_ACCEPT and CUST_CERT_ACCEPT parameters define
how these two file types authenticate when customer certificates are not
installed. All other customer-created files that download to the phone
are automatically accepted if customer certificates are not installed.
If customer certificates are installed on the phone, then the Device
Configuration file must be signed in addition to the Security Policy and
Certificate files.
EAP-TLS
To support EAP-TLS, the phone must obtain the CA root certificate and
then request its own device certificate. Currently, the only mechanism
that can be used to complete this configuration is the Simple Certificate
Enrollment Protocol (SCEP). SCEP is a protocol that can obtain a device
certificate from a CA. SCEP is only intended to be used in conjunction with
EAP-TLS. If EAP-TLS is enabled, the SCEP client on the phone requests
a device certificate using the following process:
1. The phone sends a GetCACert request to the SCEP server.
2. The SCEP server responds with the CA certificate.
3. If the CA certificate is not already on the phone, the phone computes
and displays the certificate's fingerprint.
a. The user must accept or reject the fingerprint.
b. If the user rejects the fingerprint, the SCEP process terminates.
c. If the user accepts the fingerprint, the CA certificate is permanently
stored on the phone.
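The enrollment decision described in the steps above, as an added example that is not Nortel's phone firmware or the manual's own code: it builds the GetCACert request (the query form is the one RFC 8894 specifies for SCEP), fingerprints the returned CA certificate, and applies the accept/reject rule. The manual does not say which digest the phone uses for the fingerprint, so SHA-256 is an assumption here; the `PhoneTrustStore` class, the `user_decision` callback and the CA certificate bytes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict
from urllib.parse import urlencode

# Constructed stand-in for the DER-encoded CA certificate that a GetCACert
# response carries. Only the raw bytes matter for fingerprinting, so the
# content does not need to be a parseable X.509 structure for this demo.
SAMPLE_CA_DER = b"\x30\x82\x01\x00" + b"constructed-ca-certificate-body" * 4

# Assumption: the manual does not name the fingerprint digest; SHA-256 here.
FINGERPRINT_HASH = "sha256"


def get_ca_cert_url(scep_server: str) -> str:
    """Step 1: the GetCACert request the phone sends (RFC 8894 query form)."""
    query = urlencode({"operation": "GetCACert", "message": "CA-IDENT"})
    return f"http://{scep_server}/cgi-bin/pkiclient.exe?{query}"


def fingerprint(der: bytes) -> str:
    """Fingerprint over the exact DER bytes, shown as colon-separated hex."""
    digest = hashlib.new(FINGERPRINT_HASH, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class PhoneTrustStore:
    """Hypothetical model of the phone's permanent CA certificate store."""
    ca_certs: Dict[str, bytes] = field(default_factory=dict)  # fp -> DER

    def contains(self, der: bytes) -> bool:
        return fingerprint(der) in self.ca_certs


def scep_accept_ca_cert(store: PhoneTrustStore, ca_der: bytes,
                        user_decision: Callable[[str], bool]) -> str:
    """Steps 2-3: decide whether the CA certificate returned by the SCEP
    server may be installed. Returns the outcome as a short string."""
    fp = fingerprint(ca_der)
    # Step 3: a CA certificate already on the phone is not prompted for again.
    if fp in store.ca_certs:
        return "already-trusted"
    # Step 3a: the fingerprint is displayed and the user must accept or reject.
    if not user_decision(fp):
        # Step 3b: rejection terminates the SCEP process; nothing is stored.
        return "terminated"
    # Step 3c: acceptance stores the CA certificate permanently.
    store.ca_certs[fp] = ca_der
    return "installed"


if __name__ == "__main__":
    # Constructed out-of-band value an administrator would give the user.
    expected_fp = fingerprint(SAMPLE_CA_DER)
    store = PhoneTrustStore()
    print(get_ca_cert_url("scep.example.com"))
    print(scep_accept_ca_cert(store, SAMPLE_CA_DER, lambda fp: fp == expected_fp))
    print(scep_accept_ca_cert(store, SAMPLE_CA_DER, lambda fp: False))
```

The `user_decision` callback stands in for the person at the phone comparing the displayed fingerprint with one obtained out of band from the CA administrator; a callback that accepts unconditionally would install whatever certificate the network returned, which is exactly the check step 3a exists to prevent.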
The EAP-TLS CA root certificate is permanently installed on the phone
if it is accepted. If the SCEP process is performed at a later date (for
example, the device certificate request failed the first time), then the
Nortel Communication Server 1000
IP Phones Fundamentals
NN43001-368 05.06 30 April 2010
Copyright © 2003-2010 Nortel Networks. All Rights Reserved.