User's Manual
1. After the IP Deskphone starts up, the IP Deskphone automatically generates a
private-public key pair for each Device Certificate Profile configured on the IP
Deskphone for SCEP.
2. The IP Deskphone uses the SCEP GetCACert command to retrieve a customer root
certificate from the CA server and prompts the administrator to validate the
certificate fingerprint before the IP Deskphone stores the root certificate
permanently on the IP Deskphone.
3. The IP Deskphone prompts the user to enter a password to be included in the
certificate request the IP Deskphone is about to generate. A password may or may
not be required depending on the configuration of the SCEP/CA server.
4. The IP Deskphone generates a device certificate request which is forwarded to the
certificate authority using the SCEP command PKCSReq.
5. After the device certificate request is approved, the CA signs the device certificate
request with the CA private key and returns the completed certificate to the
IP Deskphone.
6. The IP Deskphone stores the device certificate in the IP Deskphone memory
with the matching private key.
7. The IP Deskphone can now verify the identity of the device certificate when
requested by a server.
During the enrollment process, and before the IP Deskphone sends the device certificate
request to the CA server, the IP Deskphone prompts the administrator to enter a challenge
password. The use of a password is optional depending on the configuration of the SCEP
server. If the SCEP server is configured to not require a password, the administrator does not
enter a value and presses the OK Context-sensitive soft key.
The name included in the device certificate request is constructed using the hostname and
domain name shown in the Network Configuration screen immediately under the CA server.
If there is no hostname entered, a hostname is created using the IP Deskphone MAC address
according to the form NTIPP012345, where NTIPP is an acronym for IP Deskphone and
012345 are the last six hex digits of the MAC address. By default, the certificate request
includes a Subject Common Name in the form of hostname@domainname. The SCEP
configuration fields in each DCP provide more flexibility in the form and location of this
name.
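The default naming rule described above, together with a check a CA operator could run before approving a request, as an added example that is not part of the Avaya manual or the phone software. The function names, the inventory mapping, the domain example.com and the uppercase rendering of the MAC hex digits are assumptions.

```python
import re

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{12}$")

def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 hex digits; accepts ':', '-' or '.' separators."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Assumption: uppercase hex. The page's sample (012345) does not show the case.
    return digits.upper()

def default_hostname(mac: str) -> str:
    """Fallback hostname from the page: 'NTIPP' + last six hex digits of the MAC."""
    return "NTIPP" + normalize_mac(mac)[-6:]

def default_common_name(mac: str, domain: str, hostname: str = "") -> str:
    """Default Subject Common Name from the page: hostname@domainname."""
    host = hostname.strip() or default_hostname(mac)
    return f"{host}@{domain.strip()}"

def request_name_is_expected(requested_cn: str, inventory: dict, domain: str) -> bool:
    """Hypothetical approval check: accept a requested CN only when it equals the
    name derived from an inventory entry (MAC -> configured hostname).
    The comparison ignores case, so the hex-case assumption does not affect it."""
    expected = {default_common_name(mac, domain, host).lower()
                for mac, host in inventory.items()}
    return requested_cn.strip().lower() in expected

# Constructed sample inventory: MAC address -> configured hostname ('' = none set).
INVENTORY = {
    "00:1B:4F:01:23:45": "",
    "00-1b-4f-ab-cd-ef": "lobby-phone",
}

if __name__ == "__main__":
    for cn in ("NTIPP012345@example.com",
               "lobby-phone@example.com",
               "NTIPP999999@example.com"):
        ok = request_name_is_expected(cn, INVENTORY, "example.com")
        print(cn, "->", "approve" if ok else "hold for review")
```

A request whose Common Name matches no inventory entry is held for manual review rather than approved, which keeps an unknown device from obtaining a certificate under a name the server would trust.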
Device Certificate Authentication Considerations for SCEP
An important aspect of the device certificate request is the format and location of the name
that is requested for the device certificate. The server presented with a device certificate by
the IP Deskphone always confirms the authenticity of the certificate by verifying that the issuer
of the device certificate is trusted by the server and that the signature on the device certificate
is authentic by performing certificate chain validation. A server also performs verification based
on the name contained in the device certificate. Therefore, the name contained in the device
Certificate-based authentication
240 SIP Software for Avaya 1200 Series IP Deskphones-Administration September 2013
Comments? infodev@avaya.com