User's Manual
The IP Deskphone uses CTL to verify the various network elements such as proxy servers and provisioning servers. For the IP Deskphone to trust any network element, the certificate of the IP Deskphone must be added to the CTL.
The use of CTL is optional. If CTL is not installed on the IP Deskphone, the authentication of the network element reverts to the default, which is to authenticate the certificate chain to a root certificate trusted by the IP Deskphone.
A file is signed by appending a digital signature which is created using a Signing Certificate. The Signing Certificate must either be directly issued by a CA root certificate installed on the IP Deskphone, or there must be a certificate chain that can be followed which ends with a CA root certificate installed on the IP Deskphone. In either case, the IP Deskphone must have a trust anchor which can verify the authenticity of the Signing Certificate.
The file Signing Certificate requires the following minimum attributes:
• Version—3
• Key usage—Digital Signature
• Extended key usage—Code signing and secure email
• Key—1024 or 2048 bits
In addition, the Signing Certificate cannot be a self-signed root certificate and must have a valid Subject Key Identifier and an Authority Key Identifier (which uniquely identifies the issuing certificate).
Validating a certificate using the Certificate Trust List
The high-level sequence of procedures for validating a certificate using the Certificate Trust List is as follows:
1. Create the CTL file, including start date, expiry date and a list of certificates concatenated together in PEM format, so that the entire file can be signed by a trusted entity. A signed CTL file consists of the following:
   • Validity fields
     • NOT_VALID_BEFORE: 23/11/2007 11:12:13
     • NOT_VALID_AFTER: 25/10/2011 22:23:24
   • Original unsigned file content
   • Digital signature
   The parts are appended together with the validity periods first, followed by the certificates, and then by the digital signature. The signature must be in the form of a PKCS7 detached signature of the file in PEM format. A detached signature is a signature that does not embed the content that is signed.
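The following is an added example, not part of the Avaya manual, that builds a signed CTL file with the layout described above (validity fields, PEM certificates, trailing detached PKCS7 signature in PEM form) and verifies it with the openssl command-line tool; the test signing certificate carries the minimum attributes listed earlier for a file Signing Certificate. The CA and signer names, file names and validity dates are constructed for the example, and the openssl CLI is assumed to be installed.

```shell
set -e
WORK=$(mktemp -d); cd "$WORK"

# Constructed test PKI: a root CA plus a signing certificate with the manual's minimum
# attributes: v3, keyUsage digitalSignature, EKU codeSigning + emailProtection, a 2048-bit
# key, subjectKeyIdentifier and authorityKeyIdentifier, and issued by the CA (not self-signed).
make_test_pki() {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\n' > ca.cnf
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\nsubjectKeyIdentifier=hash\n' >> ca.cnf
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example CTL Root" -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=Example CTL Signer" -keyout signer.key -out signer.csr 2>/dev/null
    printf 'keyUsage=critical,digitalSignature\nextendedKeyUsage=codeSigning,emailProtection\n' > signer.ext
    printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\n' >> signer.ext
    openssl x509 -req -days 365 -in signer.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -extfile signer.ext -out signer.pem 2>/dev/null
}

# Step 1 of the procedure: validity fields first (constructed dates), then the PEM
# certificates the phone should trust (here only the test CA), concatenated into one file.
build_ctl() {
    {
        echo "NOT_VALID_BEFORE: 01/01/2020 00:00:00"
        echo "NOT_VALID_AFTER: 01/01/2035 00:00:00"
        cat ca.pem
    } > ctl.txt
}

# Detached PKCS7 signature in PEM form (-binary keeps the signed bytes exactly as written), appended last.
sign_ctl() {
    openssl smime -sign -binary -in ctl.txt -signer signer.pem -inkey signer.key \
        -outform PEM -out ctl.sig
    cat ctl.txt ctl.sig > ctl.signed
}

# Verification as the phone must perform it: split the original content from the trailing
# PKCS7 block, then check the signature and chain the signer certificate to the trusted root.
verify_ctl() {
    sed '/-----BEGIN PKCS7-----/,$d' "$1" > content.txt
    sed -n '/-----BEGIN PKCS7-----/,/-----END PKCS7-----/p' "$1" > sig.pem
    openssl smime -verify -binary -inform PEM -in sig.pem -content content.txt \
        -CAfile ca.pem -out /dev/null 2>/dev/null
}

make_test_pki; build_ctl; sign_ctl
verify_ctl ctl.signed && echo "CTL signature verified"
```

Any change to the validity lines or to a certificate after signing makes verify_ctl fail, which is the property the detached signature exists to provide.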
Certificate-based authentication
244 SIP Software for Avaya 1200 Series IP Deskphones-Administration September 2013