Identity certificates
Identity certificates are the endpoint or server certificates. To share its identity, an endpoint
presents a public key for identification. X.509v3-compliant certificates are supported. The phone
can participate in a Public Key Infrastructure (PKI) for secure communications that use Transport
Layer Security (TLS) or that use certificates for authentication purposes. The following
mechanisms are supported for installation:
• Certificate enrollment: Creates a private key and a Certificate Signing Request (CSR). The CSR
is sent to the Certificate Authority (CA) using the manual or automatic Simple Certificate
Enrollment Protocol (SCEP) interface. The certificate is validated and accepted when the CA signs
the CSR.
• Importing key and certificate: Uses an encrypted PKCS #12 file format to import both the
private key and the corresponding certificate.
You can view the following attributes of the certificate using an SNMP MIB browser:
• Serial Number
• Subject Name
• Issuer Name
• Validity Period: notBefore and notAfter dates
• Thumbprint: Hash of the certificate
• Basic Constraints
• Subject Alternative Name
• Key Usage Extensions
• Extended Key Usage
To validate the identity of a received certificate, the following process is followed:
• Verification of certificate chain up to the trusted entity.
• Verification of the signature.
• Verification of the revocation status through OCSP.
• Verification of the certificate validity (not-before and not-after dates are checked).
• Verification of the certificate usage restrictions.
• Verification of the identity against the certificate.
Subject Alternative Field (SAN)
The SAN field simplifies server configuration. With the SAN field, you can specify additional host
names, such as IP addresses or common names, so that a single SSL certificate can be used. While
validating certificates, the phone verifies whether the presented certificate has a SAN field.
• If the certificate does not have the SAN field, the phone validates the Common Name (CN)
fields of the certificate. In this case, you need the following CN fields:
- SIP domain name
- IP address
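The validity-period and identity checks from the validation process, with the SAN-or-CN decision described above, written as an added Python example (not Avaya code). It works on the certificate dict layout returned by Python's ssl.SSLSocket.getpeercert(); the sample certificates, host names and addresses are constructed, exact matching without wildcards is a simplification, and ignoring the CN when a SAN is present is an assumption that follows the RFC 6125 convention. Chain, signature, OCSP and usage checks are outside its scope.

```python
import ipaddress
import ssl
import time

# Constructed sample certificates in the dict layout of ssl.SSLSocket.getpeercert().
CERT_NO_SAN = {
    "notBefore": "Sep  1 00:00:00 2017 GMT",
    "notAfter": "Sep  1 00:00:00 2018 GMT",
    "subject": ((("commonName", "sip.example.com"),), (("commonName", "192.0.2.10"),)),
}
CERT_WITH_SAN = dict(
    CERT_NO_SAN,
    subject=((("commonName", "legacy.example.com"),),),
    subjectAltName=(("DNS", "sip.example.com"), ("IP Address", "192.0.2.10")),
)

def check_validity(cert, now=None):
    """True when now (epoch seconds, UTC) lies inside notBefore..notAfter."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"]))

def _parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def _matches(value, expected):
    """Compare IP addresses numerically and host names case-insensitively."""
    ip_v, ip_e = _parse_ip(value), _parse_ip(expected)
    if ip_v is not None or ip_e is not None:
        return ip_v == ip_e
    return value.lower() == expected.lower()

def check_identity(cert, expected):
    """Return "SAN" or "CN" naming the field that matched, or None."""
    wanted = "DNS" if _parse_ip(expected) is None else "IP Address"
    san = cert.get("subjectAltName", ())
    if san:
        # Assumption (RFC 6125 convention): with a SAN present, the CN is ignored.
        hit = any(kind == wanted and _matches(value, expected)
                  for kind, value in san)
        return "SAN" if hit else None
    # No SAN: fall back to the CN fields, as the text describes.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _matches(value, expected):
                return "CN"
    return None
```

A certificate that carries only a CN must list every identity the client connects to (here both the SIP domain name and the IP address), which is why the text asks for both CN fields.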
Security
September 2017
Installing and Administering Avaya J129 IP Phone