Enabling certificate support
You can use Simple Certificate Enrollment Protocol (SCEP) to provide an identity certificate for use with certificate-based VPN authentication methods. The 802.1x EAP-TLS method also uses the identity certificate for authentication. When you use TLS with HTTPS, you can use the identity certificate to authenticate the phone for saving agent greetings and for performing a backup or restore. The phone stores the identity certificate and presents it during the TLS handshake as required when the phone is acting as a server; when the phone is acting as a client, it transmits the identity certificate on request. The IP Deskphones support Media Encryption (SRTP) and use built-in Avaya certificates for trust management. Trust management includes downloading certificates and managing policies for additional trusted Certificate Authorities (CAs). SCEP handles identity management for phone certificates and private keys. You can apply SCEP to your VPN operation or to standard enterprise network operation. Alternatively, you can download a PKCS #12 file that contains an identity certificate and its private key; in that case you must enter the authentication password after reboot.
Before you begin
For SCEP servers that are outside the corporate firewall, configure the phones that use a VPN connection to establish the SCEP connection through an HTTP proxy server in order to reach the SCEP server. In this instance, use the WMLPROXY system parameter to configure the HTTP proxy server.
When the phone initiates SCEP, it attempts to contact the SCEP server over HTTP, using the value of the configuration parameter MYCERTURL as the URI. SCEP supports an HTTP proxy server. The phone creates a private/public key pair in which the length of each key is equal to the value of the configuration parameter MYCERTKEYLEN. The certificate request uses the public key and the values of the configuration parameters MYCERTCAID, MYCERTCN, MYCERTDN, and SCEPPASSWORD.
About this task
You must configure the 46xxsettings.txt file on the file server with the specified parameters to use
an identity certificate to authenticate the phones.
Procedure
Configure the following parameters in the 46xxsettings.txt file:
• SET MYCERTURL <URL for enrolling with a SCEP-fronted Certificate Authority>, for example http://149.49.44.53/certsrv/mscep/mscep.dll.
• SET MYCERTCN $MACADDR.
• SET MYCERTWAIT 1.
• SET TRUSTCERTS "root_certificate".
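As an added example (not code from the Avaya guide), the following Python checker parses the SET lines of a 46xxsettings.txt file, expands $MACADDR in MYCERTCN the way the phone does when it builds its certificate request, and reports settings that would make SCEP enrollment fail or produce a weak key before the file is pushed to the file server. The sample settings, the MAC address, and the 2048-bit minimum key length are assumptions, not values the guide states.

```python
import re
from urllib.parse import urlparse

# Constructed sample of the SCEP-related SET lines (not a shipped 46xxsettings.txt).
SAMPLE_SETTINGS = """\
## identity certificate enrollment (constructed sample)
SET MYCERTURL http://scep.example.internal/certsrv/mscep/mscep.dll
SET MYCERTCN $MACADDR
SET MYCERTDN /O=Example Corp/OU=Deskphones
SET MYCERTCAID ca-ident
SET MYCERTKEYLEN 2048
SET MYCERTWAIT 1
SET SCEPPASSWORD example-challenge
SET TRUSTCERTS "root_certificate.pem"
"""

SET_LINE = re.compile(r'^\s*SET\s+(\w+)\s+"?(.*?)"?\s*$')

def parse_settings(text):
    """Return {PARAM: value} from SET lines; '#' comment lines and blanks are skipped."""
    params = {}
    for line in text.splitlines():
        m = SET_LINE.match(line)
        if m and not line.lstrip().startswith("#"):
            params[m.group(1).upper()] = m.group(2)
    return params

def enrollment_subject(params, mac):
    """Subject the phone would request: MYCERTCN with $MACADDR expanded, plus MYCERTDN."""
    cn = params.get("MYCERTCN", "").replace("$MACADDR", mac)
    dn = params.get("MYCERTDN")
    return f"CN={cn}" + (f",{dn}" if dn else "")

def check_scep_settings(params, min_keylen=2048):
    """Findings that would break or weaken enrollment; [] means the settings look sane.
    min_keylen is an assumed local policy, not a value the guide states."""
    findings = []
    url = params.get("MYCERTURL", "")
    u = urlparse(url)
    if u.scheme not in ("http", "https") or not u.netloc:
        findings.append(f"MYCERTURL must be an HTTP(S) URL, got {url!r}")
    if not params.get("MYCERTCN"):
        findings.append("MYCERTCN missing: the request would carry no subject CN")
    if not params.get("SCEPPASSWORD"):
        findings.append("SCEPPASSWORD missing: a CA that requires a challenge password rejects the request")
    if not params.get("TRUSTCERTS"):
        findings.append("TRUSTCERTS missing: the phone has no trusted CA to validate peers against")
    keylen = params.get("MYCERTKEYLEN", "unset")
    if not keylen.isdigit() or int(keylen) < min_keylen:
        findings.append(f"MYCERTKEYLEN {keylen} is below the assumed minimum of {min_keylen}")
    return findings
```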
Related links
EAP-TLS support for authentication on page 134
Administering Deskphone Options
May 2018
Installing and Administering Avaya J169/J179 IP Phone H.323
135