Hello,
I've been working on getting TLS to work for 96x1 phones with IP0500V2. Finally working, but I'm still puzzled about the certificates and names. Something I'd been looking at after a handset firmware upgrade.
Once I'd worked out that the authentication error on the handset was due to TLS being active by default rather than using the wrong extension password I did a bit of digging to see how this is set up. The docs state that the certificate is downloaded as part of the boot up process along with the 46xxsettings file etc and the name needs to be Root-CA-xxxxxxxx.pem, where xxxxxxxx matches bytes 13-16 of the Public Key of the Root CA.
I can't work out what that is, I'm sure it's simple enough if you know where to look, but I don't.
I'd been using a custom 46xxsettings file so the issue initially was that the file did not contain the cert file, therefore it was not requested and so not downloaded. By removing the file from the IPO and allowing it to auto-generate the 46xx file, I could then see the handset downloading the certificate and therefore its name. I could have just browsed to IPO once I'd deleted the custom file, but only remembered that afterwards.
Anyway, I could now see the file name and insert it into the custom 46xx file.
The phone works with TLS either way now; with no settings file it just works by itself under auto-generation, or by using the custom file with the file settings applied for the cert.
I still don't know how to derive the correct file name other than the process above. It's not always going to be practical to remove the custom file in a live environment, so looking for some guidance on how to find the right file name (bytes 13-16 of the public key of the root CA) in advance and without risk to a live system.
I appreciate most will probably not care and use the process above, but I'd like to know all the same! It's something that will be useful for me in the future. I'm a bit frustrated that the Avaya doc tells you what you need, but not how to find it.... There must be a simple way to do this.
Thanks!