Yealink Forums
Mutual Certificates exchange using built device built in certificate




Mutual Certificates exchange using built device built in certificate - Ricardo Martins - 03-06-2015 05:21 AM

Hi Folks,

I'm trying to set my web server and phones to do mutual certificates exchange on HTTPS provisioning.

In the documentation I found:

+++++++++++++++++++++++++++++++++++++++++++++++++++
Certificates issued by Yealink Certificate Authority (CA) are pre-loaded on Yealink IP
phones and a custom certificate can be uploaded to Yealink IP phones. You can check
whether a built-in device certificate is installed on your phone via phone user interface
only. A built-in device certificate can be either a unique certificate (based on the MAC
address) or a generic certificate. Each certificate is issued by the Yealink Certificate
Authority (CA), so a server can verify that a device is truly a Yealink device (not a
malicious device or software masquerading as a Yealink device).
+++++++++++++++++++++++++++++++++++++++++++++++++++

So my question is:

1 - Where can I get the Yealink CA to load on the server side?
2 - How will my web server know that the client (phone) certificate is valid, since each device has a unique certificate?

My firmware version is v 72 and I'm trying to build a no touch provisioning. Let me know if you need more info from my side.

Thanks in advance,
Ricardo.


RE: Mutual Certificates Xchange using builtin device - James_Yealink - 03-06-2015 09:23 AM

Hi Ricardo,

1. I attached Yealink Root CA. Please check.
2. Though each phone has a unique device certificate, they are all issued by the Yealink Root CA. So you just need to import the Yealink Root CA to your browser.

Regards,
James
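
A server-side sketch of what this answer implies, added here as an example (not code from Yealink or from the posters): the TLS handshake rejects any client whose certificate does not chain to the Yealink Root CA, and a second check ties the request to one device. Assumptions: the CA file path is a placeholder, a unique device certificate carries the MAC address as its subject CN, and per-device files are named `<mac>.cfg`.

```python
import re
import ssl

# Placeholder path: the Yealink Root CA file obtained from the vendor.
YEALINK_CA_FILE = "/etc/provisioning/yealink-root-ca.pem"
MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def build_server_context(server_cert, server_key, ca_file=YEALINK_CA_FILE):
    """TLS context that refuses clients without a certificate chaining to ca_file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_cert, server_key)  # certificate the phone validates
    ctx.load_verify_locations(cafile=ca_file)     # CA used to validate the phone
    ctx.verify_mode = ssl.CERT_REQUIRED           # no valid client cert, no handshake
    return ctx


def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC address."""
    mac = re.sub(r"[:.\-]", "", value.strip().lower())
    return mac if MAC_RE.match(mac) else None


def cert_mac(peercert):
    """Read the MAC from the subject CN of an SSLSocket.getpeercert() dict.

    Assumption: unique device certificates use the MAC as CN. A generic
    certificate has no MAC there, so the result is None.
    """
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return normalize_mac(value)
    return None


def may_fetch(peercert, request_path):
    """Allow a phone to fetch only /<its-own-mac>.cfg (hypothetical file layout)."""
    m = re.fullmatch(r"/([0-9A-Fa-f]{12})\.cfg", request_path)
    mac = cert_mac(peercert)
    return bool(m and mac and m.group(1).lower() == mac)


if __name__ == "__main__":
    # Constructed sample in the shape getpeercert() returns after a handshake.
    sample = {"subject": ((("commonName", "00:11:22:AA:BB:CC"),),)}
    print(may_fetch(sample, "/001122aabbcc.cfg"), may_fetch(sample, "/001122aabbcd.cfg"))
```

Chain validation alone only shows that the client holds some certificate issued by the CA; the `may_fetch` check is what stops one device from requesting another device's configuration, and it denies generic certificates by design.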


RE: Mutual Certificates exchange using built device built in certificate - Ricardo Martins - 03-06-2015 01:47 PM

Hi James,

Thank you for the quick answer.

Two more questions for you:

1 - In order to have mutual TLS authentication, I need to load a custom CA on the phone, right (or buy one valid cert from one of the providers)? So my server can send a valid certificate to it...

2 - For provisioning, is it mandatory to have the mutual authentication enabled, or could I just check the phone's certificate using the CA root?

I want to build a no touch provisioning, without having to manually load/configure things on the phone.

Cheers,
Ricardo.


RE: Mutual Certificates exchange using built device built in certificate - James_Yealink - 03-09-2015 09:09 AM

1. Yealink phones have 30 built-in CAs; if your CA is included among them, then you needn't load it. Otherwise you have to upload a custom root certificate.
The trusted CA list can be found in this guide:
http://www.yealink.com/Upload/T2X/2014219/Using%20Security%20Certificates%20on%20Yealink%20IP%20Phones_V72.1.pdf

2. You can go to Security -> Trusted Certificate to disable "Only Accept Trusted Certificate"; then the phone won't authenticate the provision server.

Regards,
James


RE: Mutual Certificates exchange using built device built in certificate - VOIP - 03-11-2015 11:24 PM

Yealink_James,
Does Yealink offer server certificates, if we generate a CSR for you?
This way we know it will always be supported?

We are currently using trusted, but it's about to expire -


RE: Mutual Certificates exchange using built device built in certificate - James_Yealink - 03-12-2015 10:34 AM

It's possible that we offer a server certificate using your CSR.
If you need one, please send the request to your distributor.

Regards,
James


RE: Mutual Certificates exchange using built device built in certificate - Bluip_Support - 02-04-2019 06:45 PM

(03-06-2015 09:23 AM)James_Yealink Wrote:  Hi Ricardo,

1. I attached Yealink Root CA. Please check.
2. Though each phone has a unique device certificate, they are all issued by the Yealink Root CA. So you just need to import the Yealink Root CA to your browser.

Regards,
James

Hello - Do you know if this root CA is supported on all Yealink models? We have multiple Yealink products and we are planning to use mTLS using the default device client cert.