Mutual Certificates exchange using built device built in cetificate

[Ricardo Martins]

Hi Folks,

I'm tying to set my web server and phones to do mutual certificates exchange on HTTPS provisioning.

On the documentation i found:

+++++++++++++++++++++++++++++++++++++++++++++++++++
Certificates issued by Yealink Certificate Authority (CA) are pre-loaded on Yealink IP
phones and a custom certificate can be uploaded to Yealink IP phones. You can check
whether a built-in device certificate is installed on your phone via phone user interface
only. A built-in device certificate can be either a unique certificate (based on the MAC
address) or a generic certificate. Each certificate is issued by the Yealink Certificate
Authority (CA), so a server can verify that a device is truly a Yealink device (not a
malicious device or software masquerading as a Yealink device).
+++++++++++++++++++++++++++++++++++++++++++++++++++

So my question is:

1 - Where i cant get the Yealink CA to load on the server side ?
2 - How my webserver will know that the client(phone) certificate is valid since each device have a unique certificate ?

My firmware version is v 72 and i'm trying to build a no touch provisioning. Let me know if you need more info from my side.

Thanks in advance,
Ricardo.

[James_Yealink]

Hi Ricardo,

1. I attached Yealink Root CA. Please check.
2. Though each phone has an unique device certificate but they are all issued by Yealink Root CA. So you just need to import Yealink Root CA to your Browser.

Regards,
James

[Ricardo Martins]

Hi James,

Thank you for the quick answer.

Two more questions for you:

1 - In order to have a mutual TLS authentication i need to load a custom CA on the phone right(or buy one valid cert from one of the providers)? So my server can send a valid certificate to it...

2 - For provisioning is mandatory to have the mutual authentication enabled or i could just check the phones certificate using the CA root ?

I wan't to build a no touch provisioning, without having to manually load/configure things on the phone.

Cheers,
Ricardo.

[James_Yealink]

1. Yealink phones have 30 built-in CA, if your CA is included in it then you needn't to load. Or you have to upload a custom root certificate.
The trusted CA list can be found in this guide:
http://www.yealink.com/Upload/T2X/201421..._V72.1.pdf

2. You can go to Security-> Trusted Certificate to disable "Only Accpet Trusted Certificate", then phone won't authenticate provision server.

Regards,
James

[VOIP]

Yealink_James,
Does Yealink offer server certificates, if we generate a CSR for you?
This way we know it will always be supported?

We are currently using trusted, but its about to expire -

[James_Yealink]

It's possible that we offer server certificate using your CSR.
If you need please send the request to your distributor.

Regards,
James

[Bluip_Support]

(03-06-2015 09:23 AM)James_Yealink Wrote:  Hi Ricardo,

1. I attached Yealink Root CA. Please check.
2. Though each phone has an unique device certificate but they are all issued by Yealink Root CA. So you just need to import Yealink Root CA to your Browser.

Regards,
James

Hello - Do you know if this root CA is supported to all Yealink Models? We have multiple Yealink products and we are planning to use MTLS using default device client cert.

[tonipamies]

(03-06-2015 09:23 AM)James_Yealink Wrote:  Hi Ricardo,

1. I attached Yealink Root CA. Please check.
2. Though each phone has an unique device certificate but they are all issued by Yealink Root CA. So you just need to import Yealink Root CA to your Browser.

Regards,
James

Hi, I try this CA with Yealink T46G, and it doesn't work. Can you help me ?