Mutual Certificates exchange using built device built in certificate
Ricardo Martins
Post: #1
Mutual Certificates exchange using built device built in certificate
Hi Folks,

I'm trying to set my web server and phones to do mutual certificates exchange on HTTPS provisioning.

In the documentation I found:

+++++++++++++++++++++++++++++++++++++++++++++++++++
Certificates issued by Yealink Certificate Authority (CA) are pre-loaded on Yealink IP
phones and a custom certificate can be uploaded to Yealink IP phones. You can check
whether a built-in device certificate is installed on your phone via phone user interface
only. A built-in device certificate can be either a unique certificate (based on the MAC
address) or a generic certificate. Each certificate is issued by the Yealink Certificate
Authority (CA), so a server can verify that a device is truly a Yealink device (not a
malicious device or software masquerading as a Yealink device).
+++++++++++++++++++++++++++++++++++++++++++++++++++

So my question is:

1 - Where can I get the Yealink CA to load on the server side?
2 - How will my web server know that the client (phone) certificate is valid, since each device has a unique certificate?

My firmware version is v 72 and I'm trying to build a no touch provisioning. Let me know if you need more info from my side.

Thanks in advance,
Ricardo.
(This post was last modified: 03-06-2015 01:36 PM by Ricardo Martins.)
03-06-2015 05:21 AM
James_Yealink
Post: #2
RE: Mutual Certificates Xchange using builtin device
Hi Ricardo,

1. I attached Yealink Root CA. Please check.
2. Though each phone has a unique device certificate, they are all issued by Yealink Root CA. So you just need to import Yealink Root CA to your Browser.

Regards,
James


Attached File(s)
.zip  Yealink Equipment Issuing CA.zip (Size: 1.82 KB / Downloads: 78)
03-06-2015 09:23 AM
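An added example, not part of the original posts and not Yealink code: a server-side sketch of the check discussed above, in which the web server trusts the attached CA for client certificates and then ties each request to the device named in the verified certificate. Assumptions: the unique device certificate carries the MAC in its subject commonName, configuration files are requested as `/<mac>.cfg`, and the sample certificate dictionaries are constructed.

```python
import re
import ssl

MAC_RE = re.compile(r"[0-9a-f]{12}")
CFG_RE = re.compile(r"/([0-9A-Fa-f]{12})\.cfg")  # hypothetical URL layout

# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert()
UNIQUE = {"subject": ((("commonName", "00:15:65:0A:0B:0C"),),)}
GENERIC = {"subject": ((("commonName", "generic-device"),),)}


def build_server_context(server_cert, server_key, device_ca_file):
    """TLS context that rejects any client whose certificate does not chain
    to the CA in device_ca_file (the CA file attached in the post above)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_cert, server_key)
    ctx.load_verify_locations(cafile=device_ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a valid client cert
    return ctx


def normalise_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC."""
    mac = re.sub(r"[:.\-]", "", value or "").lower()
    return mac if MAC_RE.fullmatch(mac) else None


def cert_mac(peercert):
    """MAC taken from the subject commonName of a verified peer certificate.
    Assumption: unique device certificates put the MAC in the CN."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return normalise_mac(value)
    return None


def authorise(peercert, request_path):
    """Serve /<mac>.cfg only to the device whose certificate names that MAC.
    Chain validation proves "issued by the device CA", not which device asks."""
    match = CFG_RE.fullmatch(request_path)
    device = cert_mac(peercert)
    return bool(match) and device is not None and device == match.group(1).lower()
```

A generic (non-unique) certificate passes the TLS handshake but fails `authorise`, so per-device files are not handed to a device that cannot prove its MAC.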
Ricardo Martins
Post: #3
RE: Mutual Certificates exchange using built device built in cetificate
Hi James,

Thank you for the quick answer.

Two more questions for you:

1 - In order to have mutual TLS authentication I need to load a custom CA on the phone, right (or buy a valid cert from one of the providers)? So my server can send a valid certificate to it...

2 - For provisioning, is it mandatory to have mutual authentication enabled, or could I just check the phone's certificate using the CA root?

I want to build a no touch provisioning, without having to manually load/configure things on the phone.

Cheers,
Ricardo.
03-06-2015 01:47 PM
James_Yealink
Post: #4
RE: Mutual Certificates exchange using built device built in cetificate
1. Yealink phones have 30 built-in CAs; if your CA is included among them, you needn't load it. Otherwise you have to upload a custom root certificate.
The trusted CA list can be found in this guide:
http://www.yealink.com/Upload/T2X/201421..._V72.1.pdf

2. You can go to Security -> Trusted Certificate to disable "Only Accept Trusted Certificate"; then the phone won't authenticate the provisioning server.

Regards,
James
(This post was last modified: 03-09-2015 09:10 AM by James_Yealink.)
03-09-2015 09:09 AM
VOIP
Post: #5
RE: Mutual Certificates exchange using built device built in cetificate
Yealink_James,
Does Yealink offer server certificates, if we generate a CSR for you?
This way we know it will always be supported?

We are currently using trusted, but it's about to expire -
03-11-2015 11:24 PM
James_Yealink
Post: #6
RE: Mutual Certificates exchange using built device built in cetificate
It's possible that we offer a server certificate using your CSR.
If you need one, please send the request to your distributor.

Regards,
James
03-12-2015 10:34 AM
Bluip_Support
Post: #7
RE: Mutual Certificates exchange using built device built in cetificate
(03-06-2015 09:23 AM)James_Yealink Wrote:  Hi Ricardo,

1. I attached Yealink Root CA. Please check.
2. Though each phone has a unique device certificate, they are all issued by Yealink Root CA. So you just need to import Yealink Root CA to your Browser.

Regards,
James

Hello - Do you know if this root CA is supported on all Yealink models? We have multiple Yealink products and we are planning to use MTLS using the default device client cert.
02-04-2019 06:45 PM