Use the Device Enrollment Services server to install a client identity certificate on the phone. The phone uses the identity certificate for EAP TLS and mutual TLS authentication.

During mutual TLS authentication, the phone validates the certificate provided by the provisioning server and presents an identity certificate to the provisioning server. To validate the certificate, the provisioning server must trust the root CA certificate used for issuing the phone identity certificate.

You can configure the Device Enrollment Services server so that the phone needs an identity certificate for mutual authentication with the provisioning server. The phone requests for the certificate and then queries the Device Enrollment Services server for the provisioning server URL.

To use this functionality, you must install the Avaya Devices root certificate for issuing identity certificates on the provisioning server.

For more information on installing Device Enrollment Services HSM root certificate, see Avaya Device Enrollment Services documentation.