Enhanced Enrollment is an Avaya proprietary mechanism of certificate enrollment based on the Simple Certificate Enrollment Protocol (SCEP). Enhanced Enrollment can be used to manage and deploy Client Identity Certificates at scale using System Manager 8.1.3 or greater as the Certificate Authority. It enables simplified Client Identity Certificate management without the requirement to create and manage a System Manager End Entity for each phone or to manage the End Entity Status during the renewal period.
Enhanced SCEP enrollment
The phone can use Enhanced Enrollment to obtain a new Client Identity Certificate.
Ensure System Manager 8.1.3 or greater is properly configured for Enhanced SCEP. For more information about managing End Entity Classes in System Manager, see the Avaya Aura System Manager guide.
As an administrator, you can create an End Entity Class and a common associated password through System Manager.
The End Entity Class password can be given an expiry date in System Manager; after that date, devices can no longer enroll for a Client Identity Certificate.
Enhanced Enrollment requires the following parameter:
SCEP_ENTITY_CLASS: Specifies that the phone uses the enhanced SCEP enrollment request. The value must match the End Entity Class defined in System Manager.
This parameter is ignored if the phone is not configured for an Aura server environment.
MYCERTURL will be forced to https:// if SCEP_ENTITY_CLASS is defined.
For certificate profiles 2 and 3, use SCEP_ENTITY_CLASS_2 and SCEP_ENTITY_CLASS_3.
Enhanced Enrollment also requires the parameters used for standard SCEP enrollment (MYCERTURL, MYCERTCN, SCEPPASSWORD) to be defined, with the following notes:
Note:
MYCERTCN, when used with Enhanced SCEP Enroll, must contain at least 1 macro and, optionally, other characters.
If the value contains macro $SERIALNO, it is replaced by the phone serial number in uppercase.
If the value contains macro $MACADDR, it is replaced by the phone MAC address in lowercase without the colon separators.
If the value contains macro $MACADDR_UPPER, it is replaced by the phone MAC address in uppercase without the colon separators.
System Manager accepts the Enhanced SCEP Enrollment Certificate Signing Request carrying the MYCERTCN value, and the MYCERTCN string becomes part of the signed identity certificate returned to the phone.
SCEPPASSWORD is a common password for all phones that use the same SCEP_ENTITY_CLASS to enroll for a Client Identity Certificate. If SCEPPASSWORD is set to $SERIALNO, $MACADDR, or $MACADDR_UPPER, standard SCEP enrollment is invoked even if SCEP_ENTITY_CLASS is provided.
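The rules above (macro expansion in MYCERTCN, the https:// override of MYCERTURL, the fallback to standard SCEP when SCEPPASSWORD is itself a macro, and the renewal behaviour for expired certificates described in the next section) are small enough to check mechanically before a settings file is pushed to phones. The following is an added example, not Avaya's phone firmware or System Manager code. It assumes the parameters arrive in the "SET NAME value" form used by the phone settings file, handles certificate profile 1 only, and uses constructed sample values (the entity class name, the serial number, the MAC address and the smgr.example.invalid host are all made up); the function names are the example's own.

```python
"""Added example (not Avaya code): apply this page's Enhanced SCEP rules to a
phone's settings and report what the phone would do.

Assumptions not stated on the page: settings are given as "SET NAME value"
lines, and only certificate profile 1 (SCEP_ENTITY_CLASS, MYCERTCN, MYCERTURL,
SCEPPASSWORD) is handled.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# The three macros the page defines for MYCERTCN (and checks in SCEPPASSWORD).
MACROS = ("$SERIALNO", "$MACADDR", "$MACADDR_UPPER")


def parse_settings(text: str) -> dict:
    """Parse 'SET NAME value' lines; comments and other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].upper() == "SET":
            settings[parts[1].upper()] = parts[2].strip().strip('"')
    return settings


def expand_macros(value: str, serial: str, mac: str) -> str:
    """Substitute the macros exactly as the page defines them."""
    mac_plain = mac.replace(":", "")
    # $MACADDR_UPPER first: a plain "$MACADDR" replace would consume its prefix.
    out = value.replace("$MACADDR_UPPER", mac_plain.upper())
    out = out.replace("$MACADDR", mac_plain.lower())
    out = out.replace("$SERIALNO", serial.upper())
    return out


def force_https(url: str) -> str:
    """MYCERTURL is forced to https:// when SCEP_ENTITY_CLASS is defined."""
    return "https://" + re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", url)


@dataclass
class EnrollmentPlan:
    mode: str                    # "enhanced" or "standard"
    entity_class: Optional[str]  # None when standard SCEP applies
    cert_url: str
    subject_cn: str              # CN the phone would place in its CSR


def plan_enrollment(settings: dict, serial: str, mac: str) -> EnrollmentPlan:
    entity_class = settings.get("SCEP_ENTITY_CLASS")
    password = settings.get("SCEPPASSWORD", "")
    cn = settings.get("MYCERTCN", "")
    url = settings.get("MYCERTURL", "")

    # No entity class, or a per-phone macro password: standard SCEP is used,
    # even though SCEP_ENTITY_CLASS may be present. Standard SCEP's own
    # handling of MYCERTCN is not covered by this page, so the CN is returned
    # as configured.
    if entity_class is None or password in MACROS:
        return EnrollmentPlan("standard", None, url, cn)

    # Enhanced enrollment: MYCERTCN must contain at least one macro.
    if not any(m in cn for m in MACROS):
        raise ValueError("MYCERTCN must contain at least one macro for Enhanced SCEP")

    return EnrollmentPlan("enhanced", entity_class, force_https(url),
                          expand_macros(cn, serial, mac))


def renewal_action(cert_not_after_iso: str, now_iso: str) -> str:
    """Enhanced Renewal needs a still-valid certificate for the mutual TLS
    connection; an expired one must be deleted before a fresh enrollment."""
    not_after = datetime.fromisoformat(cert_not_after_iso)
    now = datetime.fromisoformat(now_iso)
    return "enhanced-renew" if now < not_after else "delete-then-enroll"


# Constructed sample settings fragment (not from any real deployment).
SAMPLE_SETTINGS = """
# constructed 46xxsettings-style fragment
SET MYCERTURL http://smgr.example.invalid/scep
SET MYCERTCN phone-$SERIALNO-$MACADDR
SET SCEP_ENTITY_CLASS Phones-Building-A
SET SCEPPASSWORD SharedClassSecret
"""

if __name__ == "__main__":
    plan = plan_enrollment(parse_settings(SAMPLE_SETTINGS),
                           serial="19ak01234567", mac="00:1b:4f:aa:bb:cc")
    print(plan)
```

Running the sample reports an enhanced enrollment against https://smgr.example.invalid/scep with the subject CN phone-19AK01234567-001b4faabbcc; changing SCEPPASSWORD to $SERIALNO flips the plan to standard SCEP, and a MYCERTCN without any macro is rejected as a configuration error.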
Enhanced Renewal
System Manager enables renewal of the phone's Client Identity Certificate by establishing a mutual TLS connection authenticated with the phone's existing Client Identity Certificate. Client Identity Certificates must be renewed before they expire. MYCERTRENEW defines when the phone performs an Enhanced Renewal of an existing Client Identity Certificate.
If the phone's Client Identity Certificate has already expired, Enhanced Renewal fails; the expired certificate must be deleted before the phone attempts a new Enhanced SCEP Enrollment.
Enhanced SCEP Renewal requires the same parameters and values as Enhanced SCEP Enrollment, with the following notes:
Note:
SCEP_ENTITY_CLASS must be defined to perform Enhanced SCEP renewal.
MYCERTCN must be the same value as used during Enhanced SCEP Enrollment.