Simple Certificate Enrollment Protocol (SCEP) is a method for deploying client identity certificates. The J100 phone uses SCEP to enroll and obtain a new client identity certificate, and continues to use SCEP to renew that certificate as needed.
SCEP Enrollment
During boot-up, the J100 phone builds the SCEP enrollment details for the Client Identity Certificate Signing Request (CSR) from the parameters in the table below.
To configure SCEP enrollment, ensure that your Public Key Infrastructure (PKI) server, such as Avaya Aura® System Manager, has a corresponding configuration: you must create an end entity whose Common Name (CN) and password match the values configured on the phone.
Parameter
Type
Default value
Description
MYCERTURL, MYCERTURL_2, MYCERTURL_3
String
Specifies the URL to access the SCEP server. The phone attempts to contact the server only if this parameter is set. Use MYCERTURL_2 and MYCERTURL_3 for additional profiles.
MYCERTKEYLEN, MYCERTKEYLEN_2, MYCERTKEYLEN3
Integer
Specifies the bit length of the key pair generated for the SCEP certificate request.
The value is 4 ASCII numeric digits. The phone supports the values 2048 and 4096; any other value is ignored.
A 4096-bit key delays boot-up, because the initial key generation and certificate enrollment take longer.
Use MYCERTKEYLEN_2 and MYCERTKEYLEN3 for additional profiles.
MYCERTCN, MYCERTCN_2, MYCERTCN_3
String
Specifies the Common Name (CN) for the certificate request. This value serves as the username associated with the end entity in the SCEP server. The value must contain at least one macro:
, but in uppercase.
To enable enhanced certificate renewal in Avaya Aura® System Manager 8.1.3 and later, this value must remain unchanged from the one used in the existing identity certificate.
If a new value is required, remove SCEP_ENTITY_CLASS or delete the existing certificate using DELETE_MY_CERT before reinstalling a new one. Use MYCERTCN_2 and MYCERTCN_3 for additional profiles.
MYCERTDN, MYCERTDN_2, MYCERTDN_3
String
Defines the remainder of the subject Distinguished Name (DN) for the SCEP certificate request, that is, the attributes other than the CN. This value typically includes Organizational Unit, Organization, Locality, State, and Country information.
To enable enhanced certificate renewal in Avaya Aura® System Manager 8.1.3 and later, this value must remain unchanged from the one used in the existing certificate.
If a new value is required, remove SCEP_ENTITY_CLASS or delete the existing certificate using DELETE_MY_CERT before reinstalling a new one. Use MYCERTDN_2 and MYCERTDN_3 for additional profiles.
MYCERTCAID, MYCERTCAID_2, MYCERTCAID_3
String
Specifies the Certificate Authority (CA) Identifier. Some CA servers require a specific identifier string in the SCEP GetCACert request. If your CA requires one, set this parameter to match. Use MYCERTCAID_2 and MYCERTCAID_3 for additional profiles.
SCEPENCALG, SCEPENCALG_2, SCEPENCALG_3
Numeric
Specifies the SCEP encryption algorithm.
Value operation:
For certificate profiles 2 and 3, use SCEPENCALG_2 and SCEPENCALG_3.
SCEPPASSWORD, SCEPPASSWORD_2, SCEPPASSWORD_3
String
Specifies a challenge password to use with SCEP. If the value of SCEPPASSWORD is non-null, it is included as the PKCS#9 challengePassword attribute in SCEP certificate signing requests.
If the value contains
is replaced by the phone serial number in uppercase. If the value contains
is replaced by the phone MAC address in lowercase without the colon separators.
To use enhanced certificate renewal in System Manager 8.1.3 and later, SCEPPASSWORD value cannot be empty. It can be set to a variable such as
.
If enrollment or renewal of a certificate is performed using the standard SCEP protocol rather than enhanced renewal, the parameter SCEP_ENTITY_CLASS must be removed.
For certificate profiles 2 and 3, use SCEPPASSWORD_2 and SCEPPASSWORD_3.
SCEP_USAGE, SCEP_2_USAGE, SCEP_3_USAGE
String
Specifies the list of services for which the certificate assigned to the SCEP profile is used.
The value must be a comma-separated list; service names are case-insensitive.
Available services are the following:
SIP
Provisioning
802.1x
LDAP
Ring Central
Push
PPM
XSI
Syslog
All
Default is All.
You can exclude one service using ! before the service name in the list. For example, All,!SIP will assign all available services except SIP.
Note:
The phone does not perform SCEP enrollment if a Client Identity Certificate obtained through SCEP is already installed; for such a certificate it performs SCEP renewal instead, as described below.
The following parameter defines when the J100 phone initiates SCEP renewal for an existing Client Identity Certificate installed through SCEP:
Parameter
Type
Default value
Description
MYCERTRENEW, MYCERTRENEW_2, MYCERTRENEW_3
Numeric
Specifies the point in the certificate's validity period, as a percentage, at which the phone initiates the renewal procedure through SCEP. The range is 1 to 99 percent.
For example, if MYCERTRENEW is set to 90 and the certificate is valid for 365 days, renewal begins 328.5 days after the start of the validity period, that is, 36.5 days before expiration (365 - 365 × 90% = 36.5 days).
After a successful renewal, the phone uses the new certificate for all new TLS connections while existing TLS connections remain active.
If the phone fails to renew the certificate, it retries every 24 hours.
When using Avaya Aura® System Manager as the SCEP Certificate Authority (CA), ensure that the End Entity Status for the device is set to "New".
For additional certificate profiles, use MYCERTRENEW_2 and MYCERTRENEW_3.
Note:
SCEP renewal also requires the same parameters and values used during the initial SCEP enrollment.
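The rules in the two tables above (MYCERTKEYLEN accepting only 2048 and 4096 and ignoring anything else, SCEP_USAGE as a case-insensitive list with ! exclusions, SCEPPASSWORD being mandatory once SCEP_ENTITY_CLASS enables enhanced renewal, and MYCERTRENEW as a percentage of the validity period with 24-hour retries after a failure) are easy to get subtly wrong in a settings file. The following Python script is an added example written for this page, not Avaya code: it lints a constructed settings block against those rules and computes the renewal instant for a given certificate. It assumes the settings file uses "SET NAME value" lines with "##" comments; the URL, DN and SCEP_ENTITY_CLASS value in the sample are placeholders, and applying SCEP_USAGE items left to right is the script's own choice, not behaviour documented here.

```python
"""Lint J100 SCEP settings and compute the MYCERTRENEW trigger.

Added example for this page, not Avaya's implementation. The 'SET NAME value'
file format and the '##' comment marker are ASSUMED; the sample values below
are constructed placeholders, not a real deployment.
"""
from datetime import datetime, timedelta, timezone

# Services the page lists for SCEP_USAGE, lower-cased for case-insensitive matching.
SERVICES = frozenset({"sip", "provisioning", "802.1x", "ldap", "ring central",
                      "push", "ppm", "xsi", "syslog"})
VALID_KEYLEN = {"2048", "4096"}   # the only MYCERTKEYLEN values the page supports

# Constructed sample: a deliberately flawed settings block (hypothetical values).
SAMPLE_SETTINGS = """\
## constructed example, not a real deployment
SET MYCERTURL http://pki.example.com/scep/pkiclient.exe
SET MYCERTKEYLEN 3072
SET MYCERTDN OU=Phones,O=Example,L=Denver,ST=CO,C=US
SET SCEP_ENTITY_CLASS 1
SET SCEPPASSWORD
SET SCEP_USAGE All,!SIP
SET MYCERTRENEW 90
"""


def parse_settings(text):
    """Return {NAME: value} from 'SET NAME value' lines; a missing value is ''."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("##") or not line.startswith("SET "):
            continue
        parts = line.split(None, 2)          # 'SET', NAME, optional value
        out[parts[1]] = parts[2] if len(parts) == 3 else ""
    return out


def effective_keylen(value):
    """MYCERTKEYLEN as the phone would apply it: 2048 or 4096, else ignored (None)."""
    return int(value) if value in VALID_KEYLEN else None


def resolve_usage(value):
    """Expand a SCEP_USAGE list into the set of services it covers.

    Case-insensitive; 'All' expands to every service; '!X' removes X.
    Items are applied left to right (assumed ordering). Empty/None means All.
    """
    wanted = set()
    for item in (value or "All").split(","):
        name = item.strip().lower()
        exclude = name.startswith("!")
        name = name.lstrip("!").strip()
        if name == "all":
            members = set(SERVICES)
        elif name in SERVICES:
            members = {name}
        else:
            raise ValueError(f"unknown service in SCEP_USAGE: {item.strip()!r}")
        wanted = wanted - members if exclude else wanted | members
    return wanted


def renewal_start(not_before, not_after, percent):
    """Instant at which the phone starts SCEP renewal: MYCERTRENEW percent into validity."""
    if not 1 <= percent <= 99:
        raise ValueError("MYCERTRENEW must be between 1 and 99")
    return not_before + (not_after - not_before) * (percent / 100)


def retry_schedule(first_attempt, failures):
    """Subsequent attempt times after repeated failures (the page says retry every 24 hours)."""
    return [first_attempt + timedelta(hours=24 * i) for i in range(1, failures + 1)]


def lint(settings):
    """Findings worth fixing before the settings file is pushed to phones."""
    findings = []
    if not settings.get("MYCERTURL"):
        findings.append("MYCERTURL unset: the phone will not contact a SCEP server")
    if "MYCERTKEYLEN" in settings and effective_keylen(settings["MYCERTKEYLEN"]) is None:
        findings.append(f"MYCERTKEYLEN={settings['MYCERTKEYLEN']!r} is not 2048/4096 and is ignored")
    if "SCEP_ENTITY_CLASS" in settings and not settings.get("SCEPPASSWORD"):
        findings.append("SCEP_ENTITY_CLASS set but SCEPPASSWORD empty: enhanced renewal needs a challenge password")
    try:
        resolve_usage(settings.get("SCEP_USAGE"))
    except ValueError as exc:
        findings.append(str(exc))
    renew = settings.get("MYCERTRENEW")
    if renew is not None and not (renew.isdigit() and 1 <= int(renew) <= 99):
        findings.append(f"MYCERTRENEW={renew!r} is outside 1..99")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_settings(SAMPLE_SETTINGS)):
        print("finding:", finding)
    nb = datetime(2025, 1, 1, tzinfo=timezone.utc)
    na = nb + timedelta(days=365)
    print("renewal starts:", renewal_start(nb, na, 90).isoformat())
```

Run it as a script to see the two findings in the sample (the 3072-bit key that the phone would silently ignore, and the empty SCEPPASSWORD that breaks enhanced renewal) and the renewal instant 36.5 days before expiry for a one-year certificate with MYCERTRENEW set to 90.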