SCEP
Simple Certificate Enrollment Process (SCEP) is a method for deploying client identity certificates. The J100 phone uses SCEP to enroll and obtain a new client identity certificate and continues to use SCEP to renew the certificate as needed.
SCEP Enrollment
During boot-up, the J100 phone initializes and defines SCEP enrollment details for the Client Identity Certificate Signing Request (CSR) based on the parameters in the table below.
To configure SCEP enrollment, ensure that your Public Key Infrastructure (PKI) server, such as Avaya Aura® System Manager, has a corresponding configuration. You must create an end entity with a matching Common Name (CN) and password.
|
Parameter
|
Type
|
Default value
|
Description
|
|---|---|---|---|
|
MYCERTURL, MYCERTURL_2, MYCERTURL_3
|
String
|
|
Specifies the URL to access the SCEP server. The phone attempts to contact the server only if this parameter is set. Use MYCERTURL_2 and MYCERTURL_3 for additional profiles.
|
|
MYCERTKEYLEN, MYCERTKEYLEN_2, MYCERTKEYLEN3
|
Integer
|
|
Specifies the bit length of the public and private keys generated for the SCEP certificate request.
The value is a 4 ASCII numeric digits. The phone supports the values 2048 and 4096. Invalid values are ignored.
The 4096 key size delays boot-up during the initial key generation and certificate enrollment.
Use MYCERTKEYLEN_2 and MYCERTKEYLEN3 for additional profiles.
|
|
MYCERTCN, MYCERTCN_2, MYCERTCN_3
|
String
|
|
Specifies the Common Name (CN) for the certificate request. This value serves as the username associated with the end entity in the SCEP server. The value must contain at least one macro:
To enable enhanced certificate renewal in Avaya Aura® System Manager 8.1.3 and later, this value must remain unchanged from the one used in the existing identity certificate.
If a new value is required, remove SCEP_ENTITY_CLASS or delete the existing certificate using DELETE_MY_CERT before reinstalling a new one. Use MYCERTCN_2 and MYCERTCN_3 for additional profiles.
|
|
MYCERTDN, MYCERTDN_2, MYCERTDN_3
|
String
|
|
Defines the common Distinguished Name (DN) portion of the SCEP certificate request. This value typically includes Organizational Unit, Organization, Location, State, and Country information.
To enable enhanced certificate renewal in Avaya Aura® System Manager 8.1.3 and later, this value must remain unchanged from the one used in the existing certificate.
If a new value is required, remove SCEP_ENTITY_CLASS or delete the existing certificate using DELETE_MY_CERT before reinstalling a new one. Use MYCERTDN_2 and MYCERTDN_3 for additional profiles.
|
|
MYCERTCAID, MYCERTCAID_2, MYCERTCAID_3
|
String
|
|
Specifies the Certificate Authority (CA) Identifier. Some CA servers require a specific identifier string for GetCA requests. If required, set this parameter to match the CA requirements. Use MYCERTCAID_2 and MYCERTCAID_3 for additional profiles.
|
|
SCEPENCALG, SCEPENCALG_2, SCEPENCALG_3
|
Numeric
|
|
Specifies SCEP Encryption Algorithm.
Value operation:
For certificate profiles 2 and 3, use SCEPENCALG_2 and SCEPENCALG_3.
|
|
SCEPPASSWORD, SCEPPASSWORD_2, SCEPPASSWORD_3
|
String
|
|
Specifies a challenge password to use with SCEP. The value of SCEPPASSWORD, if non-null, is included in a challenge Password attribute in SCEP certificate signing requests.
If the value contains
To use enhanced certificate renewal in System Manager 8.1.3 and later, SCEPPASSWORD value cannot be empty. It can be set to a variable such as
If renewal or enrollment of a certificate is performed using standard SCEP protocol, the parameter SCEP_ENTITY_CLASS must be removed.
For certificate profiles 2 and 3, use SCEPPASSWORD_2 and SCEPPASSWORD_3.
|
|
SCEP_USAGE, SCEP_2_USAGE, SCEP_3_USAGE
|
String
|
|
Specify the list of services for which the certificate assigned to the SCEP profile should be applied.
Must be a comma-separated list, case-insensitive.
Available services are the following:
SIP
Provisioning
802.1x
LDAP
Ring Central
Push
PPM
XSI
Syslog
All
Default is All.
You can exclude one service using ! before the service name in the list. For example, All,!SIP will assign all available services except SIP.
|
Note:
The phone does not perform SCEP enrollment if a Client Identity Certificate is installed through SCEP.
To observe Client Identity Certificates installed on the phone, see Viewing the installed certificates using the web interface.
To observe a proactive notification when Client Identity Certificates approach expiry, see Expiry Warning.
To delete Client Identity Certificates, see Parameters for deleting multiple identity certificates.
SCEP Renewal
The following parameter defines when the J100 phone initiates SCEP renewal for an existing Client Identity Certificate installed through SCEP:
|
Parameter
|
Type
|
Default value
|
Description
|
|---|---|---|---|
|
MYCERTRENEW, MYCERTRENEW_2, MYCERTRENEW_3
|
Numeric
|
|
Specifies the percentage of validity period of the certificate, after which the phone initiates the renewal procedure through SCEP. The value determines the renewal time based on the certificate’s validity period. The range is from 1 to 99 percent.
For example, if MYCERTRENEW is set to 90 and the certificate’s validity is 365 days, renewal begins 36.5 days before expiration ((365)-(365*90%)= 36.5 days).
After a successful renewal, the phone uses the new certificate for all new TLS connections while existing TLS connections remain active.
If the phone fails to renew the certificate, it retries every 24 hours.
When using Avaya Aura® System Manager as the SCEP Certificate Authority (CA), ensure that the End Entity Status for the device is set to "New".
For additional certificate profiles, use MYCERTRENEW_2 and MYCERTRENEW_3.
|
Note:
SCEP renewal also requires the same parameters and values used during the initial SCEP enrollment.