Yealink MP56, T58A, T56A, T55A, T48S User Manual

Using Security Certificates on Skype for Business phones

This guide provides detailed instructions on how to configure and use certificates on Skype
for Business phones. It also provides step-by-step instructions on how to create
custom certificates for Skype for Business phones.
Business phones running firmware version 9 or later and CP960 Skype for Business phones
running firmware version 8 or later.

Introduction

Certificates are an important element in deploying a solution that ensures the integrity and privacy
of communications involving Skype for Business phones.
Three types of certificates are pre-loaded on Skype for Business phones and comply with the X.509
standard:
- A unique device certificate: It is installed at the time of manufacture, is unique to a
  Skype for Business phone (based on the MAC address) and is issued by the Yealink
  Certificate Authority (CA).
- A generic device certificate: It is installed by default and is issued by the Yealink
  Certificate Authority (CA). If no unique certificate exists, the Skype for Business phone
  may send a generic certificate for authentication.
- Trusted certificates (Certificate Authority certificates):
  For MP56/T58A/T56A/T55A/T48S/T46S/T42S/T41S/CP960 Skype for Business phones,
  there are 51 trusted certificates installed by default. Refer to Appendix B: Trusted
  Certificate Authority List on page 11 for more information.
The following shows an example of a Yealink generic certificate. For information on the
fields of an X.509 certificate, refer to Appendix A X.509 Certificate Structure on page 11.

Configuring Trusted Certificates on Skype for Business phones

When a Skype for Business phone requests an SSL connection with a server, the phone should
verify whether the server can be trusted. The server sends its certificate to the phone, and
the phone verifies this certificate against its trusted certificates list.
The MP56/T58A/T56A/T55A/T48S/T46S/T42S/T41S/CP960 Skype for Business phones have
51 built-in trusted certificates. For more information, refer to Appendix B: Trusted Certificate
Authority List on page 11. The phone supports uploading at most 10 custom trusted certificates (CA
certificates). For more information on customizing a trusted certificate, refer to Appendix
C Creating Custom Certificates on page 13.
Note
To determine whether a certificate is within its valid time range, check that the time and date on the phone are configured properly.

Configuring Trusted Certificate via Web User Interface

To upload a trusted certificate via web user interface:
1. Click on Security->Trusted Certificates.
2. Click Browse to locate the certificate (*.pem, *.crt, *.cer or *.der) from your local system.
3. Click Upload to upload the certificate.
The information of the custom trusted certificate is displayed on the web user interface of
the Skype for Business phone.
Note
The information of built-in trusted certificates is not displayed on the web user interface of the Skype for Business phone.
To configure trusted certificates via web user interface:
1. Click on Security->Trusted Certificates.
2. Select the desired value from the pull-down list of Only Accept Trusted Certificates.
   - If Enabled is selected, the Skype for Business phone will verify the server certificate
     based on the trusted certificates list. The phone will trust the server only when the
     authentication succeeds.
   - If Disabled is selected, the Skype for Business phone will trust the server whether or
     not the certificate received from the server is valid.
3. Select the desired value from the pull-down list of Common Name Validation.
   - If Enabled is selected, the Skype for Business phone will verify the CommonName or
     subjectAltName of the server certificate.
   - If Disabled is selected, the Skype for Business phone will not verify the
     CommonName or subjectAltName of the server certificate.
4. Select the desired value from the pull-down list of CA Certificates.
   - If Default Certificates is selected, the Skype for Business phone will verify the server
     certificate based on the built-in trusted certificates list.
   - If Custom Certificates is selected, the Skype for Business phone will verify the server
     certificate based on the custom trusted certificates list.
   - If All Certificates is selected, the Skype for Business phone will verify the server
     certificate based on the trusted certificates list, which contains built-in and custom
     trusted certificates.
5. Click Confirm to accept the change.

Configuring Trusted Certificate Using Configuration Files

To configure trusted certificates using configuration files:
1. Add/Edit trusted certificates parameters in configuration files.
The following table lists the information of parameters:

Parameter: static.trusted_certificates.url
Permitted Values: URL within 511 characters
Default: Blank
Description:
Configures the access URL of the custom trusted certificate used to authenticate the
connecting server.
Note: The certificate you want to upload must be in *.pem, *.crt, *.cer or *.der format.
Web User Interface:
Security->Trusted Certificates->Load trusted certificates file
Phone User Interface:
None

Parameter: static.security.trust_certificates
Permitted Values: 0 or 1
Default: 1
Description:
Enables or disables the Skype for Business phone to only trust the server certificates in the
Trusted Certificates list.
0-Disabled
1-Enabled
Web User Interface:
Security->Trusted Certificates->Only Accept Trusted Certificates
Phone User Interface:
None

Parameter: static.security.cn_validation
Permitted Values: 0 or 1
Default: 0
Description:
Enables or disables the Skype for Business phone to mandatorily validate the
CommonName or SubjectAltName of the certificate sent by the server.
0-Disabled
1-Enabled
Web User Interface:
Security->Trusted Certificates->Common Name Validation
Phone User Interface:
None

Parameter: static.security.ca_cert
Permitted Values: 0, 1 or 2
Default: 2
Description:
Configures the type of certificates in the Trusted Certificates list that the Skype for Business
phone uses to authenticate TLS connections.
0-Default Certificates
1-Custom Certificates
2-All Certificates
Web User Interface:
Security->Trusted Certificates->CA Certificates
Phone User Interface:
None

The following shows an example of trusted certificate configurations in the
<y0000000000xx.cfg> configuration file:
static.trusted_certificates.url = http://192.168.1.20/tc.crt
static.security.trust_certificates = 1
static.security.cn_validation = 0
static.security.ca_cert = 2
2. Upload configuration files to the root directory of the provisioning server and trigger Skype
for Business phones to perform an auto provisioning for configuration update.
For more information on auto provisioning, refer to
Yealink_Skype_for_Business_HD_IP_Phones_Auto_Provisioning_Guide.
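
The four parameters above can be checked before a configuration file is published to the provisioning server. The following is an added example, not part of the Yealink guide or of any Yealink tool: a Python audit that applies the permitted values and defaults from the parameter table. The function names and finding texts are this example's own, and it assumes one key = value pair per line with # starting a comment line.

```python
# Added example: audit the trusted-certificate parameters of a provisioning file.
# Assumption: one "key = value" per line; lines starting with "#" are comments.
from urllib.parse import urlparse
ALLOWED_EXT = (".pem", ".crt", ".cer", ".der")   # formats the guide accepts
CA_CERT_VALUES = ("0", "1", "2")                 # Default / Custom / All Certificates

def parse_cfg(text):
    """Return {lowercased key: value} for every 'key = value' line."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().lower()] = value.strip()
    return params

def audit(text):
    """Return a list of findings for the trusted-certificate settings."""
    p, findings = parse_cfg(text), []
    # Fallbacks are the table defaults: trust_certificates=1, cn_validation=0, ca_cert=2.
    if p.get("static.security.trust_certificates", "1") == "0":
        findings.append("trust_certificates=0: any server certificate is accepted")
    if p.get("static.security.cn_validation", "0") == "0":
        findings.append("cn_validation=0: CommonName/subjectAltName is not checked")
    ca = p.get("static.security.ca_cert", "2")
    if ca not in CA_CERT_VALUES:
        findings.append(f"ca_cert={ca}: not one of 0, 1 or 2")
    url = p.get("static.trusted_certificates.url", "")
    if url:
        parsed = urlparse(url)
        if len(url) > 511:
            findings.append("trusted_certificates.url: longer than 511 characters")
        if not parsed.path.lower().endswith(ALLOWED_EXT):
            findings.append("trusted_certificates.url: not a .pem/.crt/.cer/.der file")
        if parsed.scheme == "http":
            findings.append("trusted_certificates.url: CA certificate fetched over plain HTTP")
    elif ca == "1":
        findings.append("ca_cert=1 but no custom certificate URL is set")
    return findings

# Constructed sample input: the values from the guide's configuration example.
SAMPLE = """\
static.trusted_certificates.url = http://192.168.1.20/tc.crt
static.security.trust_certificates = 1
static.security.cn_validation = 0
static.security.ca_cert = 2
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against the guide's example values, the audit reports the disabled name validation and the plain-HTTP download of the CA certificate.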

Configuring Device Certificates on Skype for Business phones

When a client requests an SSL connection with a Skype for Business phone, the phone sends a
device certificate to the client for authentication.
The phones have two built-in device certificates: a unique and a generic device certificate. The
Skype for Business phone supports uploading one custom device certificate at most. The old
custom device certificate will be overridden by the new one. For more information on
customizing a device certificate, refer to Appendix C Creating Custom Certificates on page 13.
To upload a device certificate via web user interface:
1. Click on Security->Server Certificates.
2. Click Browse to locate the certificate (*.pem and *.cer) from your local system.
3. Click Upload to upload the certificate.