Situation
Secure endpoint provisioning requires an encrypted HTTP connection (HTTPS) between the endpoint and the server. For this, our phones come equipped with several well-known, commonly used pre-installed certificates issued by trusted authorities such as DigiCert, VeriSign, Thawte, and others.
If a customer prefers to use their own self-signed certificate, they can do so by uploading the certificate to the phone. This is typically done in a so-called staging step, prior to the auto-provisioning of the phone.
1. Configuration File
Prepare a small configuration file containing either a download link to the location where the self-signed certificate is stored, or the base64-encoded certificate pasted in directly.
<?xml version="1.0" encoding="utf-8" ?>
<certificates>
  <certificate url="http://192.168.1.101/trusted_cert1.DER" />
  <certificate url="http://192.168.1.101/trusted_cert2.DER" />
</certificates>
<?xml version="1.0" encoding="utf-8" ?>
<settings>
  <phone-settings e="2">
    [...]
  </phone-settings>
  <certificate type="base64">
-----BEGIN CERTIFICATE-----
MIICgjCCAiygAwIBAgIJAP3LcHE/YXO0MA0GCSqGSIb3DQEBBQUAMGExCzAJBgNV
BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQxGjAYBgNVBAMTEWxhYi5zbm9tb25lLmxvY2FsMB4XDTEw
MDYyODEzMTUzNFoXDTExMDYyODEzMTUzNFowYTELMAkGA1UEBhMCQVUxEzARBgNV
BAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
ZDEaMBgGA1UEAxMRbGFiLnNub21vbmUubG9jYWwwXDANBgkqhkiG9w0BAQEFAANL
ADBIAkEAxz7NB5Pc8zIfSklWAbMNOndX8guj73Q9vGz/ESoVXh/N1b5iVTYMTcN7
7dllq8hE3i/7tF7gqoXJjANmjTs2XwIDAQABo4HGMIHDMB0GA1UdDgQWBBT+HGLO
WZoa2iqc4v44Mu6hcqxWxzCBkwYDVR0jBIGLMIGIgBT+HGLOWZoa2iqc4v44Mu6h
cqxWx6FlpGMwYTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAf
BgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAxMRbGFiLnNu
b21vbmUubG9jYWyCCQD9y3BxP2FztDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
BQUAA0EAJSyG8d3VI9fR14M0VN7+8C/YtI09Lf/X7UHo3FcFpOgISbmM5UH01an9
9wKxhzrIqlM52TAvWrl+mfOJf/MNyQ==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIBOwIBAAJBAMc+zQeT3PMyH0pJVgGzDTp3V/ILo+90Pbxs/xEqFV4fzdW+YlU2
DE3De+3ZZavIRN4v+7Re4KqFyYwDZo07Nl8CAwEAAQJASqh4kSdRunsEiIR0Ssy5
3zeK57J+6iHnZCx/YwIe4ZZlu2qBHvqQYxawNSaUU9grzLNgEv6FVovkARX5eHDv
OQIhAO6PbFz/rOG7Qg8AIWsR8HIgaph9wMsi9OUHnOGY9WVrAiEA1c+cj/0F0kSf
JK/ZoqdOfdf6G5TJzUvBx2QIK3bJO90CICSptiW0xYULmmNjyb8Cysk/YiJ9cRvH
C4wHV3z0XQJxAiEA0oM89Q/8gVCLGEYDlAACaikR2cIfBwDF5Bl7ab/k1gkCIQDZ
urS1O2EogcYakaU0Y5baGNtQZz2WFvh72XgtoCYRAw==
-----END RSA PRIVATE KEY-----
  </certificate>
</settings>
2. Redirect the phone to the certificate file
- Make sure the local redirection is set up in a secure environment, because the phone stores the certificate it downloads in this step.
- When the phone boots up, it fetches the file, then downloads and stores the self-signed certificate.
- On the next boot, it uses the self-signed certificate to authenticate the provisioning server it is redirected to.
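A pre-flight check for the staging file, added here as an example and not part of the vendor's tooling: it parses either form of the configuration file from step 1, reports certificates fetched without TLS and private key material pasted into the file, and returns the SHA-256 fingerprint of each embedded certificate for comparison with the certificate installed on the provisioning server. The function name, the finding texts and the sample inputs are assumptions constructed for illustration.

```python
import base64
import binascii
import hashlib
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
PEM_KEY = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")

def audit_staging_config(xml_text):
    """Return (findings, sha256_fingerprints) for one staging configuration file."""
    findings, fingerprints = [], []
    root = ET.fromstring(xml_text.strip())
    for cert in root.iter("certificate"):
        url = cert.get("url")
        if url is not None:
            # URL form: the phone downloads the certificate from this address.
            if urlparse(url).scheme.lower() != "https":
                findings.append("certificate fetched without TLS: " + url)
            continue
        body = cert.text or ""
        if PEM_KEY.search(body):
            findings.append("private key material embedded in the file")
        bodies = PEM_CERT.findall(body)
        if not bodies:
            findings.append("certificate element has neither url nor PEM block")
        for b64 in bodies:
            try:
                # Whitespace-insensitive: handles PEM flattened onto one line.
                der = base64.b64decode("".join(b64.split()), validate=True)
            except binascii.Error:
                findings.append("PEM block is not valid base64")
                continue
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return findings, fingerprints

# Constructed sample inputs (placeholder bytes, not a real certificate or key).
SAMPLE_DER = b"constructed placeholder, not a real DER certificate"
URL_FORM = ('<?xml version="1.0" encoding="utf-8" ?><certificates>'
            '<certificate url="http://192.0.2.10/ca.der" />'
            '<certificate url="https://staging.example/ca.der" /></certificates>')
INLINE_FORM = ('<settings><certificate type="base64"> -----BEGIN CERTIFICATE----- '
               + base64.b64encode(SAMPLE_DER).decode()
               + ' -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- AAAA'
               ' -----END RSA PRIVATE KEY----- </certificate></settings>')

if __name__ == "__main__":
    for name, doc in (("url form", URL_FORM), ("inline form", INLINE_FORM)):
        print(name, audit_staging_config(doc))
```

A finding does not make the file unusable; it marks where the staging step relies on the network and the file store being trusted.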