Situation

Secure endpoint provisioning requires an encrypted HTTP connection (HTTPS) between endpoint and server. For this, our phones ship with a set of well-known, commonly used pre-installed root certificates issued by trusted authorities such as DigiCert, VeriSign, Thawte, and others.

If a customer prefers to use their own self-signed certificate, they can do so by uploading the certificate to the phone. This is typically done in a so-called staging step, prior to the auto-provisioning of the phone.



1. Configuration File

Prepare a small configuration file that contains either download links pointing to where the self-signed certificates are stored, or the base64-encoded certificate pasted in directly.

Link with download path:

<?xml version="1.0" encoding="utf-8" ?>
<certificates>
  <certificate url="http://192.168.1.101/trusted_cert1.DER" />
  <certificate url="http://192.168.1.101/trusted_cert2.DER" />
</certificates>
Certificate within the same file (the certificate body is elided here; the closing `</settings>` tag is required for the file to be well-formed XML):

<?xml version="1.0" encoding="utf-8" ?>
<settings>
  <phone-settings e="2">
    [...]
  </phone-settings>
  <certificate type="base64">
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIBOwIBAAJBAMc+zQeT3PMyH0pJVgGzDTp3V/ILo+90Pbxs/xEqFV4fzdW+YlU2
DE3De+3ZZavIRN4v+7Re4KqFyYwDZo07Nl8CAwEAAQJASqh4kSdRunsEiIR0Ssy5
3zeK57J+6iHnZCx/YwIe4ZZlu2qBHvqQYxawNSaUU9grzLNgEv6FVovkARX5eHDv
OQIhAO6PbFz/rOG7Qg8AIWsR8HIgaph9wMsi9OUHnOGY9WVrAiEA1c+cj/0F0kSf
JK/ZoqdOfdf6G5TJzUvBx2QIK3bJO90CICSptiW0xYULmmNjyb8Cysk/YiJ9cRvH
C4wHV3z0XQJxAiEA0oM89Q/8gVCLGEYDlAACaikR2cIfBwDF5Bl7ab/k1gkCIQDZ
urS1O2EogcYakaU0Y5baGNtQZz2WFvh72XgtoCYRAw==
-----END RSA PRIVATE KEY-----
  </certificate>
</settings>



2. Redirect the phone to the certificate file

  • Make sure the local redirection is set up in a secure environment: in the staging step the configuration file and the certificates are fetched over plain HTTP (as in the example above), before any trust has been established, so whoever controls that download controls which certificate the phone will trust.
  • When the phone boots up, it fetches the file, downloads the self-signed certificate and stores it.
  • On the next boot, it uses the stored self-signed certificate to authenticate the provisioning server it is redirected to.
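As an added example (not code from the original page or from the phone vendor), a small Python helper that writes both forms of the staging file from step 1 and sanity-checks a pasted certificate before it is handed to the phone: it decodes the PEM block, confirms that the outer DER SEQUENCE length matches the blob (a truncated or garbled paste fails this check), and returns a SHA-256 fingerprint to compare against the certificate the provisioning server actually presents. The sample certificate bytes are constructed and are not a real X.509 certificate; the URLs are those of the example above.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

XML_DECL = '<?xml version="1.0" encoding="utf-8" ?>\n'
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and return its DER bytes."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def der_outer_length_ok(der: bytes) -> bool:
    """A certificate is one DER SEQUENCE (tag 0x30) whose encoded length must
    cover exactly the rest of the blob; truncated or padded pastes fail here."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first == len(der)
    n = first & 0x7F                        # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)

def fingerprint_sha256(der: bytes) -> str:
    """Fingerprint to compare with what the provisioning server presents."""
    return hashlib.sha256(der).hexdigest()

def build_url_config(urls) -> str:
    """Staging file that points the phone at downloadable DER certificates."""
    root = ET.Element("certificates")
    for u in urls:
        ET.SubElement(root, "certificate", url=u)
    return XML_DECL + ET.tostring(root, encoding="unicode")

def build_inline_config(pem: str) -> str:
    """Staging file with the PEM pasted in (phone-settings left empty here)."""
    root = ET.Element("settings")
    ET.SubElement(root, "phone-settings", e="2")
    cert = ET.SubElement(root, "certificate", type="base64")
    cert.text = "\n" + pem.strip() + "\n"
    return XML_DECL + ET.tostring(root, encoding="unicode")

# Constructed sample, not a real certificate: a DER SEQUENCE with long-form
# length 0x82 0x01 0x00 (256 bytes of content follow).
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
```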