IP phone should verify the certificate sent by the server to decide whether it is trusted based on the trusted certificates list. The IP phone has 30 built-in trusted certificates. You can upload 10 custom certificates at most. The format of the trusted certificate files must be *.pem, *.cer, *.crt or *.der and the maximum file size is 5MB. For more information on the 30 trusted certificates, refer to Appendix C: Trusted Certificates on page 257.

Server Certificate: When clients request a TLS connection with the IP phone, the IP phone sends the server certificate to the clients for authentication. The IP phone has two types of built-in server certificates: a unique server certificate and a generic server certificate. You can only upload one server certificate to the IP phone. The old server certificate will be overridden by the new one. The format of the server certificate files must be *.pem or *.cer and the maximum file size is 5MB.

- A unique server certificate: It is unique to an IP phone (based on the MAC address) and issued by the Yealink Certificate Authority (CA).
- A generic server certificate: It is issued by the Yealink Certificate Authority (CA). The IP phone may send a generic certificate for authentication only if no unique certificate exists.

The IP phone can authenticate the server certificate based on the trusted certificates list. The trusted certificates list and the server certificates list contain the default and custom certificates. You can specify the type of certificates the IP phone accepts: default certificates, custom certificates or all certificates.

The Common Name Validation feature makes the IP phone validate the common name of the certificate sent by the connecting server. The security verification rules are compliant with RFC 2818.

Note

In the TLS feature, we use the terms trusted certificate and server certificate. These are also known as CA and device certificates.

Resetting the IP phone to factory defaults will delete custom certificates by default, but this behavior is configurable using the configuration files. For more information on the configuration parameter, refer to Transport Layer Security on page 215.

Procedure

Configuration changes can be performed using the configuration files or locally.

Configuration File: .cfg

Configure trusted certificates feature.
Parameters:
security.trust_certificates
security.ca_cert
security.cn_validation

Configure server certificates feature.
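The name check that RFC 2818 describes for the Common Name Validation feature above, written out as an added example (not Yealink firmware code). It covers DNS host names only and assumes a certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the certificates and host names are constructed.

```python
import re

def _label_matches(pattern: str, label: str) -> bool:
    # "*" stands for one or more characters inside a single label, so
    # "*.a.com" matches "foo.a.com" and "f*.com" matches "foo.com".
    regex = ".+".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, label) is not None

def name_matches(pattern: str, host: str) -> bool:
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    # Equal label counts mean a wildcard can never span a dot:
    # "*.a.com" must not match "bar.foo.a.com".
    if "" in h_labels or len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))

def rfc2818_identity_ok(cert: dict, host: str) -> bool:
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        # A dNSName entry, when present, is the identity; the CN is ignored.
        return any(name_matches(n, host) for n in dns_names)
    cns = [v for rdn in cert.get("subject", ()) for key, v in rdn if key == "commonName"]
    # Otherwise fall back to the most specific (last) Common Name.
    return bool(cns) and name_matches(cns[-1], host)

# Constructed certificates, not taken from any real server.
WILDCARD_SAN = {"subject": ((("commonName", "provisioning.example.com"),),),
                "subjectAltName": (("DNS", "*.example.com"),)}
CN_ONLY = {"subject": ((("commonName", "sip.example.com"),),)}
SAN_OVERRIDES_CN = {"subject": ((("commonName", "sip.example.com"),),),
                    "subjectAltName": (("DNS", "other.example.net"),)}

if __name__ == "__main__":
    for cert, host in [(WILDCARD_SAN, "sip.example.com"),
                       (WILDCARD_SAN, "a.b.example.com"),
                       (CN_ONLY, "sip.example.com"),
                       (SAN_OVERRIDES_CN, "sip.example.com")]:
        print(host, rfc2818_identity_ok(cert, host))
```

The last case is the one that surprises people: a matching Common Name does not help once the certificate carries a dNSName entry that names a different host.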