09-29-2020 10:51 AM
Hello,
We noticed that when using secure device profiles for Jabber clients, if a user tries to log in on another PC (another Jabber client), we have to download the CAPF certificate again for the new client. If the user then goes back to the first client, we have to download CAPF again. Every time the user changes PCs/clients, they need CAPF reinstalled. Is this normal? Is there a workaround?
Thanks,
Chuck Reid
09-29-2020 11:08 AM
When the phone interacts with CAPF, the phone authenticates itself to CAPF by using an authentication string, existing MIC or LSC certificate, or “null,” generates its public key and private key pair, and then forwards its public key to the CAPF server in a signed message. The private key remains in the phone and never gets exposed externally. CAPF signs the phone certificate and then sends the certificate back to the phone in a signed message.
09-29-2020 11:13 AM
I reviewed that doc, but I don't see a way to avoid the problem of users logging in to Jabber from multiple PCs. Do you know of a way to mitigate the behavior?
09-29-2020 11:28 AM
That's WAD. Read again; I've highlighted the key points to understand this:
When the phone interacts with CAPF, the phone authenticates itself to CAPF by using an authentication string, existing MIC or LSC certificate, or “null,” generates its public key and private key pair, and then forwards its public key to the CAPF server in a signed message. The private key remains in the phone and never gets exposed externally. CAPF signs the phone certificate and then sends the certificate back to the phone in a signed message.
Above is a 1:1 relationship between CAPF and the device.
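The enrollment flow quoted in the two posts above (device generates its own key pair, sends only the public key in a signed request, CAPF signs and returns a certificate) is easy to replay in code, and doing so shows exactly why a second PC forces a new LSC. The following Go program is an added illustration, not code from the thread or from Cisco; the profile name "CSFCHUCK", the self-signed "CAPF-example" CA and the one-certificate-per-profile map are constructed stand-ins for the real CUCM objects. It generalizes the thread's case slightly by modeling the proof-of-possession check CAPF performs on the signed request.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Device models one endpoint: an IP phone, or one Jabber install on one PC.
// The private key is generated locally and is never handed out by any method.
type Device struct {
	Profile string            // CUCM device profile name (constructed value)
	key     *ecdsa.PrivateKey // stays on the device
}

// NewDevice generates a fresh P-256 key pair, as the endpoint does at enrollment.
func NewDevice(profile string) (*Device, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{Profile: profile, key: key}, nil
}

// EnrollmentRequest is what the endpoint sends to CAPF: only the public key,
// wrapped in a CSR signed with the private key (proof of possession).
func (d *Device) EnrollmentRequest() ([]byte, error) {
	tmpl := x509.CertificateRequest{Subject: pkix.Name{CommonName: d.Profile}}
	return x509.CreateCertificateRequest(rand.Reader, &tmpl, d.key)
}

// Owns reports whether this device holds the private key matching cert,
// which is what a TLS handshake under a secure profile ultimately proves.
func (d *Device) Owns(cert *x509.Certificate) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&d.key.PublicKey)
}

// CAPF models the certificate authority proxy: a CA key plus exactly one
// tracked certificate per device profile (the 1:1 relationship).
type CAPF struct {
	key    *ecdsa.PrivateKey
	cert   *x509.Certificate
	next   int64
	Issued map[string]*x509.Certificate
}

// NewCAPF builds a self-signed CA as a constructed stand-in for the CAPF certificate.
func NewCAPF() (*CAPF, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "CAPF-example"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CAPF{key: key, cert: cert, next: 1, Issued: map[string]*x509.Certificate{}}, nil
}

// Sign verifies the CSR's proof of possession, issues an LSC for the public key
// it carries, and records that LSC as the only one for the profile, replacing
// whatever an earlier enrollment from another PC produced.
func (c *CAPF) Sign(csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR not signed by the key it carries: %w", err)
	}
	c.next++
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(c.next), Subject: csr.Subject,
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, csr.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	c.Issued[csr.Subject.CommonName] = cert // one tracked LSC per profile
	return cert, nil
}

// Scenario replays the thread: one user, one profile, Jabber on two PCs.
// It returns whether each PC's key matches the LSC CAPF currently tracks.
func Scenario() (pc1Matches, pc2Matches bool, err error) {
	capf, err := NewCAPF()
	if err != nil {
		return false, false, err
	}
	for _, pc := range []string{"PC1", "PC2"} {
		dev, e := NewDevice("CSFCHUCK") // same profile, new key on each PC
		if e != nil {
			return false, false, e
		}
		csr, e := dev.EnrollmentRequest()
		if e != nil {
			return false, false, e
		}
		if _, e = capf.Sign(csr); e != nil {
			return false, false, e
		}
		if pc == "PC1" {
			defer func(d *Device) { pc1Matches = d.Owns(capf.Issued["CSFCHUCK"]) }(dev)
		} else {
			pc2Matches = dev.Owns(capf.Issued["CSFCHUCK"])
		}
	}
	return pc1Matches, pc2Matches, nil
}

func main() {
	pc1, pc2, err := Scenario()
	fmt.Println("PC1 key matches tracked LSC:", pc1, "PC2:", pc2, "err:", err)
}
```

After PC2 enrolls, CAPF's record for the profile points at a certificate whose public key PC1 never had, so PC1 cannot complete the handshake and must enroll again (which in turn invalidates PC2). Nothing in the program lets CAPF export PC1's key to PC2, which is why there is no configuration-side workaround for a soft client that roams between machines.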
09-29-2020 11:55 AM
So, does that mean that there is no workaround for users who log into Jabber from more than one client PC?
Any time a user changes which PC they log onto with Jabber, will we need to set CAPF to install a new certificate?
Thanks,
Chuck
09-29-2020 01:57 PM - edited 09-29-2020 01:57 PM
If you wish to use a secure profile, yes: CAPF only tracks one certificate, which was generated by the device when it enrolled, and as explained, the private key the device generated is never exposed. Each time you use a different device, you generate new certificates and new keys valid only for that device.
This is not a problem for IP phones, but this is expected with soft clients.
09-30-2020 07:39 AM
Thanks very much for explaining that to me!