jeboer
Cisco Employee

Phones are traditionally provisioned over TFTP or HTTP. It is better to add a layer of security by enabling HTTP over TLS (known as HTTPS), combined with authentication by either a user ID/password or an encrypted configuration file.


By enabling HTTPS between the phone and the provisioning server, the client can verify the identity of the server. This can be done with a self-signed certificate or with a certificate signed by a well-known root CA. If the server uses a self-signed certificate, the phone will throw an SSL error (as it cannot verify the identity of the certificate). To work around this, the MPP phones support a custom CA rule that allows the customer to install a certificate (chain) on the phone, which is then used to verify the identity of the server.

HTTPS is useful for client/server communication where the client is "anonymous", like a browser visiting cisco.com. From a security point of view it also makes sense to verify the identity of the client (the phone) when it accesses phone services. Don't mistake this authentication (verifying identity) for authorisation (granting access to a resource)! To authenticate in both directions we configure MTLS (Mutual Transport Layer Security) on the provisioning server, so that during the HTTPS handshake both parties verify each other's identity.

 

Version/Changes

0.1 Initial document describing how to set up TLS and MTLS on systems running Apache or Nginx.

 

Create Self Signed Certificate

An easy way to create a self-signed certificate is to use openssl with the following command:

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout my_self_signed_key.key -out my_self_signed_cert.crt


req: tells openssl to create a certificate request (CSR, Certificate Signing Request) for the server's public key following the PKCS#10 standard; combined with -x509 it outputs an X.509 certificate instead

x509: tells openssl to output a self-signed certificate rather than a CSR (Certificate Signing Request)

nodes: the private key is written unencrypted (no passphrase)

days: the number of days the created certificate is valid

newkey: creates a new RSA key with the length given after the colon (4096 bits in the example)

keyout: filename of the key created (can include a path to the key)

out: filename of the signed certificate created

 

Remark: when you create a self-signed certificate in a lab setup (without a DNS/BIND server), use the IP address of the public interface of that server as the name in the certificate; otherwise certificate validation will fail, because the FQDN in the certificate cannot be matched against the IP address the phone connects to.
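The remark above in working form, as an added example that is not part of the original post and not a Cisco tool: a shell script that creates the lab self-signed server certificate with the server's IP address in the subjectAltName and then checks it with openssl verify the way a client that trusts that certificate would (signature chains to the trusted certificate and the address matches). It needs openssl 1.1.1 or newer for -addext. The address 192.168.1.1 is the lab address used later in this post; 10.0.0.5 and the CN-only variant are constructed for the negative cases. openssl matches IP addresses only against the subjectAltName, never against the CN, so a certificate that carries the address in the CN alone is rejected.

```shell
#!/bin/sh
# Added example (not from the original post, not a Cisco tool): build the lab
# self-signed server certificate with the server's IP address in the
# subjectAltName, then check it the way a client that trusts the certificate
# would: the signature chains to the trusted cert AND the IP matches the SAN.
# Needs openssl 1.1.1 or newer (-addext). 192.168.1.1 is the lab address used
# in the post; 10.0.0.5 is a constructed wrong address.
set -eu

WORKDIR="$(mktemp -d)"

# Minimal request config so the example does not depend on the system openssl.cnf;
# the subject is always overridden with -subj below.
cat > "$WORKDIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# $1 = output prefix, $2 = CN, $3 = IP for the subjectAltName (empty = no SAN).
make_self_signed() {
    prefix="$1"; cn="$2"; ip="${3:-}"
    if [ -n "$ip" ]; then
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 -config "$WORKDIR/req.cnf" \
            -subj "/CN=$cn" -addext "subjectAltName=IP:$ip" \
            -keyout "$prefix.key" -out "$prefix.crt" 2>/dev/null
    else
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 -config "$WORKDIR/req.cnf" \
            -subj "/CN=$cn" -keyout "$prefix.key" -out "$prefix.crt" 2>/dev/null
    fi
}

# $1 = certificate (also used as the trust anchor, like a custom CA installed on
# the phone), $2 = IP address the client connects to. Exit status 0 = accepted.
verify_for_ip() {
    openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

make_self_signed "$WORKDIR/with_san" 192.168.1.1 192.168.1.1
make_self_signed "$WORKDIR/cn_only"  192.168.1.1        # address in the CN only

for name in with_san cn_only; do
    if verify_for_ip "$WORKDIR/$name.crt" 192.168.1.1; then
        echo "$name.crt: accepted for 192.168.1.1"
    else
        echo "$name.crt: rejected for 192.168.1.1"
    fi
done
# Expected: with_san.crt accepted, cn_only.crt rejected (IP matching uses the
# subjectAltName only), and with_san.crt rejected for any other address.
```

Run it as-is; the two certificates and keys land in a fresh temporary directory, so nothing on the server is touched. To inspect what the phone will see, print the certificate with openssl x509 -in with_san.crt -noout -text and look for the "IP Address:" entry under X509v3 Subject Alternative Name.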

 

Other preparation

Log in to EDOS (Cisco redirect service) and download the combined certificate chain.

 

Apache

The basic steps to enable TLS (HTTPS). The additional configuration for MTLS consists of the client-certificate directives (SSLCACertificateFile, SSLVerifyClient and SSLVerifyDepth).

 

  • First make sure the certificates and the key are in the right location.
    Copy the certificates to /etc/ssl/certs. Do this for both certificates (the self-signed certificate just created and the certificate downloaded from EDOS). The /etc/ssl/certs directory is normally already available on the server.
    • sudo cp *.crt /etc/ssl/certs/
  • Create a directory for the private key, /etc/ssl/private
    • sudo mkdir /etc/ssl/private
  • Limit access to the directory containing the private key so that only the owner/creator can access it
    • sudo chmod 700 /etc/ssl/private
  • Copy the private key to the newly created directory
    • sudo cp *.key /etc/ssl/private/
  • Create an ssl.conf file in the directory containing the other Apache (httpd) configuration files (/etc/httpd/conf.d/)
    • cd /etc/httpd/conf.d
    • sudo touch /etc/httpd/conf.d/ssl.conf
    • sudo vi /etc/httpd/conf.d/ssl.conf
  • Add/change the following lines in ssl.conf
    • Go to the virtual host section <VirtualHost _default_:443> in the file

# un-comment the following lines and change them to the directory containing the files for the phones:
DocumentRoot "/var/www/html"

# ServerName my_server_ip_address
ServerName 192.168.1.1:443

# change the following lines to point to your certificates

# location of the server certificate
SSLCertificateFile /etc/ssl/certs/my_self_signed_cert.crt

# location of the server key
SSLCertificateKeyFile /etc/ssl/private/my_self_signed_key.key

# MTLS: location of the certificate chain used for verifying the client identity
SSLCACertificateFile /etc/ssl/certs/combinedcaBE.crt

# MTLS: turn on the verification of the client certificate
SSLVerifyClient require

# MTLS: set the depth to which the certificate chain is used to verify the clients
SSLVerifyDepth 3

# the rest of the configuration can be kept default.

 

  • Before starting/restarting Apache, verify the configuration with the following command:
    • sudo apachectl configtest

 

Nginx

The basic steps to enable TLS (HTTPS). The additional configuration for MTLS consists of the client-certificate directives (ssl_client_certificate, ssl_verify_client and ssl_verify_depth).

 

  • First make sure the certificates and the key are in the right location.
    Copy the certificates to /etc/ssl/certs. Do this for both certificates (the self-signed certificate just created and the certificate downloaded from EDOS). The /etc/ssl/certs directory is normally already available on the server.
    • sudo cp *.crt /etc/ssl/certs/
  • Create a directory for the private key, /etc/ssl/private
    • sudo mkdir /etc/ssl/private
  • Limit access to the directory containing the private key so that only the owner/creator can access it
    • sudo chmod 700 /etc/ssl/private
  • Copy the private key to the newly created directory
    • sudo cp *.key /etc/ssl/private/
  • Create an ssl.conf file in the directory containing the other Nginx configuration files (/etc/nginx/conf.d/)
    • cd /etc/nginx/conf.d
    • sudo touch /etc/nginx/conf.d/ssl.conf
    • sudo vi /etc/nginx/conf.d/ssl.conf
  • Add/change the following lines in ssl.conf

server {
   # tells the server to listen on port 443 for https
   listen 443 http2 ssl;

   # server_name 192.168.1.1
   server_name my_server_ip_address;

   # location of the server certificate
   ssl_certificate /etc/ssl/certs/my_self_signed_cert.crt;

   # location of the server key
   ssl_certificate_key /etc/ssl/private/my_self_signed_key.key;

   # MTLS: location of the certificate chain used for verifying the client identity
   ssl_client_certificate /etc/ssl/certs/combinedcaBE.crt;

   # MTLS: turn on the verification of the client certificate
   ssl_verify_client on;

   # MTLS: set the depth to which the certificate chain is used to verify the clients
   ssl_verify_depth 3;

   # protocols accepted
   ssl_protocols TLSv1.2 TLSv1.1;

   # prefer server ciphers above client cipher proposals
   ssl_prefer_server_ciphers on;

   # the list of enabled ciphers depends on the version of openssl installed on the server;
   # use "openssl ciphers" to get a full list of supported ciphers
   ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

   # time the client can reuse the session parameters
   ssl_session_timeout 5m;

   location / {
      root /path_to_your_files/;
   }
}

 

  • Before starting/reloading the nginx server, issue sudo nginx -t to verify the configuration files.
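For both the Apache and the Nginx configuration above, the following added example (not from the original post, not a Cisco tool) reproduces offline the trust decision behind SSLCACertificateFile / SSLVerifyClient require / SSLVerifyDepth and ssl_client_certificate / ssl_verify_client on / ssl_verify_depth: a phone's client certificate is accepted only when it chains to a CA in the configured file within the allowed depth. The root CA, issuing CA, phone certificate and the unrelated CA are toy material constructed by the script; the concatenated CA file stands in for combinedcaBE.crt and is not the real EDOS chain. It needs openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce offline the client
# certificate decision Apache (SSLCACertificateFile, SSLVerifyClient require,
# SSLVerifyDepth) and Nginx (ssl_client_certificate, ssl_verify_client on,
# ssl_verify_depth) make during the MTLS handshake. All CAs and certificates
# below are constructed toy material, not Cisco's EDOS chain. Needs openssl 1.1.1+.
set -eu

WORKDIR="$(mktemp -d)"

# One config file with the two extension profiles used below.
cat > "$WORKDIR/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[phone_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# Self-signed root CA. $1 = output prefix, $2 = CN.
make_root() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -config "$WORKDIR/ext.cnf" \
        -extensions ca_ext -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# CSR signed by a CA. $1 = CA prefix, $2 = output prefix, $3 = CN, $4 = extension section.
issue() {
    openssl req -new -nodes -newkey rsa:2048 -config "$WORKDIR/ext.cnf" -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -extfile "$WORKDIR/ext.cnf" -extensions "$4" -out "$2.crt" 2>/dev/null
}

# The server's decision: does the presented client certificate ($3) chain to a CA
# in the configured file ($1) within the depth ($2), and is it usable as a TLS
# client certificate? Exit status 0 = handshake continues, non-zero = refused.
server_accepts_client() {
    openssl verify -CAfile "$1" -verify_depth "$2" -purpose sslclient "$3" >/dev/null 2>&1
}

make_root "$WORKDIR/root"  "Lab Phone Root CA"
issue "$WORKDIR/root"  "$WORKDIR/inter"    "Lab Phone Issuing CA" ca_ext
issue "$WORKDIR/inter" "$WORKDIR/phone"    "SEP001122334455"      phone_ext   # constructed MAC-style CN
make_root "$WORKDIR/rogue" "Unrelated CA"
issue "$WORKDIR/rogue" "$WORKDIR/impostor" "SEP001122334455"      phone_ext   # same name, wrong issuer

# Stand-in for combinedcaBE.crt: every CA the server should trust, concatenated.
cat "$WORKDIR/root.crt" "$WORKDIR/inter.crt" > "$WORKDIR/combined_ca.crt"

for c in phone impostor; do
    if server_accepts_client "$WORKDIR/combined_ca.crt" 3 "$WORKDIR/$c.crt"; then
        echo "$c.crt: accepted"      # phone.crt chains to the issuing CA
    else
        echo "$c.crt: rejected"      # impostor.crt has no path to a trusted CA
    fi
done
# With only the root in the CA file and no intermediate available, the chain
# cannot be built and the very same phone.crt is rejected as well.
```

The last point is the one that bites in practice: if the phones' certificates are issued by an intermediate and the server's CA file holds only the root, verification fails unless the intermediate is part of the file or is sent by the client, which is why the post asks for the combined chain from EDOS rather than a single root certificate. The same openssl verify call, pointed at the real CA file and a certificate exported from a phone, is a quick way to check a server's CA file before touching the web server configuration.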

 

Broadsoft

To be added at a later stage.

Links to resources
