02-07-2011 08:16 AM - edited 03-16-2019 03:18 AM
Our security group is asking me for the certificates used to encrypt the RTP between phones in our secure cluster. I'm looking under "System --> Security --> Certificates" in CUCM but am confused by all the certs there. Which certs are used for the actual encryption in a phone call between two secured IP phones? I've attached a screenshot as well of the certs in my CUCM.
Thanks!
02-11-2011 07:39 AM
Here is a good document which explains this. There is also a good checklist. This is the document for CUCM 7.1.2, and it has not changed much in other versions. You will need to install a CTL client and run it with the USB keys you will need to purchase; it will then install a certificate which CUCM uses.
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/7_1_2/secugd/secuphne.html
Basically, the Cisco Unified Communications Manager installation creates a self-signed certificate on the Cisco Unified Communications Manager and TFTP server. You may also choose to use a third-party, CA-signed certificate for Cisco Unified Communications Manager instead of the self-signed certificate. After you configure authentication, Cisco Unified Communications Manager uses the certificate to authenticate with supported Cisco Unified IP Phones. After a certificate exists on the Cisco Unified Communications Manager and TFTP server, Cisco Unified Communications Manager does not reissue the certificates during each Cisco Unified Communications Manager upgrade. You must create a new CTL file with the new certificate entries.
CAPF cert info is here:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/7_1_2/secugd/secucapf.html#wpxref62370
Thanks.
02-12-2011 07:13 PM
The Locally Significant Certificate (LSC) or Manufacturer Installed Certificate (MIC); however, the LSC is recommended. The LSCs are not on the call manager under certificate management on the operating system (OS) Administration page. The only cert that is used to pass the LSC to the phone is the CAPF, to secure the channel to pass the LSC, and the phone gets its CAPF cert from the CTL file. If you're using MICs on the phone then the CiscoManufacturingCA on the OS administration page is the root certificate for what the phones are using.
02-17-2011 12:54 PM
We are using LSC on our phones. How can I get a copy of the LSC that the phones are using if I can't get it off of CUCM?
Thanks, Jeff
02-17-2011 02:43 PM
You have to go to the CCMAdmin page, Device > Phone, and find the phone you are interested in looking at the LSC for. Change the section for CAPF Operation from "No Operation Pending" to "Install Upgrade" and click Save. Reset the phone after this and then the certificate should be in the trace location for CAPF. Using RTMT you can do a Collect Files and then a Remote Browse for the Cisco Certificate Authority Proxy Function. In that directory you'll see a file named with the phone's MAC address; that's the certificate you can view.
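Once the security group has the per-phone certificate file from the CAPF trace directory, the two things they usually want to confirm are the certificate's identity fields and that it really chains to the cluster's CAPF certificate. The script below is an added example, not from this thread or from Cisco; it assumes openssl is installed, accepts the file in either PEM or DER form, and builds its own constructed "CAPF-demo" CA and phone certificate so it runs offline.

```shell
#!/bin/sh
# Added example: inspect a phone certificate pulled from the CAPF trace
# directory and check that it was issued by the CAPF certificate.
# Assumes openssl is on PATH; all names and paths below are constructed.
set -eu

# Normalise to PEM whether the file was saved as PEM or DER.
to_pem() {
  if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
    cat "$1"
  else
    openssl x509 -in "$1" -inform DER
  fi
}

# Print the fields a security reviewer usually asks for.
inspect_phone_cert() {
  to_pem "$1" | openssl x509 -noout -subject -issuer -dates -fingerprint -sha256
}

# Return 0 only if the phone cert verifies against the given CAPF (CA) cert.
issued_by_capf() {   # $1 = phone cert file, $2 = CAPF cert file (PEM)
  to_pem "$1" | openssl verify -CAfile "$2" >/dev/null 2>&1
}

# Constructed demo material so the functions can be exercised offline.
make_demo() {
  d=$(mktemp -d)
  # stand-in for the cluster CAPF certificate (self-signed CA)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/capf.key" -out "$d/capf.pem" \
    -subj "/CN=CAPF-demo" -days 365 >/dev/null 2>&1
  # constructed phone LSC; subject mirrors the MAC-named file in the CAPF directory
  openssl req -newkey rsa:2048 -nodes -keyout "$d/phone.key" -out "$d/phone.csr" \
    -subj "/CN=SEP001122334455" >/dev/null 2>&1
  openssl x509 -req -in "$d/phone.csr" -CA "$d/capf.pem" -CAkey "$d/capf.key" \
    -CAcreateserial -out "$d/phone.pem" -days 365 >/dev/null 2>&1
  openssl x509 -in "$d/phone.pem" -outform DER -out "$d/phone.der"
  # an unrelated CA, to show that a cert from elsewhere is rejected
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/other.key" -out "$d/other.pem" \
    -subj "/CN=Other-CA" -days 365 >/dev/null 2>&1
  echo "$d"
}
```

Point `inspect_phone_cert` at the real MAC-named file from the CAPF directory and `issued_by_capf` at that file plus the CAPF certificate exported from the OS Administration page to run the same checks against a production phone.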