Certificates Used for Secure RTP

jmunoz19
Level 4

Our security group is asking me for the certificates used to encrypt the RTP between phones in our secure cluster.  I'm looking under "System --> Security --> Certificates" in CUCM but am confused by all the certs there.  Which certs are used for the actual encryption in a phone call between two secured IP phones?  I've attached a screenshot as well of the certs in my CUCM.

Thanks!


4 Replies

cchagnon
Level 1

Here is a good document which explains this. There is also a good checklist. This is the document for CUCM 7.1.2, which has not changed much in other versions. You will need to install a CTL client and run that with the USB keys you will need to purchase; it will then install a certificate which CUCM uses.

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/7_1_2/secugd/secuphne.html

Basically, the Cisco Unified Communications Manager installation creates a self-signed certificate on the Cisco Unified Communications Manager and TFTP server. You may also choose to use a third-party, CA-signed certificate for Cisco Unified Communications Manager instead of the self-signed certificate. After you configure authentication, Cisco Unified Communications Manager uses the certificate to authenticate with supported Cisco Unified IP Phones. After a certificate exists on the Cisco Unified Communications Manager and TFTP server, Cisco Unified Communications Manager does not reissue the certificates during each Cisco Unified Communications Manager upgrade. You must create a new CTL file with the new certificate entries.

CAPF certs info is here:

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/7_1_2/secugd/secucapf.html#wpxref62370

thanks

The Locally Significant Certificate (LSC) or Manufacturer Installed Certificate (MIC); however, the LSC is recommended. The LSCs are not on the Call Manager under Certificate Management on the Operating System (OS) Administration page. The only cert that is used to pass the LSC to the phone is the CAPF, which secures the channel used to pass the LSC, and the phone gets its CAPF cert from the CTL file. If you're using MICs on the phone, then the CiscoManufacturingCA on the OS Administration page is the root certificate for what the phones are using.

We are using LSC on our phones.  How can I get a copy of the LSC that the phones are using if I can't get it off of CUCM?

Thanks, Jeff

You have to go to the CCMAdmin page, Device > Phone, and find the phone you are interested in looking at the LSC for. Change the section for CAPF Operation from "No Operation Pending" to "Install Upgrade" and click Save. Reset the phone after this, and then the certificate should be in the trace location for CAPF. Using RTMT you can do a Collect Files and then a Remote Browse for the Cisco Certificate Authority Proxy Function. In that directory you'll see a file with the phone's MAC address; that's the certificate you can view.
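As an added example (not from this thread or from Cisco), assuming you have pulled the MAC-named certificate file from the CAPF trace directory as described above: this Go program reads that DER file and reports whether the phone certificate chains to the CAPF certificate (so it is an LSC issued by CAPF) or to the manufacturing root (so it is a MIC), which is the distinction the answer draws. The CAPF and manufacturing root certificates here are constructed stand-ins, as is the phone's LSC; on a real cluster you would load the actual CAPF and CiscoManufacturingCA certificates and the collected phone file instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a constructed stand-in certificate (not a real Cisco cert): nil parent = self-signed CA.
func makeCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	signer, signerKey := parent, parentKey
	if parent == nil { // no issuer given: make a self-signed CA (stand-in for CAPF or a manufacturing root)
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ClassifyPhoneCert takes the DER bytes of the MAC-named file from the CAPF trace directory and returns "LSC", "MIC", "unknown" or "unparseable".
func ClassifyPhoneCert(phoneDER []byte, capf, mfgRoot *x509.Certificate) string {
	phone, err := x509.ParseCertificate(phoneDER)
	if err != nil {
		return "unparseable"
	}
	for kind, root := range map[string]*x509.Certificate{"LSC": capf, "MIC": mfgRoot} {
		pool := x509.NewCertPool() // trust exactly one root at a time so the answer is unambiguous
		pool.AddCert(root)
		if _, err := phone.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err == nil {
			return kind
		}
	}
	return "unknown"
}

func main() {
	capf, capfKey := makeCert("CAPF-test", nil, nil) // constructed stand-in for the CAPF certificate
	mfg, _ := makeCert("Manufacturing-root-test", nil, nil)
	lsc, _ := makeCert("SEP001122334455", capf, capfKey) // constructed LSC for one phone
	fmt.Println("issuer:", lsc.Issuer.CommonName, "kind:", ClassifyPhoneCert(lsc.Raw, capf, mfg))
}
```

If CAPF was configured to proxy enrollment to an external CA, the LSC chains to that CA rather than to the CAPF certificate, so pass that CA's certificate as the first root instead.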
