Digital Certificates on IP Phones

Grayson Wells
Level 1

The Cisco documentation shows how to set up the CUCM to generate LSCs for the phones and distribute them. I assume that I can then export the root certificate from the CUCM and import it into my RADIUS server to allow the RADIUS server to authenticate the phones. My question then becomes this: how can I get certificates from my local certificate authority on the phone? Can the CUCM act as a true certificate authority PROXY? Instead of just generating the certificate on the CUCM, can it generate a request on behalf of a phone and just ask our CA for a certificate?

8 Replies

Jonathan Schulenberg
Hall of Fame

CAPF stands for Certificate Authority Proxy Function. The CAPF service generates LSCs for the phones and acts as a Certificate Authority. It is even supported to issue a subordinate CA role certificate to the CAPF service which would provide an intact certificate chain all the way down to the phone.

The only way you can get the phone's public key is to access the web interface of the phone; however, this should not be necessary. You can give the CAPF certificate (auto-generated or enterprise PKI sourced) to your AAA server.

PS: The CAPF-trust store includes the public keys for all of the MICs as well. There is a supported design where you can authenticate the phone using the MIC first and provide a dynamic ACL to allow it on the network only for CAPF enrollment. Once the phone has an LSC it can authenticate with that and get normal network access.

When you say "It is even supported to issue a subordinate CA role certificate to the CAPF service which would provide an intact certificate chain all the way down to the phone", does that mean the CAPF service of the CUCM can act as a subordinate to our domain CA and issue certificates to the phone based on our CA?

Yes. You would do a CSR for the CAPF service and assign it a subordinate CA certificate template when issuing the cert. CAPF would perform exactly the same; however, now the certificate it's using to issue LSCs to the phone is signed by your root CA.

This is something you should prove out in a lab first. It took me a while - and several failed attempts - to get this working correctly.

Also don't forget that changing the CAPF cert on an existing cluster has several implications. Namely you need to ensure the old cert remains in the CAPF and CCM trust stores if phones were issued certificates and that the CTL is updated to include the new cert.
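The root CA -> CAPF (subordinate CA) -> phone LSC chain described above, and the trust-path consequence of the last point, modelled with openssl as an added lab example; this is not the thread's or Cisco's own procedure, and every subject, file name and the SEP<MAC> phone name is constructed.

```shell
#!/bin/sh
# Added lab model (not from the thread): enterprise root CA -> CAPF signed from a
# subordinate-CA profile -> phone LSC, then verified the way an AAA/RADIUS server
# that trusts only the enterprise root would verify it. All names are constructed.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

build_lab_pki() {
  # Extension profiles: CAPF needs CA:TRUE (the "subordinate CA template");
  # the phone LSC is an end-entity certificate used for client (EAP-TLS) auth.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > ee.ext

  # 1. Self-signed enterprise root CA (constructed trust anchor)
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj '/CN=Example Enterprise Root CA' >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 365 \
    -extfile ca.ext >/dev/null 2>&1
  # 2. CSR for the CAPF service, issued by the root with the CA profile
  openssl req -new -newkey rsa:2048 -nodes -keyout capf.key -out capf.csr \
    -subj '/CN=CAPF-example-cluster' >/dev/null 2>&1
  openssl x509 -req -in capf.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out capf.pem -days 365 -extfile ca.ext >/dev/null 2>&1
  # 3. Phone CSR signed by CAPF: the shape of an LSC in this design
  openssl req -new -newkey rsa:2048 -nodes -keyout phone.key -out phone.csr \
    -subj '/CN=SEP001122334455' >/dev/null 2>&1
  openssl x509 -req -in phone.csr -CA capf.pem -CAkey capf.key -CAcreateserial \
    -out phone.pem -days 365 -extfile ee.ext >/dev/null 2>&1
}

# verify_lsc ANCHOR INTERMEDIATE LEAF: exit 0 when LEAF chains to ANCHOR.
# Pass "" as INTERMEDIATE to model a trust path that lacks the CAPF certificate.
verify_lsc() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
  fi
}

build_lab_pki
if verify_lsc root.pem capf.pem phone.pem; then
  echo "phone LSC chains to the enterprise root through CAPF"
fi
if ! verify_lsc root.pem "" phone.pem; then
  echo "without the CAPF certificate in the trust path the same LSC is rejected"
fi
```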

Jonathan,

In your lab, when you signed the CSR (Certificate Signing Request) for the CAPF (Certificate Authority Proxy Function) service using the third-party CA had you already signed the CTL (Certificate Trust List) file using the KEY-CCM-ADMIN-K9 tokens or did you just leverage the Cisco MIC (Manufacturers Installed Certificate)?

-Steven

Please help us make the communities better. Rate helpful posts!

I had not yet run the CTL client to sign and upload the CTL file. That was done after I had all of the certificates properly installed. If you already have your cluster deployed in mixed mode you would need to update the CTL file using the CTL client to include the new CAPF server certificate.

I am beginning to think that I need to get much more spun up on this part of the CUCM configuration before I do this. We do have a cluster I can use for testing, but I am not really following what you guys are saying. I don't see where to create a template for generating a certificate request and sending it to the CA. I don't even see where to configure the CUCM to talk to a CA.

Robert,

The certificate work is all done under the OS Administration site. I would support your assertion and suggest you definitely get comfortable with it in a lab environment before deploying to production.

You can find more information about the certificates and the security of CUCM in the following manuals:

OS Admin Guide: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/cucos/8_5_1/cucos/osg_851_cm.html

Security Guide: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_5_1/secugd/sec-851-cm.html (partner link: http://www.cisco.com/en/US/partner/docs/voice_ip_comm/cucm/security/8_5_1/secugd/sec-851-cm.html)

-Steven

Please help us make the communities better. Rate helpful posts!

I haven't read everything in the security guide, but I have read the OS Admin guide and it really just seems to skip over things. It seems like a bare bones guide that doesn't actually explain the system. I will look through the security guide more though.