cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
15613
Views
25
Helpful
14
Replies

ITL,CTL and Certificate

JustForVoice_2
Level 4
Level 4

Hello,

Can you help me by describing in a simple words the difference between:

ITL files

CTL

Certficates

Regards,

14 Replies 14

Jitender Bhandari
Cisco Employee
Cisco Employee

Hi,

ITL -> ITL (Initial Trust List) is basically authentication mechanism.

CTL -> is your encryption Signaling and media

See below.

https://supportforums.cisco.com/document/60716/migrating-ip-phones-between-clusters-cucm-8-and-itl-files

https://supportforums.cisco.com/document/30501/cucm-uploading-ccmadmin-web-gui-certificates

https://supportforums.cisco.com/document/91906/high-level-view-certificates-cucm#Self-Signed_Certificates_vs_3rd_Party_Certificate_Authorities

https://supportforums.cisco.com/document/68701/communications-manager-security-default-and-itl-operation-and-troubleshooting

(Rate if it helps)

JB

thank you for your support,

what is the difference between CTL and Certificates?

As per my knowledge, in SSL connection certificates are required in order to create an encrypted connection. where certificate contains the public key.

CTL it has key also. Am I right?

Hi

CTL required certificate that's correct, but there is no such difference.

Yes but you can have 

CUCM Mixed Mode with Token that needs to be requested from cisco

OR

CUCM Mixed Mode with Tokenless CTL

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118893-technote-cucm-00.html

(Rate if it helps)

JB

In case I used Mixed mode (tokenless), do I need to use certificates? Is there any role for the certificate in this case?

I believe CUCM will create the CTL and distribute it to the phones.

Hi,

So if i understand you correctly you don't have to install \ upload any certificate, once you switch to Tokenless Mixed-mode with CLI command "utils ctl set-cluster mixed-mode" the CTL file is signed with the CCM+TFTP (server) certificate of the Publisher node, and there are no eToken certificates present in the CTL file. And is then requested by phones when they reboot.

Let me know if this answers your question.

(Rate if it helps)

JB

Thank you for your support.

I think you answered my question. Just to make sure, I want to know if I need any third party certificate or third party system (like Microsoft CA) to enable encryption in my Cisco environment.

As per my understanding, CUCM creates, distribute CTL and no need to buy certificates or to use MS CA.

Am I right?

Hi,

you are right no addition CA \ 3rd party certificate required for tokenless CTL, just your CUCM version should be 10.0(1) or later.

Don't forget to mark the post as answered if you don't have further question

Happy to help

JB

Still I have :)

Regarding video endpoints like MX and DX, Do they use CTL?

In other words, do I need to use 3rd party certificate of CA to enable encryption in video calls?

yes they do use the CTL file.

it will download the CTL file from the CUCM only.

It depends whether your call manager is using the 3rd party CA or not.

Thank you Jitender and Prasad for your support.

In general what is the relation between CTL and Certificates?

Hi,

Can you elaborate on your query.

Are you looking for how CTL files are signed when we enable mixed-mode?

JB

As per the previous posts:

"3rd party certificate or CA assigned certificates are not mandatory for this process, you can optionally have it if required."

"It depends whether your call manager is using the 3rd party CA or not."

While the phones and video endpoints do not need certificates for encryption, what is the deference between using certificates:

  • CA signed
  • 3rd party certificates

Hi

Both self-signed and CA signed certificates provide encryption for data in motion. A CA-signed certificate also provides authentication - a level of assurance that the site is what it reports to be, and not an impostor website. 

The primary operational difference between a self-signed certificate and a CA certificate is that with self-signed, a browser will generally give some type of error, warning that the certificate is not issued by a CA. 

Read below

https://support.kemptechnologies.com/hc/en-us/articles/202138325-Difference-between-a-self-signed-certificate-and-a-CA-signed-certificate

Some Cisco specific videos explaining certificates

https://www.youtube.com/watch?v=RkSoHQt5Oyo

https://www.youtube.com/watch?v=FIqh3rSIUmA

(Rate if it helps)

JB

Hi,

Both DX and MX point support CTL, no issues there.

3rd party certificate or CA assigned certificates are not mandatory for this process, you can optionally have it if required.

(Rate if it helps)

JB

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: