Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
512
Views
0
Helpful
2
Replies

MIC LSC CTL confusion -2

Yan Tian
Level 1
Level 1

‎04-06-2015 03:27 AM - edited ‎03-17-2019 02:33 AM

Hi team,

I have reviewed tons of Security related docs both on cisco.com & supportforums.cisco.com. However, all docs are not comprehensive enough to clear my confusion. I even posted a thread here to seek help (MIC LSC CTL confusion), however, confusion still not completely cleared.

Q1: Using Cisco Unified Communications Manager (with USB Tokens)

Above URL states: "When downloading a new CTL file, the Cisco IP phone verifies the new CTL signature using the certificates in its CTL file. If no CTL file is present, then the new CTL is not trusted by the Cisco IP phone." then I am wondering how can CTL file be initially installed when there is not old CTL file on the IP Phones?

Q2: How (use existing MICs and sign it using CAPF private key?) and when (generated when phone requests LSC?) is the LSC generated for a specific phone? What exactly are contained in the LSC?

 

Q3: Phone download LSC through TFTP or TLS connection to CAPF process on TCP port 3804 ?

 

Q4: After Phone install LSC, MICs will not be useful anymore ?

 

Labels:
0 Helpful
2 Replies 2

George Thomas
Level 10
Level 10

‎04-06-2015 12:49 PM

A1: You can install the new certificates by changing settings under the"Certification Authority Proxy Function (CAPF) Information" section of each phone. Change the operation to "Install/Upgrade" and use one of the 3 options available. 

A2: LSC is generated for each and every phone in your system and is unique to that. 

A3: Correct.

A4: MICs will still remain but not used. If you factory reset the phone, the MIC will be present. 

Please rate useful posts.
0 Helpful

Yan Tian
Level 1
Level 1
In response to George Thomas

‎04-06-2015 08:00 PM

Hi George,

Thanks for your reply. However, I am not convinced by you reply.

Q1: the New CTL file are signed by the 2 USB token private key. If there is no old CTL file on phone, how can phone decide whether he should trust the USB token certificate in the new CTL file. Docs say Old CTL is required to decide whether phone should trust the certificates on the new CTL file. So, My query is when there is no old CTL file on phone, how can phone trust the new CTL file and thereby install it ?

Q2: I know that LSC is generated for each phone uniquely. But My query is how and when exactly they are generated? for example, use which info and signed by which private key  etc..

Q3: Are you saying that LSC is downloaded via TFTP ?

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents