I have reviewed tons of security-related docs both on cisco.com and supportforums.cisco.com. However, none of the docs are comprehensive enough to clear my confusion. I even posted a thread here to seek help (MIC LSC CTL confusion); however, my confusion is still not completely cleared.
Q1: The above URL states: "When downloading a new CTL file, the Cisco IP phone verifies the new CTL signature using the certificates in its CTL file. If no CTL file is present, then the new CTL is not trusted by the Cisco IP phone." So I am wondering how the CTL file can be initially installed when there is no old CTL file on the IP phone?
Q2: How (use the existing MIC and sign it using the CAPF private key?) and when (generated when the phone requests an LSC?) is the LSC generated for a specific phone? What exactly is contained in the LSC?
Q3: Does the phone download the LSC through TFTP, or over a TLS connection to the CAPF process on TCP port 3804?
Q4: After the phone installs the LSC, will the MIC no longer be useful?
A1: You can install the new certificates by changing settings under the "Certification Authority Proxy Function (CAPF) Information" section of each phone. Change the operation to "Install/Upgrade" and use one of the 3 options available.
A2: An LSC is generated for each and every phone in your system and is unique to that phone.
A4: MICs will still remain but are not used. If you factory reset the phone, the MIC will be present.
Thanks for your reply. However, I am not convinced by your reply.
Q1: The new CTL file is signed by the private keys of the 2 USB tokens. If there is no old CTL file on the phone, how can the phone decide whether it should trust the USB token certificates in the new CTL file? The docs say the old CTL is required to decide whether the phone should trust the certificates in the new CTL file. So, my query is: when there is no old CTL file on the phone, how can the phone trust the new CTL file and thereby install it?
Q2: I know that the LSC is generated uniquely for each phone. But my query is how and when exactly they are generated? For example, using which info, and signed by which private key, etc.
Q3: Are you saying that the LSC is downloaded via TFTP?