
Trusted Root Stores - Voip Devices - Certificates - PKI

Tritium11
Level 1

Hi Everyone,

 

I had a question about what certificates or trust stores to use. I am not well versed in certificates so I am hoping someone here can clarify things or point me to some documentation. 

 

We use Cisco's VoIP phones and ATAs that use the multiplatform firmware. I found the PKI site that has a lot of different certificates and it looks like the Trust Stores are bundles of certificates. Listed here: https://www.cisco.com/security/pki/

 

Is there any documentation as to which certs or cert bundles encompass Cisco's VoIP products? I have an ATA191 that we found needs the Cisco Manufacturing CA (cmca2) cert and the Cisco Root CA M2 (crcam2) cert to be loaded in the browser. But I do not know if this is ideal or will be valid for other hardware.

 

I see that there are 3 different trusted root stores: Core, Union and External, but I do not know what this means. If anyone can clarify, that would be great.

 

3 Replies

Geovani
Cisco Employee

Hi there, 

Please download the Client Root Certificates bundle from CDA https://software.cisco.com/software/cda/home

Hi Geovani,

 

Thank you for that link. I registered as certificate manager and downloaded the Combined Client root certificate for SPA phones, ATAs and CP-78xxx-3PCC/CP-88xx-3pcc phone.

 

I removed the Cisco Manufacturing CA (cmca2) cert and the Cisco Root CA M2 (crcam2) certs and installed the Combined Client root certificate.

 

Then tried to hit the webpage of a Cisco ATA 19X and it didn't work. What am I missing?

Geovani
Cisco Employee

Hi, 

What are you trying to achieve? Sign the ATA client certificate? So when you log in using HTTPS you won't get a cert trust error?

If that's the case, then it won't work. The ATA or any other MPP devices do not support that yet.

Thanks 

Geovani