cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6028
Views
10
Helpful
3
Comments
Dan Lukes
VIP Alumni
VIP Alumni

This document is attempt to recreate content of original document created by famous @Patrick Born. Cisco has considered to destroy such valuable document for an unknown reason.


Cisco SPA series phones and ATAs can use certificate-authenticated HTTPS (SSL) sessions to ensure secure provisioning. For a provisioning server to be acceptable to the SPA phone or ATA, the server must present a certificate signed by Cisco's Certificate Authority (CA).

 

Over the years, we have added certificate authorities (CA) as needed and for administrative reasons.

 

If your SPA1xx or SPA232D ATA or SPA5xx IP Phone is running current or newer firmware, 1.3.3 or 7.5.6 respectively, use the newer "Cisco 2k Small Business CA" even though you could use any of the older CAs.

 

A HTTPS server used for device provisioning must use a certificate signed by the appropriate CA for the device.

To obtain this certificate, you must submit a certificate signing request (CSR) by following the CSR instructions.

When submitting the CSR, you must list the device types that you want to provision so we know what certificates to generate for you.

Following is a list to help you identify the appropriate CA associated with your device:

  • Cisco 2k Small Business CA:
    • SPA1xx firmware 1.3.3 and newer
      (SPA112 and SPA122)
    • SPA232D firmware 1.3.3 and newer
    • SPA5xx firmware 7.5.6 and newer
      (SPA501G, SPA502G, SPA504G, SPA508G, SPA509G, SPA512G, SPA514G, SPA525G, and SPA525G2)
  • Cisco Small Business (SB) CA:
    • SPA1xx (SPA112 and SPA122)
    • SPA232D
    • SPA3xx (SPA301 and SPA303)
    • SPA5xx (SPA501G, SPA502G, SPA504G, SPA508G, SPA509G, SPA512G, SPA514G, SPA525G, and SPA525G2)
    • SRP5xx (SRP521 and SRP541)
  • Linksys CA:
    • PAP2
    • WRTP
    • RTP
  • Sipura CA:
    • PAP2T
    • WRP400
    • SPA2xxx (SPA2000 and SPA2102)
    • SPA3xxx (SPA3000 and SPA3102
    • SPA9xx (SPA901, SPA921, SPA922, SPA941, SPA942, SPA962)
    • SPA3xx (SPA301 and SPA303)
    • SPA5xx (SPA501G, SPA502G, SPA504G, SPA508G, SPA509G, SPA512G, SPA504G, SPA525G, and SPA525G2)

Note:

A HTTPS server can only present a single certificate per IP address:port

To securely provision devices associated with multiple CAs, you will need to implement multiple HTTPS services. You can use any one or a combination of the following options:

  • Deploy multiple computers with one network interface card (NIC) per computer, each performing the role of a CA

Example:

  • https://computerA:443/spa$MA.cfg
  • https://computerB:443/spa$MA.cfg

 

  • Deploy a single computer with multiple NICs where each NIC has a unique IP address where each IP address performs the role of a unique CA

Example:

  • https://computerAnic1:443/spa$MA.cfg
  • https://computerAnic2:443/spa$MA.cfg

 

  • Deploy a single computer with a single NIC where unique ports are used and each unique port is associated with a unique CA
  • https://computerA:443/spa$MA.cfg
  • https://computerA:3443/spa$MA.cfg


<end of original document>


<Start of note from @Dan Lukes >

Informations in such documents seems to be either obsolete or invalid from  scratch. Most devices accept more than one CA, so multiple HTTPS  server as suggested by document may be overkill in some cases. But I will leave original document above, because I can't test all types and firmware versions.

 

See table bellow for real cross-compatibility list. It is based on real test of mentioned devices.

 


Device \ CALinksys CASipura CACisco SB CAVerisign
PAP2T, 5.1.6(LS)OKOKNONO
SPA112, 1.3.1(003)OKOKOKNO
SPA232D, 1.3.1(003_240)OKOKOKNO
SPA-962, 6.1.5(a)OKOKNO?
SPA508G, 7.5.4OKOKOKNO
SPA525G2, 7.5.4OKOKOK?

 

Note:

Linksys CA:

/C=US/ST=California/L=Irvine/O=Cisco Linksys, LLC./OU=Cisco Linksys Certificate Authority/CN=Cisco Linksys Provisioning Root Authority 1/emailAddress=linksys-certadmin@cisco.com

Serial: D0:7D:8A:7B:AD:BA:7C:B6:44:69:98:B1:EA:89:87:9F

 

Sipura CA:

/C=US/ST=California/L=San Jose/O=Sipura Technology, Inc./OU=Sipura Technology Certificate Authority/CN=Sipura Technology Provisioning Root Authority 1/emailAddress=webmaster@sipura.com

Serial: 45:BF:48:C0:CE:B8:8F:7B:C8:E1:6D:85:62:5A:5B:8F

 

CiscoSB CA:

/C=US/ST=California/L=San Jose/O=Cisco Small Business/OU=Cisco Small Business Certificate Authority/CN=Cisco Small Business Provisioning Root Authority 1/emailAddress=ciscosb-certadmin@cisco.com

Serial: D0:7D:8C:15:C0:BA:7C:B6:44:69:98:B1:EA:89:87:9F

 

Verisign CA (based on informations in SPA5xx IP Phone 7.x Firmware Update Information):

/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

Serial: 70:BA:E4:1D:10:D9:29:34:B6:38:CA:7B:03:CC:BA:BF

or

/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c) 05/CN=VeriSign Class 3 Secure Server CA

Serial: 75:33:7D:9A:B0:E1:23:3B:AE:2D:7D:E4:46:91:62:D4

 

Note: according Verisign (now Symantec) tech support, VeriSign Class 3 Secure Server CA based certificates are no longer issued. Class 3 Public Primary Certification Authority rooted certificates are sold under product name "Secure Site" and "Secure Site Pro".

 

Comments
Martin L
VIP
VIP

 

Nice doc, thanks for sharing!

Dan Lukes
VIP Alumni
VIP Alumni

Note the Cisco no longer signs requests by Linksys CA authority.

Sipura CA and CiscoSB CA will stop signing new request from December 1st, 2022.

There's new authority available 
/C=US/ST=California/L=San Jose/O=Cisco Small Business/OU=Cisco Small Business Certificate Authority/CN=Cisco Small Business Provisioning Root Authority 2/emailAddress=ciscosb-certadmin@cisco.com

recognized by

  • SPA1xx/SPA232D firmware 1.3.3 and never
  • SPA5xx firmware 7.5.6 and never
  • CP-[678]8xx-3PCC
  • ATA19X

 

Sascha Richter
Level 1
Level 1

Hi @Dan Lukes ,

many thanks for your update. Since December 1st, 2022 my SPA122 stop working but the newest FW is installed. Did you know if there is something to change in config. or anything else to do? Or my provider has problem with new cert.?

many thanks

best

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: