on 01-16-2009 06:21 AM
Did you know?
-- Your provisioning server does not need to be connected to the Internet in order to use Cisco's certificate.
-- The only requirement is that the phones or SPA devices have network access to the provisioning server.
-- There is no need for the phones or provisioning server to have access to the Internet.
-- The Cisco SPA301 and SPA303 IP phones use a different CA from the Cisco SPA5xxG phones and from older Sipura and Linksys devices.
Refer to https://supportforums.cisco.com/docs/DOC-23639 and https://supportforums.cisco.com/docs/DOC-12709
-- The SPA Phones and ATAs support mutual SSL authentication [SSLVerifyClient require] based on certificates signed by Cisco.
This document describes the certificate signing (CSR) process, what to do, where to run commands, and what information you must provide.
-----------------------------------------------------
You must generate a Certificate Signing Request (CSR) as part of the certificate signing process.
The CSR identifies and describes your organization.
Your web server needs a private key in order to generate a CSR. This document helps you create a private key on the web server in step A1.
This private key is private to you and your web server. Do not share it with anyone! Do not include your private key in your CSR email request in step B1.
When generating the CSR in step A2, you will be asked for a "CN" (Common Name, also sometimes called "your name" depending on the operating system on your web server). This name is used to uniquely identify the web server, so the name must use fully qualified domain name (FQDN) syntax.
During the SSL authentication handshake, the SPA device verifies that the certificate it receives is indeed from the machine that presents it; this can only be accomplished with a FQDN.
For example, if your server's hostname is provserv and your domain is domain.com, then provserv.domain.com is the fully qualified CN to submit.
Step A: Creating the CSR
------------
Use the open-source "openssl" utility to generate a private key in step 1 and then generate your CSR in step 2. Both steps must be run on the web server.
1. Generate a private key which you will use to generate the certificate signing request
webserver# openssl genrsa -out <file.key> 2048
2. Generate the CSR using the private key that you just created.
webserver# openssl req -new -key <file.key> -out <file.csr>
IMPORTANT:
When prompted for an email address, you must provide a valid email address so Cisco can contact you if needed.
This email address will be visible in the CSR. Cisco will not process the CSR without a valid email address.
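As an added example (not from the Cisco document), the following POSIX shell script runs Step A non-interactively with the FQDN check on the CN that the text calls for, and then uses a throwaway local CA standing in for Cisco's signing step so the resulting chain can be verified before installation. The names provserv.domain.com, Example Org, admin@domain.com and the WORK scratch directory are assumed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Cisco document: Step A (key + CSR) with the
# FQDN check the text calls for, then a throwaway local CA standing in for
# Cisco's signing step so the resulting chain can be checked with openssl.
# All names (provserv.domain.com, Example Org, the email) are placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, CSR and certs

# Step A1/A2: private key (mode 0600, never leaves this host) and CSR.
# Refuses a CN without a dot, i.e. a bare hostname such as "provserv".
make_csr() {            # make_csr <fqdn> <email>
    fqdn="$1"; email="$2"
    case "$fqdn" in
        *.*) ;;
        *) echo "CN '$fqdn' is not an FQDN" >&2; return 1 ;;
    esac
    umask 077
    openssl genrsa -out "$WORK/$fqdn.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$fqdn.key" -out "$WORK/$fqdn.csr" \
        -subj "/O=Example Org/CN=$fqdn/emailAddress=$email"
}

# Print the CN embedded in a CSR (RFC 2253 form, so it is easy to parse).
csr_cn() {              # csr_cn <csr file>
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Stand-in for Step B: a throwaway local CA signs the CSR for two years
# (730 days). Cisco's CA does this in the real process; never deploy this CA.
sign_with_test_ca() {   # sign_with_test_ca <csr file> <out crt>
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/testca.key" -out "$WORK/testca.crt" \
        -subj "/O=Example Org/CN=Test CA stand-in" 2>/dev/null
    openssl x509 -req -in "$1" -CA "$WORK/testca.crt" -CAkey "$WORK/testca.key" \
        -CAcreateserial -days 730 -out "$2" 2>/dev/null
}

# Step B6 pre-install check: does the signed cert chain to the CA file?
verify_chain() {        # verify_chain <crt> <ca file>
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then   # sh thisfile.sh demo
    make_csr provserv.domain.com admin@domain.com
    echo "CSR CN: $(csr_cn "$WORK/provserv.domain.com.csr")"
    sign_with_test_ca "$WORK/provserv.domain.com.csr" "$WORK/provserv.domain.com.crt"
    verify_chain "$WORK/provserv.domain.com.crt" "$WORK/testca.crt" && echo "chain OK"
fi
```

Only the .csr file is what you send on in Step B; the .key produced here stays on the web server, as the text above requires.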
Step B: Preparing the Certificate to send to your sales representative
-----------
1. Compress the CSR with the zip utility to prevent email servers from truncating the CSR. [Do not include the web server's private key.]
2. List the devices for which you require the certificate, for example: SPA3xx, SPA5xx, SPA9XX, WRPXXX, RTPXXX, WRTPXXX, and WAGXXX
[This tells Engineering what devices to include in the combinedca.crt certificate for client authentication]
3. Email the CSR and device list to your Cisco sales representative.
4. The Cisco sales rep forwards the CSR to ciscosb-certadmin@cisco.com
Note: A certificate will only be generated if a Cisco sales representative sends the CSR to the email alias.
5. Cisco signs the CSR and sends the certificate(s) to the Cisco sales representative. The Cisco sales representative sends the certificate(s) to you.
6. Install the certificate(s) on your HTTPS server. This certificate is valid for two (2) years.
Following is an example from Apache's httpd.conf file on Linux:
...
...
# Server Certificate:
SSLCertificateFile .../etc/httpd/conf/...crt
# Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/...key
# Client authentication (Optional) Certificate Authority (CA)
SSLVerifyClient require
SSLCACertificatePath .../etc/httpd/conf/
SSLCACertificateFile /etc/httpd/conf/combinedca.crt
# If using SSLVerifyDepth Do not set it greater than 2, for example:
# <Location>
# SSLRequireSSL
# SSLVerifyDepth 2
# </Location>
...
...
<end>
As Apache 2.4 is starting to use 2048-bit DH keys by default, but some Cisco firmwares are too old to connect to such a kind of server, the server's DH configuration needs to be tuned accordingly.
Run 'openssl dhparam 1024' and add the output into the 'SSLCertificateFile' file to limit the SSL DH key size to 1024 bits.
The list of affected devices is not known, but the PAP2T even with the latest firmware and SPA[35]0x with pre-7.5.2b firmware are known to be affected.
I do not have a sales representative and would like to make my own key to provision my SPA3102 and PAP2T to use SRTP with OpenSIPS. Could you help me?
Hi,
After spending several hours searching through various documents online and then eventually getting through to Cisco SMB Support, only to be told that they basically have no idea who I should email a Server Certificate request to, I am at the end of my tether.
Can anyone please tell me who I should be sending a Server Certificate request to so that we can begin provisioning SPA3xx and SPA5xx IP Phones from our own provisioning server?
We do not have a Cisco sales representative and therefore can only deal directly to get this sorted out.
Thanks for any help that anyone can give.
Beware of timeouts.
Apache 2.4 in its default configuration waits only 20-60 seconds for the SSL handshake to complete, then aborts the connection.
But SPA9xx devices require more than 90 seconds to complete the handshake if mutual SSL authentication is enabled.
So adjust your server timeouts accordingly.
When I now try to access Cisco Enablement Services to create a certificate, I get the following page error after logon:
The page you are trying to access may have been moved to a different location or removed. If you typed the address, please verify that the spelling is correct.
How is everybody else getting their certificates renewed?
Thanks,
roger.seelaender@airespring.com
The URL you posted can't be used - it's an intermediate temporary URL used during the login process. No one else can use it.
Hopefully in the meantime I have identified the valid URL of Cisco Enablement Services.
The following document may help you to choose proper certificate authority: SPA Certificate Authority (CA) List.