on 03-03-2020 08:25 AM
This document is an attempt to recreate the content of the original document created by the famous @Patrick Born. Cisco has considered destroying such a valuable document for an unknown reason.
Cisco SPA series phones and ATAs can use certificate-authenticated HTTPS (SSL) sessions to ensure secure provisioning. For a provisioning server to be acceptable to the SPA phone or ATA, the server must present a certificate signed by Cisco's Certificate Authority (CA).
Over the years, we have added certificate authorities (CA) as needed and for administrative reasons.
If your SPA1xx or SPA232D ATA or SPA5xx IP Phone is running current or newer firmware, 1.3.3 or 7.5.6 respectively, use the newer "Cisco 2k Small Business CA" even though you could use any of the older CAs.
An HTTPS server used for device provisioning must use a certificate signed by the appropriate CA for the device.
To obtain this certificate, you must submit a certificate signing request (CSR) by following the CSR instructions.
When submitting the CSR, you must list the device types that you want to provision so we know what certificates to generate for you.
Following is a list to help you identify the appropriate CA associated with your device:
Note:
An HTTPS server can only present a single certificate per IP address:port.
To securely provision devices associated with multiple CAs, you will need to implement multiple HTTPS services. You can use any one or a combination of the following options:
Example:
Example:
<end of original document>
<Start of note from @Dan Lukes >
Information in such documents seems to be either obsolete or invalid from scratch. Most devices accept more than one CA, so multiple HTTPS servers as suggested by the document may be overkill in some cases. But I will leave the original document above, because I can't test all types and firmware versions.
See the table below for a real cross-compatibility list. It is based on real tests of the mentioned devices.
| Device \ CA | Linksys CA | Sipura CA | Cisco SB CA | Verisign |
|---|---|---|---|---|
| PAP2T, 5.1.6(LS) | OK | OK | | |
| SPA112, 1.3.1(003) | OK | OK | OK | |
| SPA232D, 1.3.1(003_240) | OK | OK | OK | |
| SPA-962, 6.1.5(a) | OK | OK | ? | |
| SPA508G, 7.5.4 | OK | OK | OK | |
| SPA525G2, 7.5.4 | OK | OK | OK | ? |
Note:
Linksys CA:
/C=US/ST=California/L=Irvine/O=Cisco Linksys, LLC./OU=Cisco Linksys Certificate Authority/CN=Cisco Linksys Provisioning Root Authority 1/emailAddress=linksys-certadmin@cisco.com
Serial: D0:7D:8A:7B:AD:BA:7C:B6:44:69:98:B1:EA:89:87:9F
Sipura CA:
/C=US/ST=California/L=San Jose/O=Sipura Technology, Inc./OU=Sipura Technology Certificate Authority/CN=Sipura Technology Provisioning Root Authority 1/emailAddress=webmaster@sipura.com
Serial: 45:BF:48:C0:CE:B8:8F:7B:C8:E1:6D:85:62:5A:5B:8F
CiscoSB CA:
/C=US/ST=California/L=San Jose/O=Cisco Small Business/OU=Cisco Small Business Certificate Authority/CN=Cisco Small Business Provisioning Root Authority 1/emailAddress=ciscosb-certadmin@cisco.com
Serial: D0:7D:8C:15:C0:BA:7C:B6:44:69:98:B1:EA:89:87:9F
Verisign CA (based on information in SPA5xx IP Phone 7.x Firmware Update Information):
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Serial: 70:BA:E4:1D:10:D9:29:34:B6:38:CA:7B:03:CC:BA:BF
or
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c) 05/CN=VeriSign Class 3 Secure Server CA
Serial: 75:33:7D:9A:B0:E1:23:3B:AE:2D:7D:E4:46:91:62:D4
Note: according to Verisign (now Symantec) tech support, VeriSign Class 3 Secure Server CA based certificates are no longer issued. Class 3 Public Primary Certification Authority rooted certificates are sold under the product names "Secure Site" and "Secure Site Pro".
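As an added example (not part of the original post and not Cisco code), the Python below takes the issuer DN of a provisioning server certificate in the slash-separated form used above, identifies which of the listed CAs it names, and returns the devices the table marks "OK" for that CA. The function names are hypothetical; blank and "?" cells are treated as "not marked OK", and the Verisign entry uses the second Verisign DN from the post.

```python
import re

# Root CA subject DNs copied verbatim from the post.
KNOWN_CAS = {
    "Linksys CA": "/C=US/ST=California/L=Irvine/O=Cisco Linksys, LLC./OU=Cisco Linksys Certificate Authority/CN=Cisco Linksys Provisioning Root Authority 1/emailAddress=linksys-certadmin@cisco.com",
    "Sipura CA": "/C=US/ST=California/L=San Jose/O=Sipura Technology, Inc./OU=Sipura Technology Certificate Authority/CN=Sipura Technology Provisioning Root Authority 1/emailAddress=webmaster@sipura.com",
    "Cisco SB CA": "/C=US/ST=California/L=San Jose/O=Cisco Small Business/OU=Cisco Small Business Certificate Authority/CN=Cisco Small Business Provisioning Root Authority 1/emailAddress=ciscosb-certadmin@cisco.com",
    "Verisign": "/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c) 05/CN=VeriSign Class 3 Secure Server CA",
}

# "OK" cells of the compatibility table in the post ("?" and blank cells omitted).
ALL_THREE = {"Linksys CA", "Sipura CA", "Cisco SB CA"}
TESTED_OK = {
    "PAP2T, 5.1.6(LS)": {"Linksys CA", "Sipura CA"},
    "SPA112, 1.3.1(003)": ALL_THREE,
    "SPA232D, 1.3.1(003_240)": ALL_THREE,
    "SPA-962, 6.1.5(a)": {"Linksys CA", "Sipura CA"},
    "SPA508G, 7.5.4": ALL_THREE,
    "SPA525G2, 7.5.4": ALL_THREE,
}

def parse_dn(dn):
    """Split a slash-separated DN into (attribute, value) pairs.

    A '/' starts a new attribute only when followed by 'Name=', so a value
    that itself contains slashes (the URL in the Verisign OU) stays whole.
    """
    parts = re.split(r"/(?=[A-Za-z]+=)", dn.strip())
    if parts[0] != "":
        raise ValueError("DN must start with '/'")
    return [tuple(p.split("=", 1)) for p in parts[1:]]

def identify_ca(issuer_dn):
    """Return the post's label for the CA named by issuer_dn, or None."""
    wanted = parse_dn(issuer_dn)
    for label, dn in KNOWN_CAS.items():
        # Exact match on every attribute: "Root Authority 1" and a DN that
        # differs only in the trailing digit are different CAs.
        if parse_dn(dn) == wanted:
            return label
    return None

def devices_accepting(issuer_dn):
    """Devices the table marks OK for this issuer (empty if unknown or untested)."""
    label = identify_ca(issuer_dn)
    return sorted(d for d, cas in TESTED_OK.items() if label in cas)
```

A DN match only shows which CA a certificate claims as its issuer; the device itself decides acceptance by verifying the signature against its built-in roots.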
Nice doc, thanks for sharing!
Note that Cisco no longer signs requests by the Linksys CA authority.
Sipura CA and CiscoSB CA will stop signing new requests from December 1st, 2022.
There's a new authority available:
/C=US/ST=California/L=San Jose/O=Cisco Small Business/OU=Cisco Small Business Certificate Authority/CN=Cisco Small Business Provisioning Root Authority 2/emailAddress=ciscosb-certadmin@cisco.com
recognized by
Hi @Dan Lukes ,
Many thanks for your update. Since December 1st, 2022 my SPA122 stopped working, but the newest FW is installed. Do you know if there is something to change in the config or anything else to do? Or does my provider have a problem with the new cert?
many thanks
best