TFTP Encrypted Configuration with SX10

tschafferx
Level 1

Hello Cisco community,

 

I have a question regarding the encrypted configuration in conjunction with a secure sip profile. As soon as I tick the box for the encrypted TFTP file in the sip profile I get the following error "Failed: SSL connection rejected" in the GUI and in the logs:

 

status=failed reason=Invalid device configuration: Encrypted configuration required, but no valid certificate is available

 I successfully tested it after generating a LSC certificate for the phone. 

My question is why it doesn't work out of the box with the MIC (if it is installed on that product).

 

Any suggestions are appreciated.

2 Replies

Jonathan Schulenberg
Hall of Fame

Cisco intended the MIC to be used only to securely authenticate to CAPF and get a LSC. They specifically say not to use it for any other reason in the security guide:

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/12_0_1/secugd/cucm_b_cucm-security-guide-1201/cucm_b_cucm-security-guide-1201_chapter_011010.html#CUCM_RF_P406FBC9_00

 

In the case of TFTP Encryption, the MIC isn’t enrolled/stored on CUCM so it doesn’t know the public key to encrypt the file with as it does with a LSC.

Dear Jonathan,

 

thank you for your answer. I am aware of the fact that the MIC certificate should only be used for initial authentication to request the LSC certificate. However, I came across that article: https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118929-technote-cucm-00.html

There are several mentions of the use of the MIC and I wanted to know why it didn't work with the SX 10. Here are some excerpts:

 

Note: When you use this method for the first time, the phone compares the MD5 hash of the phone certificate in the configuration file to the MD5 hash of the Locally Significant Certificate (LSC) or the Manufacturing Installed Certificates (MIC).

 

After the CAPF communication is established, the phone sends information to the CAPF about the LSC or MIC that is used. The CAPF then extracts the phone public key from the LSC or MIC, generates a MD5 hash, and stores the values for the public key and certificate hash in the CUCM database.

 

Thank you in advance.