cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
506
Views
0
Helpful
2
Replies
Highlighted
Beginner

TFTP Encrypted Configuration with SX10

Hello Cisco community,

 

I have a question regarding the encrypted configuration in conjunction with a secure sip profile. As soon as I tick the box for the encrypted TFTP file in the sip profile I get the following error "Failed: SSL connection rejected" in the GUI and in the logs:

 

status=failed reason=Invalid device configuration: Encrypted configuration required, but no valid certificate is available

 I successfully tested it after generating a LSC certificate for the phone. 

My question is, why it doesn't work out of the box with the MIC. (If it is installed on that product).

 

Any suggestions are appreciated.

2 REPLIES 2
Highlighted

Cisco intended the MIC to be used only to securely authenticate to CAPF and get a LSC. They specifically say not to use it for any other reason in the security guide:

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/12_0_1/secugd/cucm_b_cucm-security-guide-1201/cucm_b_cucm-security-guide-1201_chapter_011010.html#CUCM_RF_P406FBC9_00

 

In the case case of TFTP Encryption, the MIC isn’t eenrolled/stored on CUCM so it doesn’t know the public key to encrypt the file with as it does with a LSC. 

Highlighted

Dear Jonathan,

 

thank you for your answer. I am aware of the fact that the MIC-Certificate should only be used for initial authentication to request the LSC certificate. However I came accross that article: https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118929-technote-cucm-00.html

There are several mentions about the use of MIC and I wanted to know, why it didn't work with the SX 10. Here are some excerpts:

 

Note: When you use this method for the first time, the phone compares the MD5 hash of the phone certificate in the configuration file to the MD5 hash of the Locally Significant Certificate (LSC) or the Manufacturing Installed Certificates (MIC).

 

After the CAPF communication is established, the phone sends information to the CAPF about the LSC or MIC that is used. The CAPF then extracts the phone public key from the LSC or MIC, generates a MD5 hash, and stores the values for the public key and certificate hash in the CUCM database.

 

Thank you in advance.