cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
352
Views
5
Helpful
6
Replies

Phone Certificate Trust

My client is using HTTPS to access the phones' web pages. The ability to get to the web page via HTTP has been disabled.

I can access the CUCM 14 server itself directly using a web browser without going through the "Advanced/Proceed" business when the browser does not trust the certificate presented. This means the Tomcat-trust is installed. However, when I access a phone's web page I do have to go through those extra steps.

Our cluster is CA-signed by the the organization's central CA. As I understand it, the phone certificates are signed by CUCM as a proxy via the CAPF function.

Which CUCM trust certificate would my browser need to have installed in order to have the browser automatically trust the certificates presented by the phones? Would it be the CAPF certificate? CAPF-trust? If it is the CAPF-Trust certificate, which one of the several Cisco has in the system would be correct? Or would it be some other certificate?

Thanks for your help!

Maren

 

1 Accepted Solution

Accepted Solutions

IP Phones use OAuth tokens instead of a client X.509 certificate (i.e., the MIC or LSC) when using OAuth for secure SIP registration. The only certificate involved in that scenario is the CCM+TFTP (or combined CCM+TFTP+Tomcat in CUCM 14+) server certificate. This is why OAuth only improves the secure registration use case and not 802.1x, EAP-TLS, or the phone's web server. The lack of an RSA/ECC key pair is also why SIP OAuth tokens cannot be used for TFTP file encryption: there isn't a public key for Cisco TFTP to encrypt the XML file with.

Take a look at the certificate presented by the phone in your browser. The dialog box that opens, which will vary by OS, will show the attributes - including which CA it was issued by and that CA certificate thumbprint. There are three possibilities:

  1. One of the Cisco manufacturing CAs - meaning the phone doesn't have an LSC and is still using its MIC. This isn't recommended but I have seen customers do it since they can just import the Cisco CAs into their NAC solution and go. If this is what you see, all of these CAs are also included in the CAPF-trust store of CUCM; you could save one as a PEM file and import it as a trusted root CA on your computer. Cisco warned us not to do this though.
  2. The CAPF certificate of the CUCM publisher. Same answer: save that as a PEM file and import as a trusted root CA.
  3. The enterprise CA(s) that signed the phone's CSR instead of CAPF itself. In this scenario there may be a chain of multiple CAs such as a root and subordinate issuing CA. You might be able to get away with only importing the root CA and your computer can figure it out - but you may also need to import the subordinate issuing CA(s) in order after the root. This is not unique or custom to CUCM though. Most organizations distribute these internal CA chains through other management agents (e.g. Group Policy, MDM, etc.) vs. doing it manually.

View solution in original post

6 Replies 6

Jonathan Schulenberg
Hall of Fame
Hall of Fame

By default (i.e., you didn't do extra work I'll describe in subsequent paragraphs), phones are not issued certificates by the CUCM cluster they are registered to. They come from the factory with a burned in, non-renewable, Manufacturer Installed Certificate (MIC) signed by Cisco that is valid for 10 years. Since the MIC is the only cert a phone has by default, that's what it offers when you access its web server. Without doing extra work, you would need to install the manufacturing CA(s) that the phones in your environment were issued certificates by as trusted root certificate authorities on your computer to avoid the warnings. The Security Guide has always advised customers to not trust the manufacturing CAs for TLS operations though, so this doesn't seem wise.

The sole intended use for a MIC is to serve as a trust anchor for enrolling in a Locally Significant Certificate (LSC) with CAPF on CUCM. Soft phones, which lack a MIC since Cisco didn't manufacture that hardware, instead use a numeric authorization string - that is supposed to be shared securely out of band - manually input by the user to get an LSC. CAPF is capable of being its own root certificate authority - although it's not great at that, hold that thought - or a proxy to another "real" certificate authority. Your computer would either trust the CAPF certificate on the publisher as a root CA or the external CA, depending on the approach you choose. The LSC is most commonly used for secure SIP/SCCP registration to CCM, 802.1x authentication to the NAC solution, and/or EAP-TLS WIFI network authentication for wireless IP Phone models. Phones will automatically use their LSC instead of the MIC for its web server as well. Note that SIP OAuth is a much better solution for secure registration than CAPF in CUCM 14+.

The MIC or authorization string trust anchor is how CUCM decides that the LSC enrollment request is from a legitimate endpoint instead of an attacker attempting to either maliciously register to CUCM or convince the NAC solution to permit access to the network. This is especially important because NAC must permit limited access to CUCM TFTP and CAPF pre-authentication in order for LSC enrollment to succeed.  There are at least two icebergs hiding in the proverbial water here though:

  1. MICs cannot be renewed, giving phones an effective 10 year lifespan. The administrator must manually trigger the renewal of LSCs individually or via BAT jobs (e.g., by Device Pool every N years). LSC renewal requires the phone to be registered to CUCM when the renewal operation commences as well, so anything that's offline gets left behind.
  2. CAPF isn't a fully functional CA. For example, it has no certificate revocation mechanism for LSCs once they are issued. An organization with rigorous IT security operations team is likely to consider that unacceptable. This is where the online/offline external CA comes in. You can either download the CSR the phone gave to CAPF with RTMT, manually sign it, and then upload the CA-signed cert to CUCM for the phone to retrieve or configure a northbound CA to have CAPF automatically forward the CSR and get a signed certificate from. The latter is far more practical IMO.

TL;DR- You're stuck with browser security warnings unless you have an IT security mandate to avoid them at significant operational effort (i.e. the LSC renewals) or to implement 802.1x certificates-based authentication.

That is a great overview of the process. My client uses encrypted communications on a secure cluster, so everything is CA-signed and they do use SIP OAuth for certificates. (Which I confused with CAPF because I'm old.)

Presuming we do use 802.1x certificate-based authentication, which I asked and we do, what would be the correct certificate to resolve the browser security warning problem?

Maren

Hello @Maren Mahoney 

SIP OAuth ? the OAuth certificate should be trusted and installed in your browser...

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

And exactly which certificate is that is the question. Would that be found in the CUCM Certificate Management? Or is that a certificate held by the organizational or intermediate CA? I know a lot of stuff, but this is not my area of expertise.

Maren

IP Phones use OAuth tokens instead of a client X.509 certificate (i.e., the MIC or LSC) when using OAuth for secure SIP registration. The only certificate involved in that scenario is the CCM+TFTP (or combined CCM+TFTP+Tomcat in CUCM 14+) server certificate. This is why OAuth only improves the secure registration use case and not 802.1x, EAP-TLS, or the phone's web server. The lack of an RSA/ECC key pair is also why SIP OAuth tokens cannot be used for TFTP file encryption: there isn't a public key for Cisco TFTP to encrypt the XML file with.

Take a look at the certificate presented by the phone in your browser. The dialog box that opens, which will vary by OS, will show the attributes - including which CA it was issued by and that CA certificate thumbprint. There are three possibilities:

  1. One of the Cisco manufacturing CAs - meaning the phone doesn't have an LSC and is still using its MIC. This isn't recommended but I have seen customers do it since they can just import the Cisco CAs into their NAC solution and go. If this is what you see, all of these CAs are also included in the CAPF-trust store of CUCM; you could save one as a PEM file and import it as a trusted root CA on your computer. Cisco warned us not to do this though.
  2. The CAPF certificate of the CUCM publisher. Same answer: save that as a PEM file and import as a trusted root CA.
  3. The enterprise CA(s) that signed the phone's CSR instead of CAPF itself. In this scenario there may be a chain of multiple CAs such as a root and subordinate issuing CA. You might be able to get away with only importing the root CA and your computer can figure it out - but you may also need to import the subordinate issuing CA(s) in order after the root. This is not unique or custom to CUCM though. Most organizations distribute these internal CA chains through other management agents (e.g. Group Policy, MDM, etc.) vs. doing it manually.

Looking at the cert presented by the phone was the key. (And once you said it I thought, "Duh".) Perfect suggestion. Thank you!

Maren