
How Do I Load TLS/SRTP Certificates and Private Keys Onto Cisco SPA525G2?

alteredstate
Level 1

Hello everyone,

 

I'm attempting to connect my SPA525G2 to Asterisk 13.12.1 (on FreePBX 13.0.192.18) via TLS as well as set up SRTP, but I'm stumped on how to load the TLS/SRTP certificates/keys on the SPA525G2? Referring to the screenshot, it appears the only options on this phone are the "Mini Certificate:" and "SRTP Private Key:" fields, neither of which allows enough characters to accommodate copying and pasting certificates or keys. For example, on the SIP soft phone CSipSimple you are allowed to add your CA file, Private Key file and Certificate file via a file path, but this does not appear possible on the SPA525G2. I would really appreciate it if someone could steer me in the right direction so I could get these phones up and running.


Dan Lukes
VIP Alumni

You can't use X509 here. It's a proprietary format.

User key is just a base64-encoded 512-bit RSA private key. Mini certificate is base64 of the signed public key prepended by a 60B header of various data.

Cisco have a "genmc" application dedicated to creating those structures. Call SMB Support and ask for it if you have a valid support contract. Use Google otherwise - the source code of the generator was published by someone about ten years ago ...

Related: Linksys SPA-922: SRTP and Certificate Setup



Thank you for the reply!  I do not have a support contract but I believe I found the genmc application online.  Looks like it only works on a Windows machine so when I get a free moment I'll create a virtual Windows machine, try it out and let you know my results.  Thanks again!



I finally got around to setting up a Windows VM and trying out the "genmc" but I'm confused. I do not understand how I am supposed to combine my *.ca and *.pem files in order to generate a Mini Certificate, and where does the SRTP Private Key come into play using the "genmc" command? Am I supposed to add all those files into a "Profile.txt" file somehow?

Capture.PNG

I never had access to Cisco's original genmc utility nor its documentation.

But according to the screenshot you provided and the knowledge I gained so far - the utility you have can generate a CA key (the "usage 1" scenario). Such a key is embedded in no phone; it's used in step 2 only. Note, you shall use a particular CA key for all users who will use sRTP together.

With the CA key ready you can generate either the txt or xml variant of a provisioning file with a CA-based minicert embedded. It's the "usage 2" step. User keys are generated and will be embedded as "Mini Certificate" and "SRTP Private Key" configuration values in the resulting profile file.

 

Try it.