03-09-2016 05:39 AM - edited 03-21-2019 08:53 AM
Hi - I sent emails to Cisco last year trying to find out how I go about getting an SMB Cisco rep to submit a CSR for me. I submitted my question to ciscosb-certadmin@cisco.com in September 2015 and got a response from 'Joe <jvallada@cisco.com>' a month later asking if anyone had helped me. I responded back in Sep that no one had contacted me. I attempted to email him again today only to find his email address bounces and it looks as though he no longer works for Cisco.
I am not a high volume purchaser and purchase SPA phones from a local reseller. How do I find a Cisco SMB rep to submit a CSR for me?
These are small business devices. Why is it so hard for small business to securely provision these devices? The thing I find amazing is that we end user admins can't upload our own CA root certs to support internal CAs - these are small business devices NOT enterprise phones.
03-11-2016 03:50 AM
Well, it's one of the most secret pieces of information. You are not the first man asking it here. It seems no one knows how to identify the appropriate Cisco sales representative. Moreover, such a representative may not exist for a particular area at all (as in my case).
Call SMB support center for help.
03-11-2016 03:50 AM
Cisco now have a self service portal for users to upload the CSR and issue their own certs. Worked for me today.
03-11-2016 02:48 PM
So it's open to the public now? Glad to hear. It's new to me.
I was approved to ask for certificates directly, with no Cisco sales representative influence, a few years ago. So I assumed my access to such a portal is based on it and casual users have no access.
03-12-2016 04:34 AM
It would have been far easier for Cisco to just allow us to upload (via initial provisioning) our own internal CA root certs and then customers could have issued their own certs.
03-12-2016 06:24 AM
It seems you missed that it is possible.
You need not use https for provisioning - so you can fetch the so-called 'initial configuration' over http.
Moreover, such a configuration can be encrypted for the particular phone, so if fetched by a rogue user or an inappropriate phone, it will not be readable for them.
But it is not as secure as a configuration encrypted and signed by SSL. Thus a skilled rogue user will be able to arrange a MITM attack against your phone network.
In short, the feature you wish for has been here for a long time.
03-12-2016 06:26 AM
I understand I can encrypt the xml files and I also know I can retrieve them via http only.
However, I wish to retrieve xml configs over https connections only.
03-12-2016 07:34 AM
For SSL you need a certificate recognized as trusted. So how do you wish the initial SSL provisioning to be done?
03-12-2016 07:47 AM
Easy, the server cert I have has been issued by the Cisco CA. However, I don't know if 7.3.7 firmware has the appropriate root certs in order to trust my server cert.
03-12-2016 09:39 AM
OK. I was confused by the following sentence:
It would have been far easier for Cisco to just allow us to upload (via initial provisioning) our own internal CA root certs and then customers could have issued their own certs.
Your own CA can't be used for initial provisioning. But once you have a certificate suitable for initial provisioning, you need no CA of your own for casual provisioning ...
But back to the most current topic.
For the purpose of this thread, Cisco uses four different certificate authorities to issue certificates to users. Three of them are recognized as trusted by the latest SPA50x firmware. It's up to you to ask for a certificate signed by a particular CA according to your wishes.
The Cisco 2k Small Business CA based certificate you have is supported from firmware 7.5.6 onward. So it will not work with 7.3.7 firmware. A Sipura CA signed certificate will work on 7.3.7 as well as on the latest firmware. I'm unsure about the Cisco Small Business (SB) CA based certificate - it may or may not work with 7.3.7 - I'm unsure about the oldest firmware version that recognizes it. Just try it.
But cave - * downgrade warning *.
If you consider downgrading a fully configured phone from such new firmware to such old firmware, it may be bricked with no way to recover (be sure I know it). There's no official guide for a safe downgrade. To decrease risk ...