05-26-2015 07:24 AM - edited 03-21-2019 10:25 AM
Hello!
We have some difficulties with SPA8000 provisioning over HTTPS. Ordinary HTTP provisioning is working fine, but due to security measures we have decided to use HTTPS. The SPA 8000 just rejects our server's certificate. Here is a bit of the OpenSSL log file:
[error] mod_ssl: SSL handshake failed (server server_ip:443, client client_ip) (OpenSSL library error follows)
[error] OpenSSL: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
I suppose this server certificate should be signed by Cisco, or our certificate should be added to the SPA 8000 device as trusted. Can you please clarify this issue?
05-26-2015 08:51 AM
The SPA 8000 just rejects our server's certificate
Unless the particular server's certificate is issued by a trusted CA, it needs to be rejected. SSL is here to prevent an attacker from being recognized as a valid provisioning server. It will not work if any certificate is considered valid.
I suppose this server certificate should be signed by Cisco, or our certificate should be added to the SPA 8000 device as trusted.
If you wish for zero-touch provisioning, a certificate signed by Cisco needs to be used. Otherwise, either approach will solve your issue.
So either follow the SPA Certificate Authority (CA) List or import the certificate of your own CA into the device in question.
05-27-2015 01:29 AM
Thank you for your response!
Let me get this straight: our server's certificate is issued by the Comodo CA, so provisioning should work, and it doesn't have to be issued only by Cisco?
05-27-2015 09:00 AM
In such case it should be enough to import the root certificate authority into every phone for provisioning to start working.
05-27-2015 09:59 AM
How can I do that with the Cisco SPA 8000 8-port voice gateway? I've been looking throughout the Cisco Admin Guide for this device, and certificate importing was never mentioned. Can you give some guidance, or tell me where I should look for information about how to import a certificate into this device?
05-27-2015 10:37 AM
Hm, I have no SPA8000 here. Such a feature was implemented for both the SPA[35]xx and SPA[12]xx product lines about 3 years ago, so I assumed it had been implemented for the SPA8000 as well.
OK. Assuming you are running the latest firmware version, search for the "Custom CA RULE" and "Custom CA URL" options. If they are not there, then such a feature has not been implemented on the SPA8000. In that case the Cisco-issued certificate is the only option for you.
05-29-2015 04:16 AM
Thanks, man!
It seems the SPA 8000 doesn't have this option, even with the latest firmware.
Anyway, thanks, beer's on me if you're ever gonna visit Moscow :)
05-29-2015 09:05 AM
I visited Moscow about 30 years ago. Not sure I will return in the near future ;-)
Use a Cisco-issued certificate. The most complicated part is finding a sales representative. Call SMB support for help if you cannot find one.
05-27-2015 02:11 PM
The process for uploading certs to the ATA is in the provisioning guide: Chapter 4, p. 77; certificates are described on p. 80.
https://supportforums.cisco.com/docs/DOC-9894
To request the Cisco cert, the process is here:
https://supportforums.cisco.com/document/36871/certificate-signing-request-csr-signed-ssl-certificates-spa-voice-products
Basically, you have to create the certificate signing request and send it, along with a list of the device types you are provisioning, to your distributor/reseller.
They will forward it to Cisco, who will send the cert.
** or **
You could use the SPA Profile Compiler (SPC) to encrypt/hash (AES or RC4) your configuration files so they are encrypted, but still send them over HTTPS. This will encrypt the files to prevent man-in-the-middle snooping. What you do not get is authentication (is the client downloading the file yours, and is the server providing the file to the ATA yours?).
The SPC tool for the 8000 is here:
http://www.cisco.com/c/en/us/support/unified-communications/spa8000-8-port-ip-telephony-gateway/model.html#~tab-downloads
Info about the SPC tool is in the provisioning guide linked above, p. 51.
Hope this helps. Flag it if it does.
Dan
05-27-2015 02:33 PM
Maybe I missed something, but in ...
The SPA30x and SPA5xx IP Phone, and PAP2T, SPA2102, SPA3102, SPA8x00 and WRP400 ATA Provisioning Guide: http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/csbpvga/ata/provisioning/guide/Provisioning.pdf
... provisioning guide I see no word describing how to import one's own CA certificate into the device.
05-29-2015 06:00 AM
I think the SPA 8000 series is suffering from a lack of attention. Its firmware was last updated in July 2013, so no wonder the certificate importing feature is missing.
Oh, and thank you for the SPC hint; we'll try this if there are problems finding a sales representative in Russia. A few of our suppliers were puzzled by our request for a cert.