SPA 8000 https provisioning

skorolev1
Level 1

Hello!

We have some difficulties with SPA8000 provisioning over https. Ordinary http provisioning is working fine, but due to security measures we have decided to use https. SPA 8000 just rejects our server's certificate. Here is a bit of the openssl log file:

[error] mod_ssl: SSL handshake failed (server server_ip:443, client client_ip) (OpenSSL library error follows)
[error] OpenSSL: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

 

I suppose this server certificate should be signed by Cisco, or our certificate should be added to the SPA 8000 device as trusted. Can you please clarify this issue?
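
The error code in the log above can be decoded mechanically: OpenSSL 1.x packs library, function and reason into the eight hex digits, and a reason of 1000 or more in the SSL library is a TLS alert received from the peer, so 14094418 means the SPA 8000 itself sent alert 48 (unknown_ca). The Python below is an added example, not part of the original post; the IP addresses and the second log entry are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# TLS alert numbers that concern certificate validation (RFC 5246, section 7.2).
TLS_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca"}
ERR_LIB_SSL = 20            # 0x14, the "SSL routines" library
ALERT_REASON_OFFSET = 1000  # OpenSSL reports a peer alert as reason 1000 + alert number

HANDSHAKE = re.compile(r"SSL handshake failed \(server (\S+), client (\S+)\)")
OPENSSL_ERR = re.compile(r"OpenSSL: error:([0-9A-Fa-f]{8}):")

# Constructed sample in the mod_ssl format quoted in the post (documentation IPs).
SAMPLE_LOG = [
    "[error] mod_ssl: SSL handshake failed (server 192.0.2.10:443, client 198.51.100.7) (OpenSSL library error follows)",
    "[error] OpenSSL: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
    "[error] mod_ssl: SSL handshake failed (server 192.0.2.10:443, client 198.51.100.9) (OpenSSL library error follows)",
    "[error] OpenSSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number",
]

def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 1.x error code into (library, function, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def peer_alert(code_hex):
    """Name the TLS alert the peer sent, or None if the error is not a peer alert."""
    lib, _func, reason = decode_openssl_error(code_hex)
    if lib != ERR_LIB_SSL or reason < ALERT_REASON_OFFSET:
        return None
    number = reason - ALERT_REASON_OFFSET
    return TLS_ALERTS.get(number, f"alert_{number}")

def clients_rejecting_cert(lines):
    """Count peer alerts per client, pairing each error with the preceding handshake line."""
    counts, client = Counter(), None
    for line in lines:
        handshake = HANDSHAKE.search(line)
        if handshake:
            client = handshake.group(2)
            continue
        err = OPENSSL_ERR.search(line)
        if err and client:
            alert = peer_alert(err.group(1))
            if alert:
                counts[(client, alert)] += 1
            client = None
    return counts
```

Calling `clients_rejecting_cert(SAMPLE_LOG)` lists only the device that sent unknown_ca; the wrong-version-number failure is a local protocol error, not a trust decision by the client, and is left out.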

10 Replies

Dan Lukes
VIP Alumni
SPA 8000 just rejects our server's certificate

Unless the particular server's certificate is issued by a trusted CA, it needs to be rejected. SSL is here to prevent an attacker from being recognized as a valid provisioning server. It will not work if any certificate is considered valid.

I suppose, this server certificate should be signed by Cisco, or our certificate should be added to the SPA 8000 device as trusted.

If you wish for zero-touch provisioning, the certificate signed by Cisco needs to be used. Otherwise, either approach will solve your issue.

So either follow the SPA Certificate Authority (CA) List or import the certificate of your own CA into the device in question.

Thank you for your response!

Let me get it straight - our server's certificate is issued by the Comodo CA, so provisioning should work, and it doesn't have to be issued only by Cisco?

In that case it should be enough to import the root certificate authority into every phone for provisioning to work.

How can I do that with the Cisco SPA 8000 8-port voice gateway? I've been looking through the Cisco Admin Guide for this device, and certificate importing was never mentioned. Can you give some guidance on where I should look for information about how to import a certificate to this device?

Hm, I have no SPA8000 here. Such a feature was implemented for both the SPA[35]xx and the SPA[12]xx product lines about 3 years ago. So I assumed it has been implemented for SPA8000 as well.

OK. Assuming you are running the latest firmware version, search for the "Custom CA RULE" and "Custom CA URL" options. If they are not there, then such a feature has not been implemented on SPA8000. In that case the Cisco-issued certificate is the only option for you.

Thanks, man!

It seems the SPA 8000 doesn't have this option, even with the latest firmware.

Anyway, thanks, beer on me, if you ever gonna visit Moscow :)

I visited Moscow about 30 years ago. Not sure I will return in near time ;-)

Use a Cisco-issued certificate. The most complicated part is finding a sales representative. Call SMB support for help if you cannot find one.

Dan Miley
Level 3

The process for uploading certs to the ATA is in the provisioning guide, Chapter 4, p. 77. Certificates are described on p. 80.

https://supportforums.cisco.com/docs/DOC-9894

 

To request the Cisco cert, the process is here:

https://supportforums.cisco.com/document/36871/certificate-signing-request-csr-signed-ssl-certificates-spa-voice-products

Basically, you have to create the certificate signing request and send it, along with a list of the device types you are provisioning, to your distributor/reseller.

They will forward it to Cisco, who will send the cert.

** or **

You could use the SPA Profile Compiler (SPC) to encrypt / hash (AES or RC4) your configuration files so they are encrypted, but still send them over HTTPS. This will encrypt the files to prevent man-in-the-middle snooping. What you do not get is authentication. (Is the client downloading the file yours, and is the server providing the file to the ATA yours?)

SPC tool for the 8000 here.

http://www.cisco.com/c/en/us/support/unified-communications/spa8000-8-port-ip-telephony-gateway/model.html#~tab-downloads

Info about the SPC tool is in the provisioning guide linked above, p. 51.

Hope this helps. Flag it if it does.

Dan

Maybe I missed something, but in ...

The SPA30x and SPA5xx IP Phone, and PAP2T, SPA2102, SPA3102, SPA8x00 and WRP400 ATA Provisioning Guide:
http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/csbpvga/ata/provisioning/guide/Provisioning.pdf

... provisioning guide I see no word describing how to import one's own CA certificate into the device.

I think the SPA 8000 series is suffering from a lack of attention. Its firmware was updated in July 2013, so no wonder that the certificate importing feature is missing.

Oh, and thank you for the SPC hint, we'll try this if there are problems with finding a sales representative in Russia. A few of our suppliers were puzzled by our request for a cert.