Obtaining an SSL cert for SPA5xx phone provisioning

brantwinter2004
Level 1

Hi - I sent emails to Cisco last year trying to find out how I go about getting an SMB Cisco rep to submit a CSR for me. I submitted my question to ciscosb-certadmin@cisco.com in September 2015 and got a response from 'Joe <jvallada@cisco.com>' a month later asking if anyone had helped me. I responded back in Sep that no one had contacted me. I attempted to email him again today only to find his email address bounces and it looks as though he no longer works for Cisco.

I am not a high volume purchaser and purchase SPA phones from a local reseller. How do I find a Cisco SMB rep to submit a CSR for me?

These are small business devices. Why is it so hard for small businesses to securely provision these devices? The thing I find amazing is that, as end user admins, we can't upload our own CA root certs to support internal CAs - these are small business devices, NOT enterprise phones.

9 Replies

Dan Lukes
VIP Alumni

Well, it's one of the most secret pieces of information. You are not the first man asking it here. It seems no one knows how to identify the appropriate Cisco sales representative. Moreover - such a representative may not exist for a particular area at all (as in my case).

Call SMB support center for help.

Cisco now have a self service portal for users to upload the CSR and issue their own certs. Worked for me today.

So it's open to the public now? Glad to hear. It's new to me.

I was approved to ask for certificates directly, with no Cisco sales representative influence, a few years ago. So I assumed my access to such a portal is based on it and casual users have no access.

It would have been far easier for Cisco to just allow us to upload (via initial provisioning) our own internal CA root certs and then customers could have issued their own certs.

It seems you missed that it is possible.

You need not use https for provisioning - so you can fetch the so-called 'initial configuration' over http.

Moreover, such a configuration can be encrypted for the particular phone, so if fetched by a rogue user or an inappropriate phone, it will not be readable for them.

But it is not as secure as a configuration encrypted and signed by SSL. Thus a skilled rogue user will be able to arrange a MITM attack against your phone network.

In short, the feature you wish for has been here for a long time.

I understand I can encrypt the xml files and I also know I can retrieve them via http only. 

However, I wish to retrieve xml configs over https connections only.

For SSL you need a certificate recognized as trusted. So how do you wish the initial SSL provisioning to be done?

Easy, the server cert I have has been issued by the Cisco CA. However, I don't know if 7.3.7 firmware has the appropriate root certs in order to trust my server cert.

OK. I was confused by the following sentence:

It would have been far easier for Cisco to just allow us to upload (via initial provisioning) our own internal CA root certs and then customers could have issued their own certs.

Your own CA can't be used for initial provisioning. But once you have a certificate suitable for initial provisioning, you need no CA of your own for casual provisioning ...

But back to the most current topic.

For the purpose of this thread, Cisco uses four different certificate authorities to issue certificates to users. Three of them are recognized as trusted by the latest SPA50x firmware. It's up to you to ask for a certificate signed by a particular CA according to your wishes.

The Cisco 2k Small Business CA based certificate you have is supported from firmware 7.5.6 onward. So it will not work with 7.3.7 firmware. A Sipura CA signed certificate will work on 7.3.7 as well as on the latest firmware. I'm unsure about the Cisco Small Business (SB) CA based certificate - it may or may not work with 7.3.7 - I'm unsure about the oldest firmware version that recognizes it. Just try it.

But cave - * downgrade warning *.

If you consider downgrading a fully configured phone with such new firmware to such old firmware, it may be bricked with no way to recover (be sure I know it). There's no official guide for safe downgrade. To decrease risk ...

  • Always revert the phone to factory default before a non-trivial downgrade.
  • Use several smaller steps down, with intermediate resets to factory default, to reach the target version.
  • No, I don't know what firmware versions are safe to skip during a multi-step downgrade.
