Table of Contents
Advertisement
Configuring Secure SRST for SCCP and SIP
Table 1
Supported Cisco Unified IP Phones and Certificates
Cisco Unified IP Phone 7940
The phone receives locally significant
certificate (LSC) from Certificate
Authority Proxy Function (CAPF) in
Distinguished Encoding Rules (DER)
format.
•
59fe77ccd.0
The filename may change based on
the CAPF certificate subject name
and the CAPF certificate issuer.
If Cisco Unified Communications
Manager is using a third-party
certificate provider, there can be
multiple .0 files (from two to ten).
Each .0 certificate file must be
imported individually during the
configuration.
Manual enrollment supported only.
Cisco IOS Credentials Server on Secure SRST Routers
Secure SRST introduces a credentials server that runs on a secure SRST router. When the client,
Cisco Unified Communications Manager, requests a certificate through the TLS channel, the credentials
server provides the SRST router certificate to Cisco Unified Communications Manager.
Cisco Unified Communications Manager inserts the SRST router certificate in the Cisco Unified IP
Phone configuration file and downloads the configuration files to the phones. The secure Cisco Unified
IP Phone uses the certificate to authenticate the SRST router during fallback operations. The credentials
service runs on default TCP port 2445.
Three Cisco IOS commands configure the credentials server in call-manager-fallback mode:
•
•
•
Two Cisco IOS commands provide credential server debugging and verification capabilities:
•
•
Generating a Certificate for the Credentials Server
In configuring the credentials server on the Unified Secure SRST, a certificate is required to complete
the "trustpoint <trustpoint name>" configuration entry.
OL-13143-04
Cisco Unified IP Phone 7960
The phone receives locally significant
certificate (LSC) from Certificate
Authority Proxy Function (CAPF) in
Distinguished Encoding Rules (DER)
format.
•
59fe77ccd.0
The filename may change based on
the CAPF certificate subject name
and the CAPF certificate issuer.
If Cisco Unified Communications
Manager is using a third-party
certificate provider, there can be
multiple .0 files (from two to ten).
Each .0 certificate file must be
imported individually during the
configuration.
Manual enrollment supported only.
credentials
ip source-address (credentials)
trustpoint (credentials)
debug credentials
show credentials
Information About Configuring Secure SRST
Cisco Unified IP Phone 7970
The phone contains a manufacturing
installed certificate (MIC) used for device
authentication. If the Cisco 7970
implements MIC, two public certificate
files are needed:
•
CiscoCA.pem (Cisco Root CA, used
to authenticate the certificate.)
Note
a69d2e04.0, in Privacy Enhanced
•
Mail (PEM) format
If Cisco Unified Communications
Manager is using a third-party
certificate provider, there can be
multiple .0 files (from two to ten).
Each .0 certificate file must be
imported individually during the
configuration.
Manual enrollment supported only.
Cisco Unified SCCP and SIP SRST System Administrator Guide
The name of the manufacturing
certificate can vary depending on
your configuration.
181
Advertisement
Table of Contents
Troubleshooting
