Simple Certificate Enrollment Protocol (Scep) - Cisco 8861 Deployment Manual

Simple Certificate Enrollment Protocol (SCEP)

SCEP is the standard protocol for automatically provisioning and renewing certificates, which avoids manual installation and re-installation of
certificates on clients.
A Cisco IOS Registration Agent (RA), for example a Cisco IOS router, can serve as a proxy (SCEP RA) to the SCEP-enabled CA
that issues the certificates.
Ensure that the same CA chain is used for issuing certificates to the phones and to the RADIUS servers;
otherwise server validation can fail.
For initial certificate enrollment via SCEP, the Cisco IP Phone 8861 and 8865 need to be connected to an Ethernet network
that has connectivity to Cisco Unified Communications Manager.
The Cisco IP Phone 8861 and 8865 use the following parameters, defined in Cisco Unified Communications Manager, for
SCEP requests.
The WLAN SCEP Server parameter must be configured with either the IP address or the hostname of the SCEP RA.
The WLAN Root CA Fingerprint (SHA256 or SHA1) parameter must be configured with the fingerprint of the CA that issues the
certificates. If the issuing CA that the SCEP RA is enrolled to is a subordinate CA, enter the fingerprint of that subordinate CA, not the
fingerprint of the root CA. The configured fingerprint is used to validate the received certificate.
Removing these parameters disables SCEP.
The Cisco IP Phone 8861 and 8865 then send a SCEP enroll request to the SCEP RA, including the phone's Manufacturing
Installed Certificate (MIC) as the Proof of Identity (POI).
The SCEP RA validates the phone's MIC using the certificate of the subordinate CA that issued the phone's MIC, then passes it
to the RADIUS server for further device authentication.
The RADIUS server validates the device and sends a response to the SCEP RA.
The SCEP RA then forwards the enroll request to the CA if RADIUS authentication was successful.
The SCEP RA receives the user certificate from the CA and sends it to the phone after it receives a poll request from the phone.
The Cisco IP Phone 8861 and 8865 periodically check the expiration dates of the user and server certificates.
Certificate renewal occurs when the expiration date is within 50 days.
If the CA certificate used to define the WLAN Root CA Fingerprint (SHA256 or SHA1) has expired, the phone
sends a SCEP getca request for a new CA certificate. The administrator must first update the fingerprint in the phone's
configuration within Cisco Unified Communications Manager to match the new CA certificate so that it can be successfully
validated. The old CA certificate is then removed once the new one is successfully received from the CA.
If the user certificate has expired, the phone sends a new SCEP enroll request to update the user certificate. The old user
certificate is then removed once a new user certificate is successfully received from the CA.
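The fingerprint pinning described under the WLAN Root CA Fingerprint parameter and the 50-day renewal check described above can be modelled in a few lines. The following is an added example, not code from the deployment guide or from Cisco: it normalises an administrator-entered fingerprint (colon-separated or bare hex, either case), selects SHA-256 or SHA-1 from its length, compares it in constant time against the hash of the received CA certificate's DER bytes, and decides which SCEP request (getca, enroll or none) is due from the certificate expiry dates. The DER bytes, dates and the `next_scep_request` decision logic are constructed assumptions for illustration; a real phone would hash the actual DER-encoded CA certificate returned in the getca response.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the DER encoding of the issuing CA's certificate.
# A real check hashes the DER bytes of the certificate received from the SCEP RA.
CA_CERT_DER = b"constructed-der-bytes-of-issuing-ca-certificate"

# The guide states that renewal occurs when expiry is within 50 days.
RENEWAL_WINDOW_DAYS = 50

# Constructed sample dates (assumptions) so the decision logic can be exercised offline.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
USER_NOT_AFTER_SOON = NOW + timedelta(days=30)       # inside the 50-day window
USER_NOT_AFTER_FAR = NOW + timedelta(days=400)       # outside the window
CA_NOT_AFTER_VALID = NOW + timedelta(days=400)       # CA certificate still valid
CA_NOT_AFTER_EXPIRED = NOW - timedelta(days=1)       # CA certificate already expired


def normalise_fingerprint(fp: str) -> str:
    """Strip colons, spaces and case so pasted fingerprints compare reliably."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprint_algorithm(fp_hex: str) -> str:
    """Choose SHA-256 or SHA-1 from the fingerprint length; reject anything else."""
    if len(fp_hex) == 64:
        return "sha256"
    if len(fp_hex) == 40:
        return "sha1"
    raise ValueError("fingerprint must be 40 (SHA-1) or 64 (SHA-256) hex digits")


def compute_fingerprint(cert_der: bytes, algo: str) -> str:
    """Hex digest of the DER-encoded certificate under the named hash."""
    return hashlib.new(algo, cert_der).hexdigest()


def format_fingerprint(fp_hex: str) -> str:
    """Render a bare hex digest as the colon-separated upper-case form admins usually paste."""
    return ":".join(fp_hex[i:i + 2] for i in range(0, len(fp_hex), 2)).upper()


def ca_fingerprint_matches(cert_der: bytes, configured_fp: str) -> bool:
    """True only if the received CA certificate hashes to the configured fingerprint."""
    want = normalise_fingerprint(configured_fp)
    algo = fingerprint_algorithm(want)
    got = compute_fingerprint(cert_der, algo)
    # Constant-time comparison avoids leaking how many leading digits matched.
    return hmac.compare_digest(got, want)


def days_until(not_after: datetime, now: datetime) -> int:
    """Whole days remaining before expiry (negative once expired)."""
    return (not_after - now).days


def renewal_due(not_after: datetime, now: datetime,
                window_days: int = RENEWAL_WINDOW_DAYS) -> bool:
    """True when expiry is within the renewal window or already past."""
    return not_after - now <= timedelta(days=window_days)


def next_scep_request(user_not_after: datetime, ca_not_after: datetime,
                      now: datetime) -> str:
    """Decide the phone's next SCEP request (constructed decision logic).

    An expired CA certificate triggers a getca request; a user certificate
    inside the renewal window triggers an enroll request; otherwise nothing.
    """
    if ca_not_after <= now:
        return "getca"
    if renewal_due(user_not_after, now):
        return "enroll"
    return "none"


if __name__ == "__main__":
    pinned = format_fingerprint(compute_fingerprint(CA_CERT_DER, "sha256"))
    print("configured fingerprint:", pinned)
    print("matches received CA cert:", ca_fingerprint_matches(CA_CERT_DER, pinned))
    print("next request:", next_scep_request(USER_NOT_AFTER_SOON, CA_NOT_AFTER_VALID, NOW))
```

Because the algorithm is inferred from the fingerprint length, an administrator who pastes a truncated or partial value gets a hard error rather than a silent mismatch, which is the failure mode the guide warns about when the fingerprint is not updated to match a renewed CA certificate.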
Certificate Authority (CA) Configuration
It is recommended to use Microsoft® Certificate Authority (CA) servers.
Use the following guidelines to configure the Microsoft CA.
Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide, page 157