Use Https; Server Certificates; Client Certificates; Obtain A Server Certificate - Cisco 8831 Administration Manual

Unified IP Conference Phone for Third-Party Call Control

Chapter 5
Provisioning

Use HTTPS

The Cisco Unified IP Conference Phone 8831 for Third-Party Call Control provides a reliable and secure
provisioning strategy based on HTTPS requests from the phone to the provisioning server, using both
server and client certificates for authenticating the client to the server and the server to the client.
To use HTTPS with the phone, you must generate a Certificate Signing Request (CSR) and submit it to
Cisco. The Cisco Unified IP Conference Phone 8831 for Third-Party Call Control generates a certificate
for installation on the provisioning server that is accepted by the conference phones when they seek to
establish an HTTPS connection with the provisioning server.
The phone implements up to 256-bit symmetric encryption, using the Advanced Encryption Standard
(AES), in addition to 128-bit RC4. The phone supports the Rivest, Shamir, and Adleman (RSA)
algorithm for public/private key cryptography.

Server Certificates

Each secure provisioning server is issued a Secure Sockets Layer (SSL) server certificate, directly signed
by Cisco. The firmware running on the Cisco IP phone clients recognizes only these certificates as valid.
The clients try to authenticate the server certificate when connecting via HTTPS, and reject any server
certificate not signed by Cisco.
This mechanism protects the service provider from unauthorized access to the Cisco IP phone endpoint,
and from any attempt to spoof the provisioning server. Spoofing the server might allow an attacker to
reprovision the Cisco IP phone to gain configuration information, or to use a different VoIP service.
Without the private key corresponding to a valid server certificate, the attacker is unable to establish
communication with a Cisco IP phone.

Client Certificates

In addition to a direct attack on the phone, an attacker might attempt to contact a provisioning server
using a standard web browser, or other HTTPS client, to obtain the phone configuration profile from the
provisioning server. To prevent this kind of attack, each phone carries a unique client certificate, also
signed by Cisco, including identifying information about each individual endpoint. A certificate
authority root certificate capable of authenticating the device client certificate is given to each service
provider. This authentication path allows the provisioning server to reject unauthorized requests for
configuration profiles.
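
The server-side check described above, as an added example that is not from the Cisco guide: a Python `ssl` context that refuses any connection without a client certificate chaining to the supplied CA root, plus a per-request check that goes one step further and ties the requested profile to the identity in that certificate. The file paths, the `/profiles/<mac>.xml` layout, and the assumption that the endpoint's MAC address appears in the certificate's commonName are illustrative and are not stated in the guide.

```python
import re
import ssl


def make_provisioning_context(server_cert, server_key, client_ca_root):
    """TLS context for a provisioning server that demands a client certificate.

    All three paths are placeholders (assumptions): the server certificate and
    its private key, and the CA root supplied for authenticating device certs.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=server_cert, keyfile=server_key)
    ctx.load_verify_locations(cafile=client_ca_root)
    # Without CERT_REQUIRED, a browser presenting no certificate could connect.
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Exactly 12 hex digits, not embedded in a longer hex run.
_MAC = re.compile(r"(?i)(?<![0-9a-f])[0-9a-f]{12}(?![0-9a-f])")


def endpoint_mac(peercert):
    """Return the MAC found in the subject commonName, or None.

    `peercert` is what ssl.SSLSocket.getpeercert() returns after the handshake.
    Assumption: the commonName carries the MAC as 12 hex digits.
    """
    for rdn in (peercert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                match = _MAC.search(value)
                if match:
                    return match.group(0).lower()
    return None


def may_fetch(peercert, requested_profile):
    """Allow a phone to fetch only the profile named after its own MAC."""
    mac = endpoint_mac(peercert)
    return mac is not None and requested_profile.lower() == f"/profiles/{mac}.xml"


# Constructed sample shaped like getpeercert() output; all values are made up.
SAMPLE_PEERCERT = {
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "phone 0011223344aa"),)),
}
```
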

Obtain a Server Certificate

To obtain a server certificate:

Step 1  Contact a Cisco support person who will work with you on the certificate process. If you are not
        working with a specific support person, you can email your request to ciscosb-certadmin@cisco.com.

Step 2  Generate a private key that will be used in a CSR (Certificate Signing Request). This key is private
        and you do not need to provide this key to Cisco support. Use open source "openssl" to generate the
        key. For example:

        openssl genrsa -out <file.key> 1024

Cisco Unified IP Conference Phone 8831 for Third-Party Call Control Administration Guide