Https Certificates; Https Methodology; Ssl Server Certificate - Cisco 8800 Series Manual

HTTPS Certificates

Step 6
Click Submit All Changes.
Step 7 Observe the syslog trace to ensure a successful resync.
Step 8
Access the phone administration web page. See
Step 9 Select Voice > Provisioning.
Step 10 Verify that the GPP_D parameter contains the information that the script captured.
This information contains the product name, MAC address, and serial number if the test device carries a
unique certificate from the manufacturer. The information contains generic strings if the unit was manufactured
before firmware release 2.0.
A similar script can determine information about the resyncing device and then provide the device with
appropriate configuration parameter values.
HTTPS Certificates
The phone provides a reliable and secure provisioning strategy that is based on HTTPS requests from the
device to the provisioning server. Both a server certificate and a client certificate are used to authenticate the
phone to the server and the server to the phone.
In addition to Cisco issued certifications, the phone also accepts server certificates from a set of commonly
used SSL certificate providers.
To use HTTPS with the phone, you must generate a Certificate Signing Request (CSR) and submit it to Cisco.
The phone generates a certificate for installation on the provisioning server. The phone accepts the certificate
when it seeks to establish an HTTPS connection with the provisioning server.

HTTPS Methodology

HTTPS encrypts the communication between a client and a server, thus protecting the message contents from
other network devices. The encryption method for the body of the communication between a client and a
server is based on symmetric key cryptography. With symmetric key cryptography, a client and a server share
a single secret key over a secure channel that is protected by Public/Private key encryption.
Messages encrypted by the secret key can only be decrypted by using the same key. HTTPS supports a wide
range of symmetric encryption algorithms. The phone implements up to 256-bit symmetric encryption, using
the American Encryption Standard (AES), in addition to 128-bit RC4.
HTTPS also provides for the authentication of a server and a client engaged in a secure transaction. This
feature ensures that a provisioning server and an individual client cannot be spoofed by other devices on the
network. This capability is essential in the context of remote endpoint provisioning.
Server and client authentication is performed by using public/private key encryption with a certificate that
contains the public key. Text that is encrypted with a public key can be decrypted only by its corresponding
private key (and vice versa). The phone supports the Rivest-Shamir-Adleman (RSA) algorithm for public/private
key cryptography.

SSL Server Certificate

Each secure provisioning server is issued a secure sockets layer (SSL) server certificate that Cisco signs
directly. The firmware that runs on the phone recognizes only a Cisco certificate as valid. When a client
connects to a server by using HTTPS, it rejects any server certificate that is not signed by Cisco.
Cisco IP Phone 8800 Series Multiplatform Phone Administration Guide for Release 11.3(1) and Later
60
Access the Phone Web Interface, on page
Cisco IP Phone Provisioning
104.