Cisco CP-7911G-CH1 System Administrator Manual page 196

How to Configure Secure Unified SRST
Cisco Unified Communications Manager 4.X.X and Earlier Versions
For systems running Cisco Unified Communications Manager 4.X.X and earlier versions, the secure
Cisco Unified SRST Router must retrieve phone certificates so that it can authenticate Cisco Unified IP
phones during the TLS handshake. Different certificates are used for different Cisco Unified IP Phones.
Table 1
Certificates must be imported manually from Cisco Unified Communications Manager to the
Cisco Unified SRST Router. The number of certificates depends on the Cisco Unified Communications
Manager configuration. Manual enrollment refers to cut and paste or TFTP. For manual enrollment
instructions, see the
enrollment procedure for each phone or PEM file.
For Cisco Unified Communications Manager 4.X.X and earlier versions, certificates are found by going
to the menu bar in Cisco Unified Communications Manager, choose Program Files > Cisco >
Certificates.
Open the .0 files with Windows Wordpad or Notepad, and copy and paste the contents to the SRST router
console. Then, repeat the procedure with the .pem file. Copy all of the contents that appear between
"-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
For certification operation on Cisco Unified Communications Operating System Administration Guide,
Release 6.1(1), see
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/cucos/6_1_1/cucos/iptpch6.html.
Cisco Unified Communications Manager 5.0 and Later Versions
Systems running Cisco Unified CM 5.0 and later versions require four certificates (CAPF, CiscoCA,
CiscoManufactureCA, and CiscoRootCA2048) in addition to the requirements listed in
must be copied and pasted to Cisco Unified SRST Routers.
CiscoRootCA is also called CiscoRoot2048CA.
Note
Prerequisites
You must have certificates available when the last configuration command (crypto pki authenticate)
issues the following prompt:
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
For Cisco Unified CM 5.0 and later versions, perform the following steps:
Login to Cisco Unified Communications Manager.
Step 1
Go to Security > Certificate Management > Download Certificate/CTL.
Step 2
Select Download Trust Cert and click Next.
Step 3
Select CAPF-trust and click Next.
Step 4
Select CiscoCA and click Next.
Step 5
Click Continue.
Step 6
Step 7 Click the file name.
Cisco Unified SCCP and SIP SRST System Administrator Guide
196
lists the certificates needed for each type of phone.
Manual Certificate Enrollment (TFTP and Cut-and-Paste)
Configuring Secure SRST for SCCP and SIP
feature. Repeat the
Table
OL-13143-04
1, which