Enabling Https - Linksys SPA2102-AU Provisioning Manual

Chapter 1
Provisioning Linksys VoIP Devices
For example, the following is the User-Agent request field from a SPA2102:
User-Agent: Linksys/SPA-2102-2.0.5 (88012BA01234)

Enabling HTTPS

For increased security when managing remotely deployed units, the SPA supports HTTPS for provisioning. To
this end, each newly manufactured SPA carries a unique SSL client certificate (and associated private
key), in addition to a Linksys CA server root certificate. The latter allows the SPA to recognize authorized
provisioning servers and reject non-authorized servers. The client certificate, in turn, allows
the provisioning server to identify the individual SPA issuing the request.
In order for a service provider to manage SPA deployment using HTTPS, a server certificate needs to be
generated for each provisioning server to which the SPA resyncs using HTTPS. The server certificate
must be signed by the Linksys Server CA Root Key, whose certificate is carried by all deployed units.
To obtain a signed server certificate, the service provider must forward a certificate signing request to
Linksys, which signs and returns the server certificate for installation on the provisioning server.
The provisioning server certificate must contain in the subject Common Name (CN field) the FQDN of
the host running the server. It may optionally contain additional information following the host FQDN,
separated by a / character. The following are examples of CN entries that would be accepted as valid by
the SPA:
CN=sprov.callme.com
CN=pv.telco.net/mailto:admin@telco.net
CN=prof.voice.com/info@voice.com
In addition to verifying the certificate chain of the provisioning server certificate, the SPA tests the
server IP address against a DNS lookup of the server name specified in the server certificate.
A certificate signing request can be generated using the OpenSSL utility. The following shows an
example of the openssl command that produces a 1024-bit RSA public/private key pair and a certificate
signing request:
openssl req -new -out provserver.csr
This command generates the server private key in privkey.pem and a corresponding certificate signing
request in provserver.csr. In this example, the service provider keeps privkey.pem secret and submits
provserver.csr to Linksys for signing. Upon receiving the provserver.csr file, Linksys generates
provserver.crt, the signed server certificate.
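The following is an added example, not part of the guide and not Linksys code, that wraps the openssl step above while pinning the details the SPA depends on: the CN is set explicitly to the provisioning host's FQDN (optionally followed by a / and extra text), the private key is written to a named file instead of openssl's default privkey.pem, and the CSR subject is read back and checked before the file is submitted for signing. The host name pv.telco.net, the file names and the 2048-bit key size are this example's assumptions; the guide's bare command relied on OpenSSL's defaults of the time.

```python
"""Generate a provisioning-server CSR for submission to the Linksys CA (added example).

Wraps the `openssl req` step from the guide but pins the details the SPA depends
on: the CN is set explicitly to the provisioning host's FQDN (optionally followed
by '/' and extra text), the private key goes to a named file instead of openssl's
default privkey.pem, and the CSR subject is read back and checked before the
file is sent for signing. Host names, file names and the key size are this
example's assumptions; the code is not Linksys's.
"""
import os
import re
import subprocess
from typing import List


def _escape_subj_value(value: str) -> str:
    """Escape characters that are special inside `openssl req -subj`: '/' separates
    RDNs, '=' separates key and value, '+' joins multi-valued RDNs. Without this,
    the SPA's 'FQDN/extra' CN would be split into two RDNs by openssl."""
    return re.sub(r"([\\/=+])", r"\\\1", value)


def csr_command(fqdn: str, key_file: str, csr_file: str,
                extra: str = "", key_bits: int = 2048) -> List[str]:
    """Build the openssl argv for a new key and CSR whose CN is FQDN[/extra].

    The guide's command left key size, key file name and subject to OpenSSL's
    defaults and prompts; 2048 bits is this example's choice.
    """
    if "/" in fqdn or "." not in fqdn:
        raise ValueError(f"not a plausible FQDN: {fqdn!r}")
    cn = fqdn if not extra else f"{fqdn}/{extra}"
    return [
        "openssl", "req", "-new",
        "-newkey", f"rsa:{key_bits}",
        "-nodes",                       # unencrypted key: the server must start unattended
        "-keyout", key_file,
        "-out", csr_file,
        "-subj", "/CN=" + _escape_subj_value(cn),
    ]


def cn_from_subject_line(line: str) -> str:
    """Extract the CN from `openssl req -noout -subject -nameopt RFC2253` output,
    e.g. 'subject=CN=pv.telco.net/mailto:admin@telco.net'. RDNs are separated by
    unescaped commas; '/' is not special in RFC 2253 output, so the SPA's
    '/'-suffixed CN survives intact."""
    body = line.strip()
    if body.startswith("subject="):
        body = body[len("subject="):]
    for rdn in re.split(r"(?<!\\),", body):
        key, sep, value = rdn.partition("=")
        if sep and key.strip().upper() == "CN":
            return value.replace("\\,", ",")
    raise ValueError(f"no CN in subject line: {line!r}")


def generate_csr(fqdn: str, key_file: str, csr_file: str, extra: str = "") -> str:
    """Run openssl, lock down the key file, verify the CN and return it.

    Requires the openssl binary on PATH; file names are caller-supplied.
    """
    subprocess.run(csr_command(fqdn, key_file, csr_file, extra), check=True)
    os.chmod(key_file, 0o600)          # the key never leaves this host; only the CSR is submitted
    out = subprocess.run(
        ["openssl", "req", "-noout", "-subject", "-nameopt", "RFC2253", "-in", csr_file],
        check=True, capture_output=True, text=True,
    ).stdout
    cn = cn_from_subject_line(out)
    expected = fqdn if not extra else f"{fqdn}/{extra}"
    if cn != expected:
        raise RuntimeError(f"CSR CN {cn!r} does not match requested {expected!r}")
    return cn


if __name__ == "__main__":
    # Assumed host and contact suffix; file names are local to this run.
    print(generate_csr("pv.telco.net", "provserver.key", "provserver.csr",
                       extra="mailto:admin@telco.net"))
```

The read-back step matters because a CN that openssl silently split or truncated would be signed as-is by the CA and then rejected by every SPA that resyncs to the server.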
In addition, Linksys also provides a Linksys CA Client Root Certificate to the service provider. This root
certificate certifies the authenticity of the client certificate carried by each SPA.
The unique client certificate offered by each SPA during an HTTPS session carries identifying
information embedded in its subject field. This information can be made available by the HTTPS server
to a CGI script invoked to handle secure requests. In particular, the certificate subject indicates the unit
product name (OU element), MAC address (S element), and serial number (L element). The following
is an example of these elements from a SPA2102 client certificate subject field:
OU=SPA-2102, L=88012BA01234, S=000e08abcdef
Early SPA units, manufactured before firmware 2.0.x, do not contain individual SSL client certificates.
When these units are upgraded to a firmware release in the 2.0.x tree, they become capable of connecting
to a secure server using HTTPS, but are only able to supply a generic client certificate if requested to do
so by the server. This generic certificate contains the following information in the SPA identifying fields:
OU=Linksys.com, L=Linksysgeneric, S=Linksysgeneric
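The server-side counterpart of the two conventions described above, as an added example that is not part of the guide and not Linksys code: it parses a server-certificate CN of the accepted FQDN/extra form and mirrors the SPA's check that the server IP is among the DNS answers for that FQDN, and it extracts product name (OU), serial number (L) and MAC address (S) from the client-certificate subject a CGI handler receives, marking the generic pre-2.0.x certificate rather than silently treating it as a unit. The dictionary-based subject parsing, the injectable resolver and the sample address 192.0.2.10 are constructed for this example.

```python
"""Server-side handling of the SPA certificate conventions (added example).

Covers two things a provisioning server or its CGI handler has to get right:
  1. the CN form the SPA accepts in the *server* certificate (FQDN, optionally
     followed by '/' and extra text) together with the SPA's check that the
     server's IP is among the addresses DNS returns for that FQDN, and
  2. extraction of product name (OU), serial number (L) and MAC address (S)
     from the *client* certificate subject, flagging the shared generic
     certificate presented by units that pre-date firmware 2.0.x.
The subject-string handling, the injectable resolver and all sample values are
constructed for this example; none of it is Linksys code.
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

# One DNS label: alphanumerics and hyphens, no leading or trailing hyphen, at most 63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{12}$")

# Subject elements of the generic certificate, as given in the guide.
GENERIC_SUBJECT = {"OU": "Linksys.com", "L": "Linksysgeneric", "S": "Linksysgeneric"}


def parse_server_cn(cn: str) -> Tuple[str, Optional[str]]:
    """Split a server-certificate CN into (fqdn, extra).

    Accepts 'CN=pv.telco.net/mailto:admin@telco.net' or just the value.
    Raises ValueError unless the part before the first '/' is a well-formed
    FQDN with a non-numeric top-level label (so an IP literal is rejected).
    """
    if cn.upper().startswith("CN="):
        cn = cn[3:]
    host, sep, extra = cn.partition("/")
    if not _FQDN_RE.match(host) or host.rsplit(".", 1)[-1].isdigit():
        raise ValueError(f"CN does not start with an FQDN: {cn!r}")
    return host.lower(), (extra if sep else None)


def _system_resolve(name: str) -> Iterable[str]:
    """Default resolver: every address the system resolver returns for `name`."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def server_cn_matches_ip(cn: str, peer_ip: str,
                         resolve: Optional[Callable[[str], Iterable[str]]] = None) -> bool:
    """Mirror the SPA's check: the provisioning server's IP must be one of the
    addresses DNS returns for the FQDN in the certificate CN.

    `resolve` is injectable so the logic can be exercised offline.
    """
    fqdn, _extra = parse_server_cn(cn)
    return peer_ip in set((resolve or _system_resolve)(fqdn))


@dataclass(frozen=True)
class SpaIdentity:
    product: str          # OU element, e.g. SPA-2102
    serial: str           # L element, e.g. 88012BA01234
    mac: Optional[str]    # S element as 12 lowercase hex digits; None for the generic cert
    generic: bool         # True when the unit presented the shared pre-2.0.x certificate


def parse_subject(subject: str) -> Dict[str, str]:
    """Parse 'OU=SPA-2102, L=88012BA01234, S=000e08abcdef' into a dict keyed by element.

    SPA subjects carry no commas inside values, so splitting on ',' is sufficient here.
    """
    fields: Dict[str, str] = {}
    for rdn in subject.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        key, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN in client subject: {rdn!r}")
        fields[key.strip().upper()] = value.strip()
    return fields


def identify_spa(subject: str) -> SpaIdentity:
    """Turn the client-certificate subject into a validated SpaIdentity.

    A generic certificate is recognised and marked rather than rejected, so the
    caller can decide (for example) to serve only an upgrade profile to it.
    """
    f = parse_subject(subject)
    missing = [k for k in ("OU", "L", "S") if k not in f]
    if missing:
        raise ValueError(f"client subject lacks {missing}: {subject!r}")
    if all(f[k] == v for k, v in GENERIC_SUBJECT.items()):
        return SpaIdentity(product=f["OU"], serial=f["L"], mac=None, generic=True)
    if not _MAC_RE.match(f["S"]):
        raise ValueError(f"S element is not a 12-hex-digit MAC: {f['S']!r}")
    return SpaIdentity(product=f["OU"], serial=f["L"], mac=f["S"].lower(), generic=False)


if __name__ == "__main__":
    # Offline demo with a constructed resolver answer; no network is touched.
    print(parse_server_cn("CN=pv.telco.net/mailto:admin@telco.net"))
    print(server_cn_matches_ip("prof.voice.com/info@voice.com", "192.0.2.10",
                               resolve=lambda name: ["192.0.2.10"]))
    print(identify_spa("OU=SPA-2102, L=88012BA01234, S=000e08abcdef"))
    print(identify_spa("OU=Linksys.com, L=Linksysgeneric, S=Linksysgeneric"))
```

Because every pre-2.0.x unit presents the same generic certificate, its subject identifies nothing about the individual device; a handler that keys profiles on the L or S element should treat `generic=True` as "unauthenticated unit" and fall back to another identifier, such as the serial in the User-Agent header, only after the unit has been upgraded and re-connects with its own certificate.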
Version 3.0
Provisioning Setup
Linksys SPA Provisioning Guide
1-13
