Using Https; Server Certificates - Cisco Small Business SPA509G Administration Manual

Provisioning Basics

Using HTTPS

Using HTTPS
Cisco Small Business SPA300 Series, SPA500 Series, and WIP310 IP Phone Administration Guide
The Cisco IP phone provides a reliable and secure provisioning strategy based on
HTTPS requests from the Cisco IP phone to the provisioning server, using both
server and client certificates for authenticating the client to the server and the
server to the client.
To use HTTPS with Cisco IP phones, you must generate a Certificate Signing
Request (CSR) and submit it to Cisco. The Cisco IP phone generates a certificate
for installation on the provisioning server that is accepted by Cisco IP phones
when they seek to establish an HTTPS connection with the provisioning server.
The Cisco IP phone implements up to 256-bit symmetric encryption, using the
American Encryption Standard (AES), in addition to 128-bit RC4. The Cisco IP
phone supports the Rivest, Shamir, and Adelman (RSA) algorithm for public/
private key cryptography.

Server Certificates

Each secure provisioning server is issued an secure sockets layer (SSL) server
certificate, directly signed by Cisco. The firmware running on the Cisco IP phone
clients recognizes only these certificates as valid. The clients try to authenticate
the server certificate when connecting via HTTPS, and reject any server
certificate not signed by Cisco.
This mechanism protects the service provider from unauthorized access to the
Cisco IP phone endpoint, or any attempt to spoof the provisioning server. This
might allow the attacker to reprovision the Cisco IP phone to gain configuration
information, or to use a different VoIP service. Without the private key
corresponding to a valid server certificate, the attacker is unable to establish
communication with a Cisco IP phone.
6
178