Https - Cisco SPA901-UK - Small Business Pro Provisioning Manual

Cisco Small Business IP Telephony Devices Provisioning Guide

HTTPS

For increased security managing remotely deployed units, the IP Telephony
device supports HTTPS for provisioning. Each newly manufactured IP Telephony
device carries a unique SSL Client Certificate (and associated private key), in
addition to a Sipura CA server root certificate. The latter allows the IP Telephony
device to recognize authorized provisioning servers, and reject non-authorized
servers. On the other hand, the client certificate allows the provisioning server to
identify the individual device that issues the request.
For a service provider to manage deployment by using HTTPS, a server certificate
must be generated for each provisioning server to which the IP Telephony device
resyncs by using HTTPS. The server certificate must be signed by the Cisco
Server CA Root Key, whose certificate is carried by all deployed units. To obtain a
signed server certificate, the service provider must forward a certificate signing
request to Cisco, which signs and returns the server certificate for installation on
the provisioning server.
The provisioning server certificate must contain, in the Common Name (CN) field
of the subject, the FQDN of the host running the server. It might optionally contain
additional information following the host FQDN, separated by a slash (/) character.
The following examples are of CN entries that are accepted as valid by the IP
Telephony device:
CN=sprov.callme.com
CN=pv.telco.net/mailto:admin@telco.net
CN=prof.voice.com/info@voice.com
In addition to verifying the server certificate, the IP Telephony device tests the
server IP address against a DNS lookup of the server name specified in the server
certificate.
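
The following Python sketch is an added example, not code from Cisco or the device firmware. It lets a service provider pre-check a planned CN value against the two rules described above: the FQDN comes before the first slash, and the server IP address must appear in a DNS lookup of that name. The function names, the hostname grammar, and the sample DNS data are assumptions made for illustration.

```python
import re
import socket

# Hostname label rule (RFC 1123 style). Assumption: the page does not give the device's exact grammar.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def host_from_cn(cn):
    """Return the FQDN part of a CN value: everything before the first '/'."""
    value = cn.strip()
    if value.upper().startswith("CN="):
        value = value[3:]
    host = value.split("/", 1)[0].rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"CN does not start with an FQDN: {cn!r}")
    return host

def system_resolver(host):
    """Resolve host to a set of IP address strings using the OS resolver."""
    return {info[4][0] for info in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)}

def check_provisioning_cn(cn, server_ip, resolver=system_resolver):
    """Return (ok, reason) for a CN and the IP address the provisioning server uses."""
    try:
        host = host_from_cn(cn)
    except ValueError as exc:
        return False, str(exc)
    try:
        addresses = resolver(host)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, f"{host} does not resolve: {exc}"
    if server_ip not in addresses:
        return False, f"{server_ip} not in DNS answer for {host}: {sorted(addresses)}"
    return True, f"{host} resolves to {server_ip}"

# Constructed DNS data (documentation address ranges) so the example runs offline.
SAMPLE_DNS = {"sprov.callme.com": {"192.0.2.10"}, "pv.telco.net": {"198.51.100.7"}}

def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise OSError("name not found (constructed data)")
    return SAMPLE_DNS[host]

if __name__ == "__main__":
    for cn, ip in [("CN=sprov.callme.com", "192.0.2.10"),
                   ("CN=pv.telco.net/mailto:admin@telco.net", "198.51.100.7"),
                   ("CN=pv.telco.net/mailto:admin@telco.net", "203.0.113.5"),
                   ("CN=prof.voice.com/info@voice.com", "192.0.2.10")]:
        print(cn, ip, check_provisioning_cn(cn, ip, sample_resolver))
```

Calling check_provisioning_cn without the resolver argument uses the operating system's DNS resolver, which is the check to run before submitting the signing request.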
A certificate signing request can be generated using the OpenSSL utility. The
following example shows the openssl command that produces a 1024-bit RSA
public/private key pair and a certificate signing request:
openssl req -new -out provserver.csr
This command generates the server private key in privkey.pem and a
corresponding certificate signing request in provserver.csr. In this example, the
service provider keeps the privkey.pem secret and submits provserver.csr to
Cisco for signing. Upon receiving the provserver.csr file, Cisco generates
provserver.crt, the signed server certificate.