Table of Contents
Advertisement
Provisioning Cisco Small Business VoIP Devices
Provisioning Setup
Cisco Small Business IP Telephony Devices Provisioning Guide
In addition, Cisco provides a Sipura CA Client Root Certificate to the service
provider. This root certificate certifies the authenticity of the client certificate
carried by each IP Telephony device.
The unique client certificate offered by each device during an HTTPS session
carries identifying information embedded in its subject field. This information can
be made available by the HTTPS server to a CGI script invoked to handle secure
requests. In particular, the certificate subject indicates the unit product name (OU
element), MAC address (S element), and serial number (L element). The following
example from a SPA962 client certificate subject field shows these elements:
OU=SPA-962, L=88012BA01234, S=000e08abcdef
Early units, manufactured before firmware 2.0.x, do not contain individual SSL
client certificates. When these units are upgraded to a firmware release in the
2.0.x tree, they become capable of connecting to a secure server using HTTPS,
but are only able to supply a generic client certificate if requested to do so by the
server. This generic certificate contains the following information in the identifying
fields:
OU=cisco.com, L=ciscogeneric, S=ciscogeneric
To determine if an IP Telephony device carries an individualized certificate, use the
$CCERT provisioning macro variable. The variable value expands to either
Installed or Not Installed, according to the presence or absence of a unique client
certificate. In the case of a generic certificate, it is possible to obtain the serial
number of the unit from the HTTP request header in the User-Agent field.
HTTPS servers can be configured to request SSL certificates from connecting
clients. If enabled, the server can verify the client certificate by using the Sipura
CA Client Root Certificate supplied by Cisco. It can then provide the certificate
information to a CGI for further processing.
The location for storing certificates might vary. For example, on an Apache
installation, the file paths for storing the provisioning server–signed certificate, its
associated private key, and the Sipura CA client root certificate are as follows:
# Server Certificate:
SSLCertificateFile /etc/httpd/conf/provserver.crt
# Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/provserver.key
# Certificate Authority (CA):
SSLCACertificateFile /etc/httpd/conf/spacroot.crt
1
24
Advertisement
Table of Contents
