Cisco SPA1112 Provisioning Manual page 42

Analog telephone adapters
In-House Preprovisioning and Provisioning Servers
Provisioning Server Setup
Provisioning Guide for Cisco SPA100 and SPA200 Series Analog Telephone Adapters
When the ATA is configured to resync to a configuration profile by using HTTP, it is
recommended that the profile be encrypted to protect confidential information.
The ATA supports 256-bit AES in CBC mode to decrypt profiles. Encrypted
profiles downloaded by the ATA by using HTTP avoid the danger of exposing
confidential information contained in the configuration profile. This resync mode
produces a lower computational load on the provisioning server when compared
to using HTTPS.
HTTPS Provisioning
For increased security when managing remotely deployed units, the ATA supports
HTTPS for provisioning. Each ATA carries a unique SSL Client Certificate (and
associated private key), in addition to a Sipura CA server root certificate. The latter
allows the ATA to recognize authorized provisioning servers and reject
non-authorized servers. The client certificate, in turn, allows the provisioning
server to identify the individual device that issues the request.
For a service provider to manage deployment by using HTTPS, a server certificate
must be generated for each provisioning server to which an ATA resyncs by using
HTTPS. The server certificate must be signed by the Cisco Server CA Root Key,
whose certificate is carried by all deployed units. To obtain a signed server
certificate, the service provider must forward a certificate signing request to
Cisco, which signs and returns the server certificate for installation on the
provisioning server.
The subject of the provisioning server certificate must contain the Common Name
(CN) field and the FQDN of the host running the server. The CN might optionally
contain information following the host FQDN, separated by a slash (/) character. The
following examples are of CN entries that are accepted as valid by the ATA:
CN=sprov.callme.com
CN=pv.telco.net/mailto:admin@telco.net
CN=prof.voice.com/info@voice.com
In addition to verifying the server certificate, the ATA tests the server IP address
against a DNS lookup of the server name specified in the server certificate.
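A pre-deployment check modelled on the two rules above (CN begins with the host FQDN, optionally followed by a slash and extra information; the server IP must match a DNS lookup of that name). This is an added example, not Cisco code or the ATA's actual implementation. The function names, the FQDN syntax rule and the sample addresses are assumptions.

```python
import ipaddress
import re
import socket

# Assumed FQDN syntax: dot-separated labels of letters, digits and hyphens.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Constructed DNS data (documentation address range), so the demo runs offline.
SAMPLE_DNS = {"sprov.callme.com": ["192.0.2.10"], "pv.telco.net": ["192.0.2.20"]}

def split_cn(cn):
    """Split a CN value into (fqdn, extra) at the first slash."""
    value = cn.strip()
    if value.upper().startswith("CN="):
        value = value[3:]
    fqdn, _, extra = value.partition("/")
    return fqdn, (extra or None)

def is_fqdn(name):
    labels = name.rstrip(".").split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(_LABEL.fullmatch(l) for l in labels)

def dns_lookup(name):
    """Live lookup; returns the addresses the name resolves to."""
    return [info[4][0] for info in socket.getaddrinfo(name, None)]

def sample_lookup(name):
    """Offline stand-in for dns_lookup, backed by SAMPLE_DNS."""
    if name not in SAMPLE_DNS:
        raise OSError("name not found: " + name)
    return SAMPLE_DNS[name]

def check_server(cn, server_ip, lookup=dns_lookup):
    """Return (ok, reason) for a certificate CN and the IP the server answers on."""
    fqdn, _extra = split_cn(cn)
    if not is_fqdn(fqdn):
        return False, "CN does not begin with a host FQDN"
    try:
        resolved = {ipaddress.ip_address(a.split("%")[0]) for a in lookup(fqdn)}
    except OSError as exc:
        return False, "DNS lookup failed: %s" % exc
    if ipaddress.ip_address(server_ip) not in resolved:
        return False, "%s is not among the addresses of %s" % (server_ip, fqdn)
    return True, "CN and DNS agree"

if __name__ == "__main__":
    for cn, ip in [("CN=sprov.callme.com", "192.0.2.10"),
                   ("CN=pv.telco.net/mailto:admin@telco.net", "192.0.2.99")]:
        print(cn, ip, check_server(cn, ip, lookup=sample_lookup))
```

Running the check with the default `dns_lookup` from the network the ATAs will use shows whether the name in the certificate resolves to the provisioning server's address there.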
A certificate signing request can be generated by using the OpenSSL utility. The
following example shows the openssl command that produces a 1024-bit RSA
public/private key pair and a certificate signing request:
openssl req -new -out provserver.csr