To obtain a signed certificate, an IP phone needs to enroll with the entity that will issue (sign) the certificate. During enrollment, the phone will get the certificate of the issuer and then send its data to the issuer asking for a (signed) certificate. IP phone enrollment depends on the type of certificate.
With MICs, enrollment was already done by Cisco manufacturing during production. When the IP phone is shipped to the customer, it already has its public and private keys, a certificate issued by the Cisco manufacturing CA, and the certificate of the Cisco manufacturing CA installed. No other PKI provisioning tasks are required. MICs always remain on the phone, even if an LSC is added.
With LSCs, enrollment has to be done by the customer.
If the IP phone has both a MIC and an LSC, the LSC has priority.
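The generic enrollment sequence described above (get the issuer's certificate, then request a signed certificate) can be walked through with OpenSSL. This is an added example, not code from the original text, and it does not implement the CAPF protocol; the names demo-issuer and SEP001122334455 and the function enroll_demo are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: generic X.509 enrollment with OpenSSL (not the CAPF protocol).
# demo-issuer and SEP001122334455 are constructed sample names.

enroll_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # Issuer side: a self-signed CA certificate stands in for the issuing entity.
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
            -subj "/CN=demo-issuer" -days 30 >/dev/null 2>&1 || exit 1

        # Step 1: the device obtains the issuer's certificate (here, a file copy).
        cp ca.pem trusted-issuer.pem

        # Step 2: the device creates its key pair and a signing request.
        # The private key (phone.key) never leaves the device.
        openssl req -new -newkey rsa:2048 -nodes -keyout phone.key -out phone.csr \
            -subj "/CN=SEP001122334455" >/dev/null 2>&1 || exit 1

        # Issuer checks the request's self-signature (proof of key possession),
        # then signs it to produce the device certificate.
        openssl req -in phone.csr -noout -verify >/dev/null 2>&1 || exit 1
        openssl x509 -req -in phone.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
            -out phone.pem -days 30 >/dev/null 2>&1 || exit 1

        # Device verifies the returned certificate against the issuer
        # certificate it stored in step 1.
        openssl verify -CAfile trusted-issuer.pem phone.pem >/dev/null 2>&1 || exit 1

        # Device confirms the certificate carries its own public key.
        cert_pub=$(openssl x509 -in phone.pem -noout -pubkey | openssl sha256)
        key_pub=$(openssl pkey -in phone.key -pubout | openssl sha256)
        [ "$cert_pub" = "$key_pub" ] || exit 1

        # Print the subject and issuer of the enrolled certificate.
        openssl x509 -in phone.pem -noout -subject -issuer
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

enroll_demo
```

Storing the issuer certificate before sending the request is what lets the device reject a certificate that was not signed by the entity it enrolled with.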
CAPF Acting as a CA
To obtain an LSC from the CAPF acting as a CA, an IP phone has to enroll with the CAPF, as shown in Figure 26-9.
Figure 26-9. CAPF Enrollment Process
The CAPF enrollment process is as follows:
CAPF Acting as a Proxy to an External CA
If an IP phone is to obtain an LSC from an external CA using the CAPF as a proxy, the IP phone has to enroll with the external CA, as shown in Figure 26-10.
Figure 26-10. CAPF External CA Enrollment Process
The external CA enrollment process occurs as follows: