Working with Locally Significant Certificates

Cisco IP Phone 7940 and 7960 models do not have MICs; they only work with LSCs. The Cisco IP Phone 7970 can use either MICs or LSCs. If an LSC is installed in a Cisco IP Phone 7970, the LSC has higher priority than the MIC.

CallManager uses the CAPF to issue LSCs. CAPF can act as a Certificate Authority (CA) itself and sign the LSCs, or it can act as a proxy to an external CA, in which case the external CA signs the LSCs. You can configure the CAPF service at the CAPF service parameter web page shown in Figure 27-4. To access this page, choose Cisco CallManager Administration > Service > Service Parameter > Cisco Certificate Authority Proxy Function.

Figure 27-4. Working with Locally Significant Certificates

You can set the certificate issuer (CAPF itself or an external CA) and IP address of the external CA (if used). You can also modify some default values, such as the Rivest, Shamir, and Adleman (RSA) key size or the certificate lifetime.

When you want to install or upgrade LSCs for Cisco IP Phones that you are configuring, use the relevant CAPF settings at the Phone Configuration window by choosing Cisco CallManager Administration > Device > Phone. All possible settings are found in the Certificate Authority Proxy Function (CAPF) Information area.

There are four operations options in the Certificate Operation field (as shown in Figure 27-5):

  • Install/Upgrade: This operation allows the installation of an LSC (if the IP Phone does not already have an LSC) and the upgrade (replacement) of an existing LSC (if the IP Phone already has an LSC).
  • Delete: This operation allows the removal of an existing LSC from a Cisco IP Phone.
  • Troubleshoot: This operation retrieves all existing IP Phone certificates from the IP Phone and stores them in CAPF trace files. There are separate CAPF trace files for MICs and for LSCs. The CAPF trace files are located in C:\Program Files\Cisco\Trace\CAPF.
  • No Pending Operation: This is the default value. You can also change back to this value when you want to cancel a previously configured operation that has not yet been executed.

Figure 27-5. Selecting a Certificate Operation

In the Authentication Mode field (as shown in Figure 27-6), you can choose one of four possible authentication modes:

  • By Authentication String: This authentication mode is the default and requires the Cisco IP Phone user to manually initiate the installation of an LSC. The user must authenticate to Cisco CallManager by the authentication string that has been set by the administrator in the Authentication String field. To enable the user to enter the correct authentication string, the administrator has to communicate the configured authentication string to the user.
  • By Null String: This authentication mode disables Cisco IP Phone authentication for the download of the IP Phone certificate (enrollment). The enrollment of the IP Phone should be done over a trusted network only when this setting is used. Because no user intervention is needed, the enrollment is done automatically the next time the Cisco IP Phone boots or is reset.
  • By Existing Certificate (Precedence to LSC): This authentication mode uses an existing certificate (with precedence to the LSC if both a MIC and an LSC are present in the IP Phone) for IP Phone authentication. Because no user intervention is needed, the enrollment is done automatically the next time that the IP Phone boots or is reset.
  • By Existing Certificate (Precedence to MIC): This authentication mode uses an existing certificate (with precedence to MIC if both a MIC and an LSC are present in the IP Phone) for IP Phone authentication. Because no user intervention is needed, the enrollment is done automatically the next time that the IP Phone boots or is reset.

Figure 27-6. Selecting the IP Phone Authentication Method

Note

Some authentication options will only appear under specific phone models. For example, the "By Existing Certificate (Precedence to MIC)" option is unavailable on older Cisco IP Phones such as the 7940 and 7960.

 

Issuing a Phone Certificate Using an Authentication String

Figure 27-7 illustrates an example for a first-time installation of a certificate with a manually entered authentication string. For such a scenario, set the Certificate Operation field to Install/Upgrade and the Authentication Mode to By Authentication String. You can manually enter a string of four to ten digits, or click the Generate String button to create an authentication string (and populate the Authentication String field). After you click Update and reset the IP Phone, the IP Phone is ready for enrollment. However, enrollment is not automatically triggered; it has to be initiated by the user (from the Settings menu of the Cisco IP Phone).

Figure 27-7. Issuing a Phone Certificate Using an Authentication String

Note

The Settings menu can also be used to gain information about the IP telephony system or remove the CTL. Usually, you do not want IP Phone users to have access to such options, and, therefore, access to the settings on the IP Phone is often restricted or disabled. LSC enrollment with authentication by authentication string is not possible if settings access is not (fully) enabled. If access to settings is restricted or disabled, you have to enable it for the enrollment and then return it to its previous value.

When a user starts the enrollment procedure, the user has to enter the authentication string configured, and if the process is successful, the certificate is issued to the IP Phone.

On a Cisco IP Phone 7940, the user would complete these steps:

Step 1. Press the Settings button to access the Settings menu.

Step 2. Scroll to the Security Configuration option and press the Select softkey to display the Security Configuration menu.

Step 3. Press **# to unlock the IP Phone configuration.

Step 4. Scroll to LSC and press the Update softkey to start the enrollment.

Step 5. Enter the authentication string and press the Submit softkey to authenticate the IP Phone to the CAPF when prompted to do so.

Step 6. The IP Phone generates its RSA keys and requests a certificate signed by the CAPF. When the signed certificate is installed, the message "Success" appears at the lower-left corner of the Cisco IP Phone display.

Issuing a Phone Certificate Using the CAPF

You might use the CallManager CAPF for a certificate upgrade using an existing LSC to authenticate the communication. A reason for such an upgrade could be that an LSC will soon reach its expiration date. By issuing a new LSC shortly before the expiration of the existing LSC, the IP Phone can use the existing LSC for the upgrade (which avoids entering a manual authentication string at the IP Phone).

For such a scenario, set the Certificate Operation field to Install/Upgrade and the Authentication Mode to By Existing Certificate (Precedence to LSC). After you click Update and reset the Cisco IP Phone, the IP Phone automatically contacts the CAPF for the download of the new certificate. The existing certificate is used to authenticate the new enrollment, and there is no need for a manually entered authentication string.
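
The following is an added example, not code from the book or from Cisco: a pre-flight audit that applies the rules in this section to a phone inventory before CAPF operations are scheduled. The CSV columns, device names, and 30-day renewal window are assumptions, and models other than the 7940 and 7960 are assumed to carry a MIC.

```python
import csv
import io
from datetime import date

# Constructed inventory; the column names are assumptions, not a CallManager export format.
INVENTORY = """device,model,has_lsc,lsc_expires,operation,auth_mode,auth_string,settings_access
SEP000000000001,7960,no,,Install/Upgrade,By Authentication String,482913,Enabled
SEP000000000002,7940,no,,Install/Upgrade,By Existing Certificate (Precedence to LSC),,Enabled
SEP000000000003,7970,yes,2025-03-01,No Pending Operation,By Authentication String,,Disabled
SEP000000000004,7970,no,,Install/Upgrade,By Null String,,Enabled
SEP000000000005,7960,no,,Install/Upgrade,By Authentication String,12,Restricted
"""

NO_MIC_MODELS = {"7940", "7960"}  # per the text: these models only work with LSCs


def audit(text, today, renew_days=30):
    """Return (device, finding) pairs for CAPF settings that will fail or need review."""
    findings = []
    for r in csv.DictReader(io.StringIO(text)):
        dev, mode = r["device"], r["auth_mode"]
        has_lsc = r["has_lsc"] == "yes"
        has_mic = r["model"] not in NO_MIC_MODELS  # assumption for unlisted models
        # An LSC close to expiry with nothing scheduled: renew while it can still authenticate.
        if has_lsc and r["lsc_expires"] and r["operation"] == "No Pending Operation":
            left = (date.fromisoformat(r["lsc_expires"]) - today).days
            if left <= renew_days:
                findings.append((dev, f"LSC expires in {left} days; upgrade by existing LSC"))
        if r["operation"] != "Install/Upgrade":
            continue
        if mode == "By Null String":
            # Enrollment is unauthenticated, so the phone must sit on a trusted network.
            findings.append((dev, "unauthenticated enrollment; trusted network only"))
        elif mode.startswith("By Existing Certificate"):
            if not (has_lsc or has_mic):
                findings.append((dev, "no certificate on phone to authenticate with"))
        elif mode == "By Authentication String":
            s = r["auth_string"]
            if not (s.isdigit() and 4 <= len(s) <= 10):
                findings.append((dev, "authentication string must be 4 to 10 digits"))
            if r["settings_access"] != "Enabled":
                findings.append((dev, "settings access must be enabled for enrollment"))
    return findings


if __name__ == "__main__":
    for device, finding in audit(INVENTORY, date(2025, 2, 14)):
        print(device, "-", finding)
```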




Authorized Self-Study Guide Cisco IP Telephony (CIPT)
Cisco IP Telephony (CIPT) (Authorized Self-Study) (2nd Edition)
ISBN: 158705261X
Year: 2004
Pages: 329
