Cisco IP Phone 7940 and 7960 models do not have MICs; they work only with LSCs. The Cisco IP Phone 7970 can use either MICs or LSCs. If an LSC is installed in a Cisco IP Phone 7970, the LSC takes priority over the MIC.
CallManager uses the CAPF to issue LSCs. CAPF can act as a Certificate Authority (CA) itself, signing the LSCs, or it can act as a proxy to an external CA, having the external CA sign the LSCs. You can configure the CAPF service at the CAPF service parameter web page shown in Figure 27-4. To access this page, choose Cisco CallManager Administration > Service > Service Parameter > Cisco Certificate Authority Proxy Function.
Figure 27-4. Working with Locally Significant Certificates
You can set the certificate issuer (CAPF itself or an external CA) and IP address of the external CA (if used). You can also modify some default values, such as the Rivest, Shamir, and Adleman (RSA) key size or the certificate lifetime.
When you want to install or upgrade LSCs for Cisco IP Phones that you are configuring, use the relevant CAPF settings at the Phone Configuration window by choosing Cisco CallManager Administration > Device > Phone. All possible settings are found in the Certificate Authority Proxy Function (CAPF) Information area.
There are four options in the Certificate Operation field, as shown in Figure 27-5.
Figure 27-5. Selecting a Certificate Operation
In the Authentication Mode field, shown in Figure 27-6, you can choose one of four authentication modes.
Figure 27-6. Selecting the IP Phone Authentication Method
Some authentication options appear only for specific phone models. For example, the "By Existing Certificate (Precedence to MIC)" option is unavailable on older Cisco IP Phones such as the 7940 and 7960.
Issuing a Phone Certificate Using an Authentication String
Figure 27-7 illustrates an example for a first-time installation of a certificate with a manually entered authentication string. For such a scenario, set the Certificate Operation field to Install/Upgrade and the Authentication Mode to By Authentication String. You can manually enter a string of four to ten digits, or click the Generate String button to create an authentication string (and populate the Authentication String field). After you click Update and reset the IP Phone, the IP Phone is ready for enrollment. However, enrollment is not automatically triggered; it has to be initiated by the user (from the Settings menu of the Cisco IP Phone).
Figure 27-7. Issuing a Phone Certificate Using an Authentication String
The Settings menu can also be used to gain information about the IP telephony system or to remove the CTL. Usually, you do not want IP Phone users to have access to such options, and therefore access to the settings on the IP Phone is often restricted or disabled. LSC enrollment authenticated by an authentication string is not possible unless settings access is fully enabled. If access to settings is restricted or disabled, you have to enable it for the enrollment and then return it to its previous value.
When a user starts the enrollment procedure, the user has to enter the configured authentication string; if the process succeeds, the certificate is issued to the IP Phone.
On a Cisco IP Phone 7940, the user would complete these steps:
Press the Settings button to access the Settings menu.
Scroll to the Security Configuration option and press the Select softkey to display the Security Configuration menu.
Press **# to unlock the IP Phone configuration.
Scroll to LSC and press the Update softkey to start the enrollment.
When prompted, enter the authentication string and press the Submit softkey to authenticate the IP Phone to the CAPF.
The IP Phone generates its RSA keys and requests a certificate signed by the CAPF. When the signed certificate is installed, the message "Success" appears at the lower-left corner of the Cisco IP Phone display.
Issuing a Phone Certificate Using the CAPF
You might use the CallManager CAPF for a certificate upgrade that uses an existing LSC to authenticate the communication. A typical reason for such an upgrade is that an LSC is about to expire. By issuing a new LSC shortly before the existing LSC expires, the IP Phone can use the existing LSC to authenticate the upgrade, which avoids entering a manual authentication string at the IP Phone.
For such a scenario, set the Certificate Operation field to Install/Upgrade and the Authentication Mode to By Existing Certificate (Precedence to LSC). After you click Update and reset the Cisco IP Phone, the IP Phone automatically contacts the CAPF for the download of the new certificate. The existing certificate is used to authenticate the new enrollment, and there is no need for a manually entered authentication string.
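The following Python models the two enrollment flows described in this chapter: a first-time installation authenticated by a four-to-ten-digit authentication string, and a pre-expiry upgrade authenticated by the existing LSC. It is an added example, not Cisco's code or the CAPF protocol. Toy 64-bit RSA generated inside the block stands in for the phone's key pair and the CAPF signing key, and the names CapfServer, Phone, configure_phone, issue, enroll and the device name SEP000000000001 are assumptions made for the illustration. Beyond what the text states, it shows the checks a CA has to make in the "By Existing Certificate" mode (its own signature on the old LSC, matching subject, unexpired validity, and proof that the phone holds the old private key) and that an expired LSC can no longer authenticate an upgrade, so the authentication-string path is needed again.

```python
"""Added model of CAPF-style LSC enrollment; not Cisco's code or the CAPF protocol.
Toy 64-bit RSA stands in for real keys; the class, function and device names are invented."""
import hashlib
import hmac
import json
import secrets

_BASES = (2, 3, 5, 7, 11, 13)  # Miller-Rabin bases: deterministic for the 32-bit candidates used here

def _is_prime(n):
    if n < 2 or any(n % p == 0 for p in _BASES):
        return n in _BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        if not any((x := x * x % n) == n - 1 for _ in range(s - 1)):  # never reaches -1: composite
            return False
    return True

def _rand_prime(bits):
    c = 0
    while not _is_prime(c):
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    return c

def rsa_keygen(bits=64):  # textbook RSA at a toy size; real LSCs use 1024-bit or larger keys
    e = 65537
    while True:
        p, q = _rand_prime(bits // 2), _rand_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # gcd(e, phi) == 1, so the private exponent exists
            return (p * q, e), pow(e, -1, phi)

def _digest(tbs, n):  # SHA-256 of the canonical to-be-signed fields, reduced into the toy modulus
    return int.from_bytes(hashlib.sha256(json.dumps(tbs, sort_keys=True).encode()).digest(), "big") % n

def sign(tbs, pub, priv):
    return pow(_digest(tbs, pub[0]), priv, pub[0])

def check_sig(tbs, sig, pub):
    return pow(sig, pub[1], pub[0]) == _digest(tbs, pub[0])

def verify(cert, issuer_pub):  # True when issuer_pub signed every field of cert except "sig"
    return check_sig({k: v for k, v in cert.items() if k != "sig"}, cert["sig"], issuer_pub)

class CapfServer:  # the CAPF service acting as its own CA for LSCs
    def __init__(self, lifetime_days=365):
        self.pub, self._priv = rsa_keygen()
        self.lifetime = lifetime_days * 86400
        self._pending = {}  # device name -> (Authentication Mode, Authentication String)

    def configure_phone(self, device, mode, auth_string=None):  # Certificate Operation: Install/Upgrade
        if mode == "By Authentication String" and not (
                auth_string and auth_string.isdigit() and 4 <= len(auth_string) <= 10):
            raise ValueError("authentication string must be four to ten digits")
        self._pending[device] = (mode, auth_string)

    def issue(self, req, now, auth_string=None, existing=None, proof=None):
        device = req["subject"]
        if device not in self._pending:
            raise PermissionError("no pending certificate operation for this phone")
        mode, expected = self._pending[device]
        if mode == "By Authentication String":
            ok = auth_string is not None and hmac.compare_digest(auth_string, expected)
        else:  # existing LSC must be CAPF-signed, for this device, unexpired, and its key proven
            ok = (existing is not None and existing["subject"] == device
                  and verify(existing, self.pub) and existing["not_after"] >= now
                  and proof is not None and check_sig(req, proof, existing["pub"]))
        if not ok:
            raise PermissionError("phone failed to authenticate to the CAPF")
        tbs = {**req, "issuer": "CAPF", "not_before": now, "not_after": now + self.lifetime}
        del self._pending[device]  # model assumption: the operation clears once it completes
        return {**tbs, "sig": sign(tbs, self.pub, self._priv)}

class Phone:
    def __init__(self, device):
        self.device, self.lsc = device, None

    def enroll(self, capf, now, auth_string=None):  # generate fresh RSA keys, request a signed LSC
        new_pub, new_priv = rsa_keygen()
        req = {"subject": self.device, "pub": list(new_pub)}
        proof = None
        if auth_string is None and self.lsc is not None:
            proof = sign(req, self.pub, self._priv)  # proves possession of the current LSC key
        self.lsc = capf.issue(req, now, auth_string, self.lsc, proof)
        self.pub, self._priv = new_pub, new_priv
        return self.lsc

def demo(t0=1_700_000_000):  # constructed clock and device name
    capf, phone = CapfServer(), Phone("SEP000000000001")
    capf.configure_phone(phone.device, "By Authentication String", "123456")
    first = phone.enroll(capf, t0, auth_string="123456")
    capf.configure_phone(phone.device, "By Existing Certificate (Precedence to LSC)")
    renewed = phone.enroll(capf, t0 + 350 * 86400)  # upgrade shortly before expiry, no string needed
    return first, renewed, capf.pub
```

Calling demo() performs both flows in order and returns the first LSC, the renewed LSC and the CAPF public key, so the two certificates can be checked with verify(). A wrong authentication string, a missing pending operation, or an LSC that has already expired all raise PermissionError, which is the model's equivalent of the phone never showing the "Success" message. The key sizes are deliberately tiny so the block runs instantly with the standard library alone; pow(e, -1, phi) needs Python 3.8 or later.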