====== Public Key Infrastructure (PKI) ======

  * CUCM service certificates are self-signed. This includes:
    * CallManager certificate
    * TFTP server certificate
    * Certificate Authority Proxy Function (CAPF) certificate
  * Manufacturing installed certificates (MICs) on Cisco 797x, 7961/5, 7941/5 and 7911 models are signed by the Cisco manufacturing CA
  * Locally significant certificates (LSCs) on supported Cisco IP phone models (including the ones that support MICs) are signed by CAPF or by an external CA
    * For 7940 or 7960 (SCCP only)
    * If both an LSC and a MIC are present, the LSC has higher priority
  * The Secure SRST certificate is signed by an external CA

{{cucm-pki1.png|}}

===== CTL Client =====

  * Therefore there are multiple independent PKI topologies
    * All need to be known and trusted
  * The Certificate Trust List (CTL) contains all of these certificates and allows the roots to be verified
    * List of certificate issuers that a Cisco IP phone needs to trust
    * Created by the CTL client
    * Signed by the CTL client using a Security Token
      * At least two are required for redundancy
    * Acts as an authorization list that specifies which certificates belong to which function (CAPF, CM, TFTP and Cisco CTL Client)
  * When to use the CTL client
    * Initial activation of PKI
    * Deactivation of PKI
    * Changes to the CUCM or TFTP servers
      * Add or remove
      * Rename
      * Change IP or certificates
      * After replacing or restoring
    * Adding/removing a security token

{{cucm-pki2.png|}}

  * Add all the certificates, including its own CTL Client certificate, to the CTL.

{{cucm-pki3.png|}}

  * Initial CTL download
    * This is insecure during the initial download, as the phone does not have a CTL yet and will trust anyone.
    * Subsequent downloads can be verified using the CTL client certificate (public key)

{{cucm-pki4.png|}}

===== CTL Usages =====

  * Encrypted signaling
    * SCCP or SIP over TLS
    * Certificate-based two-way authentication between IP phone and CUCM
    * IP phone verifies the self-signed CUCM certificate against the Cisco CTL
  * LSC enrollment
    * Protected by TLS
    * Certificate-based authentication of CAPF to the IP phone
    * IP phone verifies the self-signed CAPF certificate against the Cisco CTL
  * Signed IP phone configuration files
    * TFTP file is signed by the private key of the TFTP server
    * IP phone needs to know the authentic public key of the TFTP server, which is in the CTL
  * Signed Cisco CTL file
    * Verifies subsequent updates to the CTL file
    * Cisco CTL file is signed by the Cisco CTL client using the private key of one of its security tokens
    * Corresponding public key must be known in the current Cisco CTL

===== Configuration =====

==== Security Services ====

  * Enable security services:
    * Cisco CTL Provider on all servers in the cluster running the CUCM service or TFTP service
    * CAPF (if LSCs are deployed) on the publisher only

{{cucm-pki5.png|}}

==== CTL Client ====

  * The CTL client is installed from CUCM Install Plugins
    * Install on a Windows PC with a USB port
    * The Smart Card service has to be activated
  * Plug the Security Token into the USB port
  * Use the Cisco CTL client to activate security options:
    * Activate mixed mode

{{cucm-pki6.png|}}

    * Create/Update a signed CTL

{{cucm-pki7.png|}}

==== Install Device Certificate ====

  * Configure devices for security
    * If using MICs, nothing to do as they are pre-installed
    * To deploy LSCs to an IP phone, go to **Device > Phones**
  * Four possible operations
    * Install/Upgrade
    * Delete
    * Troubleshoot
      * Retrieves all the existing IP phone certificates and stores them in the CAPF trace file
    * No Pending Operation
  * Four possible authentication modes, denoting how the certificate is installed
    * Authentication String (default)
      * The IP phone user installs the LSC manually
    * Null String
      * Disables IP phone authentication for the download of the certificate
    * Existing LSC
    * Existing MIC

{{cucm-pki9.png|}}

  * In the above example
    * Reset the IP phone
    * The user initiates installation of the certificate from the IP phone Settings menu
    * The user has to enter the authentication string (after a prompt)
    * If successful, the certificate is issued
  * Set the device security mode (authenticated or encrypted)
  * Enable configuration file encryption (if used)

===== CAPF Service Parameters =====

{{cucm-pki8.png|}}
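The trust decisions described in the CTL Client and CTL Usages sections above (the unverified initial CTL download, signature checks on later CTL updates against a security token already listed in the CTL, and configuration files accepted only when signed by the key the CTL lists for the TFTP function) can be modelled in a few dozen lines. The following is an added example written for this page, not Cisco or CUCM code: textbook RSA over SHA-256 stands in for X.509 certificates, a JSON dictionary stands in for the real CTL file format, and the role labels, the `Phone` class and the `demo()` walkthrough are assumptions made for illustration.

```python
"""Toy model of a phone's CTL trust decisions (example for this page, not CUCM code).
Textbook RSA over SHA-256 replaces X.509; a JSON dict replaces the real CTL format."""
import hashlib
import json
import math
import random

E = 65537
ROLES = ("SECURITY_TOKEN", "CAPF", "CCM", "TFTP")  # assumed role labels, not Cisco's

def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin test, used only for toy key generation."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand

def gen_keypair(rng, bits=160):
    """(private, public) toy RSA keys; a 320-bit modulus always exceeds a SHA-256 digest."""
    while True:
        p, q = _gen_prime(bits, rng), _gen_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return (p * q, pow(E, -1, phi)), (p * q, E)

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    return pow(_h(data), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _h(data)

def build_ctl(entries, token_priv):
    """Serialize {role: [pubkey, ...]} and sign it with one security token's private key."""
    body = {role: sorted(entries.get(role, [])) for role in ROLES}
    ctl_bytes = json.dumps(body, sort_keys=True).encode()
    return ctl_bytes, sign(token_priv, ctl_bytes)

class Phone:
    def __init__(self):
        self.ctl = None  # no CTL yet: the first one received is installed blindly

    def load_ctl(self, ctl_bytes, sig):
        """First CTL is installed unverified (the weakness the page notes); later ones
        must be signed by a security token listed in the CTL currently installed."""
        if self.ctl is None:
            self.ctl = json.loads(ctl_bytes)
            return "installed-unverified"
        if any(verify(k, ctl_bytes, sig) for k in self.ctl["SECURITY_TOKEN"]):
            self.ctl = json.loads(ctl_bytes)
            return "installed"
        return "rejected"

    def accept_config(self, cfg_bytes, sig):
        """A config file counts only if signed by a key the CTL lists under TFTP."""
        return any(verify(k, cfg_bytes, sig) for k in (self.ctl or {}).get("TFTP", []))

def demo(seed=7):
    """Walk one phone through first download, config checks and a CTL update."""
    rng = random.Random(seed)
    token_a, token_b, tftp, tftp_new, capf, unlisted = (gen_keypair(rng) for _ in range(6))
    listing = {"SECURITY_TOKEN": [token_a[1], token_b[1]], "TFTP": [tftp[1]], "CAPF": [capf[1]]}
    ctl, ctl_sig = build_ctl(listing, token_a[0])
    phone, out = Phone(), {}
    out["first_ctl"] = phone.load_ctl(ctl, ctl_sig)
    cfg = b"<device><line>1001</line></device>"  # constructed sample config file
    out["cfg_from_tftp"] = phone.accept_config(cfg, sign(tftp[0], cfg))
    out["cfg_from_capf_key"] = phone.accept_config(cfg, sign(capf[0], cfg))  # wrong function
    out["cfg_from_unlisted_key"] = phone.accept_config(cfg, sign(unlisted[0], cfg))
    listing["TFTP"] = [tftp_new[1]]  # TFTP certificate replaced: the CTL client is rerun
    ctl2, sig2 = build_ctl(listing, token_b[0])  # signed by the redundant second token
    out["update_signed_by_token_b"] = phone.load_ctl(ctl2, sig2)
    out["old_tftp_key_after_update"] = phone.accept_config(cfg, sign(tftp[0], cfg))
    ctl3, sig3 = build_ctl(listing, unlisted[0])
    out["update_signed_by_unlisted_key"] = phone.load_ctl(ctl3, sig3)
    return out
```

Calling `demo()` returns a dictionary of outcomes. `first_ctl` comes back as `installed-unverified`, which is the window the page warns about: whatever the phone receives first becomes its root of trust. After that, a config file signed with the CAPF key or an unlisted key is refused even though the CAPF key itself is in the CTL, because the CTL is an authorization list per function, not just a bag of trusted keys. The update signed by the second token is accepted (the reason at least two tokens are required), and once the TFTP entry changes the old TFTP key stops being accepted, which is why the CTL client has to be rerun whenever a server certificate is replaced.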