====== Secure SRST ======

  * Allows IP phones to use TLS signaling and SRTP media during SRST mode
  * Prevents impersonation of the SRST gateway and IP phones
  * Prevents falsification and eavesdropping
  * The SRST certificate must be obtained from an external CA
    * This can even be an IOS router running the CA on the same SRST router
  * Trust relationship
    * IP phones must be able to verify the Secure SRST gateway
      * The Secure SRST certificate is **NOT verified** by its signature (using the public key of the issuing CA)
      * Therefore we don't need to upload the CA certificate to CUCM, only the SRST certificate
      * The SRST certificate is obtained by CUCM at configuration time (using the credential service at the gateway)
      * CUCM adds the received certificate to the phone configuration files
    * The Secure SRST gateway must be able to verify the IP phones
      * IP phone certificates are **verified** using the CAPF or Cisco CA certificate
      * CAPF and Cisco Manufacturing CA certificates are added manually to Secure SRST

{{cucm-sec-srst1.png|}}

  * The IP phone checks the received SRST certificate against the one in its configuration file
    * It does not verify the certificate, it just compares it to the one in its configuration file
  * SRST checks the received IP phone certificate signature by using the public key of the issuer (Cisco CA or CAPF).

{{cucm-sec-srst2.png|}}

  * Imports certificate from the Secure SRST gateway over the network.
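
The two checks above differ in kind: the phone compares the presented certificate with a pinned copy, while the gateway validates the issuer's signature. The shell sketch below is an added example (not Cisco, CUCM or IOS code) that models both with openssl; every CA name, CN and file is constructed, and it assumes openssl with its default configuration is installed.

```bash
#!/bin/sh
# Constructed model of the two checks; every name and certificate is made up.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

make_ca() {   # make_ca <name>: self-signed CA certificate and key
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
issue() {     # issue <name> <CN> <ca>: certificate for CN signed by <ca>
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.pem" 2>/dev/null
}
fingerprint() { openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256; }

# Phone side: compare the presented certificate with the pinned copy from the
# configuration file. No issuer signature is checked. Fails closed on errors.
phone_accepts_srst() {   # <presented> <pinned>
  fp_a=$(fingerprint "$1") && fp_b=$(fingerprint "$2") \
    && [ -n "$fp_a" ] && [ "$fp_a" = "$fp_b" ]
}
# SRST side: check the phone certificate's signature against a trusted issuer.
srst_accepts_phone() {   # <phone-cert> <trusted-ca>
  openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

make_ca external-ca; make_ca capf; make_ca other-ca
issue srst     srst-gw.example external-ca   # the certificate CUCM imported
issue srst-dup srst-gw.example external-ca   # same CA and CN, different key
issue phone    SEP000000000001 capf          # phone cert from trusted issuer
issue stranger SEP000000000001 other-ca      # same CN, untrusted issuer

for presented in srst srst-dup; do
  phone_accepts_srst "$presented" srst && r=accept || r=reject
  echo "phone: presented=$presented pinned=srst -> $r"
done
for presented in phone stranger; do
  srst_accepts_phone "$presented" capf && r=accept || r=reject
  echo "srst:  presented=$presented trusted-issuer=capf -> $r"
done
```

In this model the comparison rejects `srst-dup` even though it comes from the same CA with the same name, so the pinned copy has to match whatever certificate the gateway currently presents.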