Secure SRST
- Allows IP phones to use TLS signaling and SRTP media during SRST mode
- Prevents impersonation of SRST gateway and IP Phones
- Prevents falsification and eavesdropping
- The SRST certificate must be obtained from an external CA
- This can even be an IOS router running the CA on the same SRST router
- Trust relationship
- IP Phones must be able to verify the Secure SRST Gateway
- Secure SRST certificate is NOT Verified by its signature (using the public key of issuing CA)
- Therefore we don't need to upload the CA certificate to CUCM only the SRST certificate
- The SRST certificate is obtained by CUCM at configuration time (using the credential service at the gateway)
- CUCM adds received certificate to phone configuration files
- Secure SRST Gateway must be able to verify the IP phones
- IP phone certificates is Verified using the CAPF or Cisco CA certificate
- CAPF and Cisco Manufacturing CA certficates are added manually to Secure SRST
- IP phone verifies received SRST certificate against the one in its configuration file
- Not verify but just compare to the one in its configuration file
- SRST checks received IP phone certificate signature by using public key of issuer (Cisco CA or CAPF).
- Imports certificate from the Secure SRST gateway over the network.