
Certificate Trust List (CTL)

The CTL is used as the trusted introducer, bringing all the different PKI topologies together under one trusted source. It contains a list of trusted certificates (e.g. CCM, TFTP, CAPF) and is signed using the CTL certificates. The public and private keys of the Cisco CTL client are stored on a smart token called a security token, which is just a USB key plugged into the PC running the CTL client. Because the CTL client does not have direct access to the private and public keys, it passes the CTL to the security token to get it signed.

When an IP phone boots, it downloads the CTL from the TFTP server. The phone verifies the new CTL using the CTL certificate from the previous CTL. This poses a problem for initial deployment: how to install the first CTL on the phone.
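
The verification chain described above, modelled as an added example (not Cisco code and not the CTL file format). It assumes toy textbook-RSA keys in place of real certificates; `token_sign`, `phone_verify`, and the entry names and values are hypothetical.

```python
import hashlib, json

E = 65537  # public exponent for the toy keys below

def make_key(p, q):
    """Toy textbook-RSA key pair (illustration only, far too small to be secure)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(entries, n):
    """Hash the CTL entries to an integer below the modulus n."""
    data = json.dumps(entries, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def token_sign(entries, signer, key):
    """Stand-in for the security token: the only place key['d'] is used."""
    return {"entries": entries, "signer": signer,
            "sig": pow(digest(entries, key["n"]), key["d"], key["n"])}

def phone_verify(new_ctl, installed_ctl):
    """Check a downloaded CTL against the CTL already stored on the phone."""
    if installed_ctl is None:
        return "no-trust-anchor"  # first boot: nothing to verify against
    n = installed_ctl["entries"].get(new_ctl["signer"])
    if n is None:
        return "rejected"  # signer is not listed in the previous CTL
    ok = pow(new_ctl["sig"], E, n) == digest(new_ctl["entries"], n)
    return "accepted" if ok else "rejected"

# Constructed sample data: moduli stand in for certificates, names are made up.
TOKEN = make_key(2**61 - 1, 2**89 - 1)
ROGUE = make_key(2**107 - 1, 2**127 - 1)
V1 = {"token-1": TOKEN["n"], "CCM": 1001, "TFTP": 1002, "CAPF": 1003}
V2 = dict(V1, TFTP=2002)  # updated TFTP entry
CTL_V1 = token_sign(V1, "token-1", TOKEN)
CTL_V2 = token_sign(V2, "token-1", TOKEN)
FORGED = token_sign(V2, "token-1", ROGUE)  # signed by a key the phone never trusted

if __name__ == "__main__":
    print(phone_verify(CTL_V1, None))    # first boot, no previous CTL
    print(phone_verify(CTL_V2, CTL_V1))  # update signed by the listed token
    print(phone_verify(FORGED, CTL_V1))  # same signer name, wrong key
```

The `no-trust-anchor` result is the initial-deployment problem: with no previous CTL on the phone there is no key to check the first download against.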

eduardo/cisco/cipt/ctl.txt · Last modified: 2024/02/23 08:20 by 127.0.0.1