Public Key Infrastructure (PKI)
- CUCM service certificates are self-signed. This includes:
  - CallManager certificate
  - TFTP server certificate
  - Certificate Authority Proxy Function (CAPF) certificate
- Manufacturing installed certificates (MICs) on Cisco 797x, 7961/5, 7941/5, 7911 models are signed by the Cisco manufacturing CA
- Locally signed certificates (LSCs) on supported Cisco IP phone models (including the ones that support MICs) are signed by CAPF or by an external CA
  - For 7940 or 7960: SCCP only
  - If both an LSC and a MIC are present, the LSC has higher priority
- Secure SRST certificate is signed by an external CA
CTL Client
- Therefore there are multiple independent PKI topologies
  - All need to be known and trusted
- Certificate Trust List (CTL) contains all of these certificates and allows for verification of roots
  - List of certificate issuers that a Cisco IP phone needs to trust
  - Created by the CTL client
  - Signed by the CTL client using a Security Token
    - At least two are required for redundancy
  - Acts as an authorization list that specifies which certificates belong to which function (CAPF, CM, TFTP and Cisco CTL Client).
- When to use the CTL client
  - Initial activation of PKI
  - Deactivate PKI
  - Changes to the CUCM or TFTP server
    - Add or remove
    - Rename
    - Change IP or certificates
    - After replacing or restoring
  - Adding/removing a security token
- Add all the certificates, including its own CTL Client certificate, to the CTL.
- Initial CTL download
  - This is insecure during the initial download, as the phone does not have a CTL yet and will trust everyone.
  - Subsequent downloads can be verified using the CTL client certificate (public key)
CTL Usages
- Encrypted signaling
  - SCCP or SIP over TLS
  - Certificate-based two-way authentication between IP phone and CUCM
  - IP phone verifies the self-signed CUCM certificate against the Cisco CTL
- LSC enrollment
  - Protected by TLS
  - Certificate-based authentication of CAPF to the IP phone
  - IP phone verifies the self-signed CAPF certificate against the Cisco CTL
- Signed IP phone configuration files
  - TFTP file is signed by the private key of the TFTP server
  - IP phone needs to know the authentic public key of the TFTP server, which is in the CTL
- Signed Cisco CTL file
  - Verifies subsequent updates to the CTL file.
  - Cisco CTL file is signed by the Cisco CTL client using the private key of one of its security tokens
  - Corresponding public key must be known in the current Cisco CTL
Configuration
Security Services
- Enable security services:
  - Cisco CTL Provider on all servers in the cluster running the CUCM service or TFTP service
  - CAPF (if LSCs are deployed) on the publisher only
CTL Client
- CTL client is installed from CUCM Install Plugins
  - Install on a Windows PC with a USB port
  - Smart Card service has to be activated
  - Plug the Security Token into the USB port
- Use the Cisco CTL client to activate security options:
  - Activate mixed mode
  - Create/Update a signed CTL
Install Device Certificate
- Configure devices for security
  - If using MICs, nothing to do as they are pre-installed
  - To deploy LSCs into IP phones, go to Device > Phones
    - Four possible operations
      - Install/Upgrade
      - Delete
      - Troubleshoot
        - Retrieves all the existing IP phone certificates and stores them in the CAPF trace file
      - No Pending Operation
    - Four possible authentication modes, denoting how the certificate is installed
      - Authentication String (default)
        - The IP phone user installs the LSC manually
      - Null String
        - Disables IP phone authentication for the download of the certificate
      - Existing LSC
      - Existing MIC
  - In the above example (Authentication String mode)
    - Reset the IP phone
    - The user initiates installation of the certificate from the IP phone Settings menu
    - The user has to enter the authentication string (after a prompt)
    - If successful, the certificate is issued.
- Set device security mode (authenticated or encrypted)
- Enable configuration file encryption (if used).
CAPF Service Parameters
eduardo/cisco/cucm/cucm-pki.txt · Last modified: 2024/02/23 08:20 by 127.0.0.1