non-authorized servers. On the other hand, the client certificate allows the provisioning server to identify the
individual device that issues the request.
For a service provider to manage deployment by using HTTPS, a server certificate must be generated for each
provisioning server to which a phone resyncs by using HTTPS. The server certificate must be signed by the
Cisco Server CA Root Key, whose certificate is carried by all deployed units. To obtain a signed server
certificate, the service provider must forward a certificate signing request to Cisco, which signs and returns
the server certificate for installation on the provisioning server.
The subject of the provisioning server certificate must contain a Common Name (CN) field that carries the FQDN
of the host running the server. The CN might optionally contain additional information following the host FQDN,
separated by a slash (/) character. The following examples are CN entries that the phone accepts as valid:
CN=sprov.callme.com
CN=pv.telco.net/mailto:admin@telco.net
CN=prof.voice.com/info@voice.com
In addition to verifying the server certificate, the phone tests the server IP address against a DNS lookup of
the server name that is specified in the server certificate.
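The following is an added example, not Cisco's code, that models the CN checks just described: the host FQDN is the part of the CN before any slash, the CN host is compared with the host the phone resyncs to (standard hostname matching, assumed here), and the server IP must appear in the DNS answers for that host. The resolver is injected so the check runs offline with constructed DNS data.

```python
"""Model of the provisioning-server certificate checks described in the text.
Added example, not Cisco's code. The DNS resolver is injected so the logic can
be exercised offline against constructed data."""
import ipaddress
import socket
from typing import Callable, Iterable


def cn_host(cn: str) -> str:
    """Return the FQDN part of a CN value such as
    'pv.telco.net/mailto:admin@telco.net'. Text after the first '/' is
    optional extra information and is ignored, as the text describes."""
    value = cn[3:] if cn.upper().startswith("CN=") else cn
    host = value.split("/", 1)[0].strip().lower()
    if not host or "." not in host:
        raise ValueError(f"CN does not carry a host FQDN: {cn!r}")
    return host


def default_resolver(host: str) -> set:
    """Live DNS lookup; replaced by fake_resolver in the offline demo."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def server_cert_accepted(cn: str, requested_host: str, server_ip: str,
                         resolve: Callable[[str], Iterable[str]] = default_resolver) -> bool:
    """Accept only if the CN host is the host the phone resyncs to (assumed
    hostname matching) and the IP the phone connected to is among the DNS
    answers for that host, as the text describes."""
    try:
        host = cn_host(cn)
    except ValueError:
        return False
    if host != requested_host.strip().lower():
        return False
    ip = ipaddress.ip_address(server_ip)
    return any(ipaddress.ip_address(a) == ip for a in resolve(host))


# Constructed DNS data for the offline demonstration (documentation addresses).
FAKE_DNS = {"sprov.callme.com": {"192.0.2.10"},
            "pv.telco.net": {"192.0.2.20", "2001:db8::20"}}


def fake_resolver(host: str) -> set:
    return FAKE_DNS.get(host, set())


if __name__ == "__main__":
    print(server_cert_accepted("CN=pv.telco.net/mailto:admin@telco.net",
                               "pv.telco.net", "192.0.2.20", fake_resolver))  # True
```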
Get a Signed Server Certificate
The OpenSSL utility can generate a certificate signing request. The following example shows the openssl
command that produces a 1024-bit RSA public/private key pair and a certificate signing request:
openssl req -new -out provserver.csr
This command generates the server private key in privkey.pem and a corresponding certificate signing
request in provserver.csr. The service provider keeps the privkey.pem secret and submits
provserver.csr to Cisco for signing. Upon receiving the provserver.csr file, Cisco generates
provserver.crt, the signed server certificate.
Procedure
Step 1 Navigate to https://software.cisco.com/software/cda/home and log in with your CCO credentials.
Note
When a phone connects to a network for the first time or after a factory reset, and there are no DHCP
options set up, it contacts a device activation server for zero touch provisioning. New phones use
“activate.cisco.com” instead of “webapps.cisco.com” for provisioning. Phones with firmware release
earlier than 11.2(1) continue to use “webapps.cisco.com”. We recommend that you allow both
domain names through your firewall.
Step 2 Select Certificate Management.
On the Sign CSR tab, the CSR of the previous step is uploaded for signing.
Step 3 From the Select Product drop-down list box, select SPA1xx firmware 1.3.3 and newer/SPA232D firmware
1.3.3 and newer/SPA5xx firmware 7.5.6 and newer/CP-78xx-3PCC/CP-88xx-3PCC.
Step 4 In the CSR File field, click Browse and select the CSR for signing.
Step 5 Select the encryption method:
Cisco IP Phone 8800 Series Multiplatform Phone Administration Guide for Release 11.3(1) and Later
Cisco IP Phone Configuration