Home » Cisco Manuals » Telephony » Cisco 521SG » Manual Viewer

Cisco 521SG Administration Guide - Page 159

Client Certificates, Obtaining a Server Certificate

UPC - 882658248993

Add to My Manuals
Save this manual to your list of manuals

Page 159 highlights

Provisioning Using HTTPS 6 Client Certificates In addition to a direct attack on the Cisco IP phone, an attacker might attempt to contact a provisioning server using a standard web browser, or other HTTPS client, to obtain the Cisco IP phone configuration profile from the provisioning server. To prevent this kind of attack, each Cisco IP phone also carries a unique client certificate, also signed by Cisco, including identifying information about each individual endpoint. A certificate authority root certificate capable of authenticating the device client certificate is given to each service provider. This authentication path allows the provisioning server to reject unauthorized requests for configuration profiles. Obtaining a Server Certificate To obtain a server certificate: STEP 1 Contact a Cisco support person who will work with you on the certificate process. If you are not working with a specific support person, you can email your request to [email protected].) STEP 2 Generate a private key that will be used in a CSR (Certificate Signing Request). This key is private and you do not need to provide this key to Cisco support. Use open source "openssl" to generate the key. For example: openssl genrsa -out 1024 STEP 3 Generate CSR a that contains fields that identify your organization, and location. For example: openssl req -new -key -out You must have the following information: • Subject field-Enter the Common Name (CN) that must be a FQDN (Fully Qualified Domain Name) syntax. During SSL authentication handshake, the SPA 9000 verifies that the certificate it receives is from the machine that presented it. • Server's hostname-For example, provserv.domain.com. • Email address-Enter an email address so that customer support can contact you if needed. This email address is visible in the CSR. Cisco Small Business SPA300 Series, SPA500 Series, and WIP310 IP Phone Administration Guide 158

Section	Page
Getting Started	12
Overview of the Phones	13
Cisco Attendant Console	13
Network Configurations	14
Cisco SPA9000 Voice System	15
Cisco Unified Communications 500 Series for Small Business	15
Other SIP IP PBX Call Control Systems	15
Updating Firmware	16
Determining the Firmware Version	17
Determining the IP Address of the Phone	18
Downloading the Firmware	19
Installing the Firmware	19
Using the Web-Based Configuration Utility	20
Allowing Web Access to the IP Phone	21
Saving the Configuration Profile	23
Understanding Administrator and User Views	23
Restricting User Access to the Phone Interface Menus (Cisco SPA300 and Cisco SPA500 Series)	24
Accessing Administrative Options	24
Using the Web Administration Tabs	24
Viewing Phone Information	25
Viewing Reboot Reasons	25
Using IVR on IP Phones Without Screens	27
Ensuring Voice Quality	31
Supported Codecs	31
Bandwidth Requirements	32
Factors Affecting Voice Quality	33
SIP Publish Signaling Improvements	35
Configuring Lines	37
Configuring a Line Key	38
Configuring Shared-Line Appearance	38
Configuring Call Appearance Per Line	41
Configuring Unused Line Keys to Access Services	42
Configuring Call Park on the Cisco SPA525G or Cisco SPA525G2 (MetaSwitch)	43
Assigning Busy Lamp Field, Call Pickup, or Speed Dial Functions to Unused Lines	44
Configuring Call Pickup and Busy Lamp Field	45
Configuring Speed Dial	46
Configuring Audio Indication for Call Pickup Event	47
Customizing Standard Features	48
Configuring Phone Information and Display Settings	49
Configuring the Phone Name	49
Configuring Voice Mail	49
Customizing the Startup Screen	50
Changing the Display Background	51
Configuring the Screen Saver	52
Configuring the LCD Contrast	54
Configuring Back Light Settings (Cisco SPA525G or Cisco SPA525G2)	54
Configuring Linksys Key System Parameters	55
Enabling Call Features	56
Enabling Anonymous Call and Caller ID Blocking Services	56
Enabling ACD Service	56
Enabling Call Back Service	56
Enabling Call Park and Call Pickup Services	57
Enabling Call Transfer and Call Forwarding Services	57
Enabling Conferencing	58
Enabling Do Not Disturb	58
Enabling the Missed Call Shortcut	58
Logging Missed Calls	58
Enabling Paging (Intercom)	59
Enabling Service Announcements	61
Customizing Phone Softkeys	61
Programmable Softkeys	66
Configuring the Message Waiting Indicator	68
Configuring Ring Tones	69
Configuring On-Demand Ring Tones (Cisco SPA525G or Cisco SPA525G2)	70
User-Created MP3 Ring Tones (Cisco SPA525G or Cisco SPA525G2)	71
Creating and Uploading Ring Tones Using the Ring Tone Utility (Cisco SPA300 Series and Cisco SPA500 Series only)	71
Assigning a Ring Tone to an Extension	73
Configuring RSS Newsfeeds (Cisco SPA525G or Cisco SPA525G2)	74
Configuring Audio Settings	75
Configuring Audio Input Gain (Cisco SPA300 Series and Cisco SPA500 Series)	76
Enabling Wireless (Cisco SPA525G or Cisco SPA525G2 only)	76
Configuring Bluetooth (Cisco SPA525G or Cisco SPA525G2 only)	77
Enabling Bluetooth from the Web Interface	77
Enabling Bluetooth from the Phone	77
Pairing a Bluetooth Headset	78
Pairing Your Cisco SPA525G2 with a Bluetooth-Enabled Mobile Phone	79
Enabling SMS Messaging	82
Enabling and Configuring the Phone Web Server	83
Configure the Web Server from the Phone Web Interface	83
Configure the Web Server from the Phone Screen Interface	84
Configuring LDAP for the Cisco SPA300 Series and Cisco SPA500 Series IP Phones	84
Configuring BroadSoft Settings (Cisco SPA300 Series and Cisco SPA500 Series)	89
Configuring BroadSoft Directory	89
Configuring Synchronization of Do Not Disturb and Call Forward on a Per Line Basis (Applicable to Broadsoft)	90
Configuring Broadsoft ACD Support	91
Configuring XML Services	92
Configuring Music On Hold	95
Configuring Extension Mobility	95
Configuring Video Surveillance (Cisco SPA525G or Cisco SPA525G2)	96
Configuring the User Name and Account on the Camera	97
Entering Camera Information Into the Cisco SPA525G or Cisco SPA525G2 Configuration Utility	97
Viewing the Video	98
Configuring SIP, SPCP, and NAT	99
SIP and Cisco IP Phones	99
SIP Over TCP	101
SIP Proxy Redundancy	101
RFC3311 Support	102
Support for SIP NOTIFY XML-Service	102
Configuring SIP	103
Configuring Basic SIP Parameters	103
Configuring SIP Timer Values	107
Configuring Response Status Code Handling	110
Configuring RTP Parameters	110
Configuring SDP Payload Types	112
Configuring SIP Settings for Extensions	115
Configuring the IP Phone Communications Protocol	124
Configuring the Protocol on a Cisco SPA525G or Cisco SPA525G2	125
Configuring the Protocol on a Cisco SPA300 Series or Cisco SPA500 Series IP Phone	125
Managing NAT Transversal with Cisco IP Phones	125
NAT Mapping with Session Border Controller	126
NAT Mapping with SIP-ALG Router	126
NAT Mapping with a Static IP Address	126
NAT Mapping with STUN	127
Configuring Security, Quality, and Network Features	130
Setting Security Features	131
Challenging SIP Initial INVITE and MWI Messages	131
Encrypting Signaling with SIP Over TLS	131
Securing Voice Traffic with SRTP	132
Configuring Voice Codecs	133
Configuring Domain and Internet Settings	137
Configuring Restricted Access Domains	137
Configuring DHCP, Static IP, or PPPoE Connection Type	137
Setting Optional Network Servers	139
Configuring VLAN Settings	141
Configuring Cisco Discovery Protocol (CDP)	141
Configuring LLDP-MED	141
Configuring the VLAN Settings	149
Configuring SSL VPN on the Cisco SPA525G or Cisco SPA525G2	151
Configuring the VPN on the Security Appliance	152
Configuring the VPN on the Cisco SPA525G or Cisco SPA525G2	152
Provisioning	155
Redundant Provisioning Servers	156
Retail Provisioning	156
Automatic In-House Preprovisioning	157
Using HTTPS	158
Server Certificates	158
Client Certificates	159
Obtaining a Server Certificate	159
Manually Provisioning a Phone from the Keypad	160
Sample Configuration File	161
Updating Profiles and Firmware	162
Launch a Firmware Update by using a Browser Command	167
Launch a Profile Update by using a Browser Command	168
Rebooting a Phone by using a Browser Command	168
Configuring a Custom Certificate Authority	169
General Purpose Parameters	169
Using TR-069	170
Configuring Regional Parameters and Supplementary Services	173
Scripting for Cadences, Call Progress Tones, and Ring Tones	174
Cadence Script	174
Tone Script	175
Ring Script	177
Call Progress Tones	178
Distinctive Ring Patterns	178
Example 1: Normal Ring	178
Example 2: Distinctive Ring (short, short, short, long)	179
Distinctive Call Waiting Tone	179
Control Timer Values (sec)	180
Configuring Supplementary Services (Star Codes)	181
Entering Star Code Values	181
Activating or Deactivating Supplementary Services	185
Vertical Service Announcement Codes (Cisco SPA300 Series and Cisco SPA500 Series)	186
Bonus Services Announcement Description	186
Outbound Call Codec Selection Codes	188
Miscellaneous Parameters	188
DTMF Parameters	188
Localizing Your IP Phone	189
Managing the Time and Date	190
Configuring Daylight Saving Time	191
Selecting a Display Language	193
Creating a Dictionary Server Script	193
Configuring Dial Plans	195
About Dial Plans	195
Digit Sequences	196
Digit Sequence Examples	199
Acceptance and Transmission of the Dialed Digits	201
Dial Plan Timer (Off-Hook Timer)	202
Interdigit Long Timer (Incomplete Entry Timer)	203
Interdigit Short Timer (Complete Entry Timer)	204
Editing Dial Plans on the IP Phone	205
Resetting the Control Timers	206
Configuring LED Patterns	207
LED Script Examples	210
LED Pattern	210
Cisco SPA IP Phone Field Reference	212
Info Tab	213
System Information	213
Network Configuration (SPCP)	216
VPN Status (Cisco SPA525G or Cisco SPA525G2 Only)	217
Product Information	217
Phone Status	218
Ext Status	219
Line/Call Status	220
Downloaded Ring Tone	222
System Tab	223
System Configuration	223
Internet Connection Type and Static IP Settings	225
Power Settings (Cisco SPA500 Series or Cisco SPA300 Series Only)	226
PPPoE Settings (Cisco SPA525G or Cisco SPA525G2 Only)	226
Optional Network Configuration	227
VLAN Settings	228
Wi-Fi Settings (Cisco SPA525G or Cisco SPA525G2 Only)	230
Bluetooth Settings (Cisco SPA525G or Cisco SPA525G2 Only)	230
VPN Settings (Cisco SPA525G or Cisco SPA525G2 Only)	230
SIP Tab	231
SIP Parameters	231
SIP Timer Values (sec)	236
Response Status Code Handling	239
RTP Parameters	240
SDP Payload Types	242
NAT Support Parameters	245
Linksys Key System Parameters	248
Provisioning Tab	249
Regional Tab	249
Call Progress Tone Description	249
Distinctive Ring Patterns	253
Control Timer Values (sec)	255
Vertical Service Activation Codes	256
Vertical Service Announcement Codes	261
Outbound Call Codec Selection Codes	262
Time (Cisco SPA525G or Cisco SPA525G2 Only)	265
Language (Cisco SPA525G or Cisco SPA525G2 Only)	266
Miscellaneous	266
Phone Tab	271
General	271
Line Key	274
Miscellaneous Line Key Settings	276
Line Key LED Pattern	277
Supplementary Services	279
Ring Tone (Cisco SPA300 Series and Cisco SPA500 Series)	281
Ring Tone (Cisco WIP310)	282
Auto Input Gain (dB)	283
Multiple Paging Group Parameters	284
BroadSoft Settings	285
LDAP Corporate Directory Search	286
XML Service	290
Extension Mobility	290
Programmable Softkeys	291
Ext Tab	292
General	293
Share Line Appearance	293
NAT Settings	294
Network Settings	295
SIP Settings	296
Call Feature Settings	300
Proxy and Registration	303
Subscriber Information	306
Audio Configuration	307
Dial Plan Script	311
User Tab	313
Call Forward	313
Speed Dial	313
Supplementary Services	314
Camera Settings (Cisco SPA525G or Cisco SPA525G2)	314
Web Information Service Settings (Cisco SPA525G or Cisco SPA525G2)	314
Audio Volume	314
Screen (Cisco SPA525G or Cisco SPA525G2)	315
Attendant Console Tab (Cisco SPA500 Series)	317
General	317
Attendant Console Status	319
Cisco SPA525G or Cisco SPA525G2-Specific Tabs	320
Wi-Fi	320
Bluetooth	320
Personal Address Book	322
Call History	322
Speed Dials	322
Firmware Upgrade	322

Match case Limit results 1 per page

Provisioning

Using HTTPS

Cisco Small Business SPA300 Series, SPA500 Series, and WIP310 IP Phone Administration Guide

158

Client Certificates

In addition to a direct attack on the Cisco IP phone, an attacker might attempt to

contact a provisioning server using a standard web browser, or other HTTPS

client, to obtain the Cisco IP phone configuration profile from the provisioning

server. To prevent this kind of attack, each Cisco IP phone also carries a unique

client certificate, also signed by Cisco, including identifying information about

each individual endpoint. A certificate authority root certificate capable of

authenticating the device client certificate is given to each service provider. This

authentication path allows the provisioning server to reject unauthorized requests

for configuration profiles.

Obtaining a Server Certificate

To obtain a server certificate:

STEP 1

Contact a Cisco support person who will work with you on the certificate process.

If you are not working with a specific support person, you can email your request

to [email protected].)

STEP

Generate a private key that will be used in a CSR (Certificate Signing Request).

This key is private and you do not need to provide this key to Cisco support. Use

open source “openssl” to generate the key. For example:

openssl genrsa -out <file.key> 1024

STEP

Generate CSR a that contains fields that identify your organization, and location.

For example:

openssl req -new -key <file.key> -out <file.csr>

You must have the following information:

•

Subject field—Enter the Common Name (CN) that must be a FQDN (Fully

Qualified Domain Name) syntax. During SSL authentication handshake, the

SPA 9000 verifies that the certificate it receives is from the machine that

presented it.

•

Server's hostname—For example, provserv.domain.com.

•

Email address—Enter an email address so that customer support can

contact you if needed. This email address is visible in the CSR.