Cisco SPA901-UK Provisioning Guide - Page 17

Provisioning Cisco Small Business VoIP Devices Using HTTPS 1 Flow Step SEC-PRV-1 Secure Provisioning-Initial Configuration SEC-PRV-2 Secure Provisioning-Full Configuration Step Description The initial device-unique CFG file is targeted to each IP Telephony device by compiling the CFG file with the spc -target option. This provides an initial level of encryption that does not require the exchange of keys. The initial device-unique CFG file reconfigures the profile parameters to enable stronger encryption by programming a 256-bit encryption key and pointing to a randomly-generated TFTP directory. For example, the CFG file might contain: Profile_Rule [--key $A] tftp.callme.com/profile/$B/ spa962.cfg; GPP_A 8e4ca259...; # 256 bit key GPP_B Gp3sqLn...; # random CFG file path directory Subsequent profile resync operations retrieve 256-bit encrypted CFG files that maintain the IP Telephony device in a state synchronized to the provisioning server. All remaining parameters are configured and maintained through this strongly encrypted profile. The encryption key and random directory location can be changed periodically for extra security. Using HTTPS The IP Telephony device provides a reliable and secure provisioning strategy based on HTTPS requests from the device to the provisioning server. Both a server certificate and a client certificate are used to authenticate the IP Telephony device to the server and the server to the IP Telephony device. To use HTTPS, you must generate a Certificate Signing Request (CSR) and submit it to Cisco. Cisco generates a certificate for installation on the provisioning server. The IP Telephony device accepts the certificate when it seeks to establish an HTTPS connection with the provisioning server. This procedure is described in the "HTTPS" section on page 26. Cisco Small Business IP Telephony Devices Provisioning Guide 16