Home » Cisco Manuals » Telephony » Cisco SPA901-UK » Manual Viewer

Cisco SPA901-UK Provisioning Guide - Page 19

Client Certificates, Certificate Structure, Provisioning Cisco Small Business VoIP Devices

UPC - 745883570751

Add to My Manuals
Save this manual to your list of manuals

Page 19 highlights

Provisioning Cisco Small Business VoIP Devices Using HTTPS 1 Client Certificates In addition to a direct attack on an IP Telephony device, an attacker might attempt to contact a provisioning server by using a standard web browser or another HTTPS client to obtain the configuration profile from the provisioning server. To prevent this kind of attack, each IP Telephony device also carries a unique client certificate, also signed by Cisco, including identifying information about each individual endpoint. A certificate authority root certificate capable of authenticating the device client certificate is given to each service provider. This authentication path allows the provisioning server to reject unauthorized requests for configuration profiles. Certificate Structure The combination of a server certificate and a client certificate ensures secure communication between a remote IP Telephony device and its provisioning server. The Certificate Authority Flow figure illustrates the relationship and placement of certificates, public/private key pairs, and signing root authorities, among the Cisco client, the provisioning server, and the certification authority. The upper half of the diagram shows the Provisioning Server Root Authority that is used to sign the individual provisioning server certificate. The corresponding root certificate is compiled into the firmware, allowing the IP Telephony device to authenticate authorized provisioning servers. Cisco Small Business IP Telephony Devices Provisioning Guide 18

Section	Page
Provisioning Cisco Small Business VoIP Devices	8
Small Business and Residential Deployment Provisioning	8
Remote Endpoint Control and NAT	9
Communication Encryption	9
Provisioning Overview	10
Remote Firmware Upgrade	10
Initial Provisioning	11
Deploying RC Units	11
Redundant Provisioning Servers	12
Retail Provisioning	12
Automatic In-House Preprovisioning	13
Configuration Access Control	14
Configuration Profiles	14
Provisioning States	16
Using HTTPS	17
How HTTPS Works	18
Server Certificate	18
Client Certificates	19
Certificate Structure	19
Provisioning Setup	21
Software Tools	21
Server Configuration	22
HTTPS	24
Syslog Server	26
Where to Go From Here	27
Creating Provisioning Scripts	28
Configuration Profile and the SIP Profile Compiler	29
Open Format Configuration File	29
Element Tags, Attributes, Parameters, and Formatting	30
Configuration File Compression	34
File Encryption	35
Encrypting a File with the SPC	36
Generic	36
Targeted	37
Explicit Key	37
Status Messages	38
Sample Configuration File	38
Proprietary Plain-Text Configuration File	38
Source Text Syntax	39
Comments	41
Macro Expansion	41
Conditional Expressions	42
Assignment Expressions	44
URL Syntax	45
Optional Resync Arguments	46
Using Provisioning Parameters	48
General Purpose Parameters	49
Enables	49
Triggers	50
Configurable Schedules	51
Profile Rules	52
Report Rule	54
Upgrade Rule	56
Data Types	57
Provisioning Tutorial	62
Preparation	62
Basic Resync	63
TFTP Resync	64
Logging with syslog	65
Automatic Resync	66
Unique Profiles and Macro Expansion	68
URL Resolution	69
HTTP GET Resync	70
Secure Resync	71
Basic HTTPS Resync	71
HTTPS With Client Certificate Authentication	73
HTTPS Client Filtering and Dynamic Content	74
Profile Formats	76
Profile Compression	76
Profile Encryption	77
Partitioned Profiles	78
Parameter Name Aliases	79
Proprietary Profile Format	80
Provisioning Field Reference	82
Configuration Profile Parameters	83
Firmware Upgrade Parameters	88
General Purpose Parameters	89
Macro Expansion Variables	90
Internal Error Codes	93
Example Configuration Profile	94
Acronyms	108

Match case Limit results 1 per page

Provisioning Cisco Small Business VoIP Devices

Using HTTPS

Cisco Small Business IP Telephony Devices Provisioning Guide

Client Certificates

In addition to a direct attack on an IP Telephony device, an attacker might attempt

to contact a provisioning server by using a standard web browser or another

HTTPS client to obtain the configuration profile from the provisioning server. To

prevent this kind of attack, each IP Telephony device also carries a unique client

certificate, also signed by Cisco, including identifying information about each

individual endpoint. A certificate authority root certificate capable of

authenticating the device client certificate is given to each service provider. This

authentication path allows the provisioning server to reject unauthorized requests

for configuration profiles.

Certificate Structure

The combination of a server certificate and a client certificate ensures secure

communication between a remote IP Telephony device and its provisioning server.

The

Certificate Authority Flow

figure illustrates the relationship and placement of

certificates, public/private key pairs, and signing root authorities, among the Cisco

client, the provisioning server, and the certification authority.

The upper half of the diagram shows the Provisioning Server Root Authority that is

used to sign the individual provisioning server certificate. The corresponding root

certificate is compiled into the firmware, allowing the IP Telephony device to

authenticate authorized provisioning servers.