Cisco SPA901-UK Provisioning Guide - Page 24

HTTPS, following example shows - www ca

Get Cisco SPA901-UK - Small Business Pro PDF manuals and user guides
UPC - 745883570751
View all Cisco SPA901-UK manuals
Add to My Manuals
Save this manual to your list of manuals

Page 24 highlights

Provisioning Cisco Small Business VoIP Devices Provisioning Setup 1 HTTPS For increased security managing remotely deployed units, the IP Telephony device supports HTTPS for provisioning. Each newly manufactured IP Telephony device carries a unique SLL Client Certificate (and associated private key), in addition to a Sipura CA server root certificate. The latter allows the IP Telephony device to recognize authorized provisioning servers, and reject non-authorized servers. On the other hand, the client certificate allows the provisioning server to identify the individual device that issues the request. For a service provider to manage deployment by using HTTPS, a server certificate must be generated for each provisioning server to which the IP Telephony device resyncs by using HTTPS. The server certificate must be signed by the Cisco Server CA Root Key, whose certificate is carried by all deployed units. To obtain a signed server certificate, the service provider must forward a certificate signing request to Cisco, which signs and returns the server certificate for installation on the provisioning server. The provisioning server certificate must contain in the subject, the Common Name (CN) field, and the FQDN of the host running the server. It might optionally contain additional information following the host FQDN, separated by a slash (/) character. The following examples are of CN entries that are accepted as valid by the IP Telephony device: CN=sprov.callme.com CN=pv.telco.net/mailto:[email protected] CN=prof.voice.com/[email protected] In addition to verifying the server certificate, the IP Telephony device tests the server IP address against a DNS lookup of the server name specified in the server certificate. A certificate signing request can be generated using the OpenSSL utility. The following example shows the openssl command that produces a 1024-bit RSA public/private key pair and a certificate signing request: openssl req -new -out provserver.csr This command generates the server private key in privkey.pem and a corresponding certificate signing request in provserver.csr. In this example, the service provider keeps the privkey.pem secret and submits provserver.csr to Cisco for signing. Upon receiving the provserver.csr file, Cisco generates provserver.crt; the signed server certificate. Cisco Small Business IP Telephony Devices Provisioning Guide 23

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
Provisioning Cisco Small Business VoIP Devices
Provisioning Setup
Cisco Small Business IP Telephony Devices Provisioning Guide
23
1
HTTPS
For increased security managing remotely deployed units, the IP Telephony
device supports HTTPS for provisioning. Each newly manufactured IP Telephony
device carries a unique SLL Client Certificate (and associated private key), in
addition to a Sipura CA server root certificate. The latter allows the IP Telephony
device to recognize authorized provisioning servers, and reject non-authorized
servers. On the other hand, the client certificate allows the provisioning server to
identify the individual device that issues the request.
For a service provider to manage deployment by using HTTPS, a server certificate
must be generated for each provisioning server to which the IP Telephony device
resyncs by using HTTPS. The server certificate must be signed by the Cisco
Server CA Root Key, whose certificate is carried by all deployed units. To obtain a
signed server certificate, the service provider must forward a certificate signing
request to Cisco, which signs and returns the server certificate for installation on
the provisioning server.
The provisioning server certificate must contain in the subject, the Common Name
(CN) field, and the FQDN of the host running the server. It might optionally contain
additional information following the host FQDN, separated by a slash (/) character.
The following examples are of CN entries that are accepted as valid by the IP
Telephony device:
CN=sprov.callme.com
CN=pv.telco.net/mailto:[email protected]
CN=prof.voice.com/[email protected]
In addition to verifying the server certificate, the IP Telephony device tests the
server IP address against a DNS lookup of the server name specified in the server
certificate.
A certificate signing request can be generated using the OpenSSL utility. The
following example shows the
openssl
command that produces a 1024-bit RSA
public/private key pair and a certificate signing request:
openssl req –new –out provserver.csr
This command generates the server private key in
privkey.pem
and a
corresponding certificate signing request in
provserver.csr
. In this example, the
service provider keeps the
privkey.pem
secret and submits
provserver.csr
to
Cisco for signing. Upon receiving the
provserver.csr
file, Cisco generates
provserver.crt
; the signed server certificate.