Cisco SPA901-UK Provisioning Guide - Page 24
HTTPS, following example shows - www ca
UPC - 745883570751
View all Cisco SPA901-UK manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 24 highlights
Provisioning Cisco Small Business VoIP Devices Provisioning Setup 1 HTTPS For increased security managing remotely deployed units, the IP Telephony device supports HTTPS for provisioning. Each newly manufactured IP Telephony device carries a unique SLL Client Certificate (and associated private key), in addition to a Sipura CA server root certificate. The latter allows the IP Telephony device to recognize authorized provisioning servers, and reject non-authorized servers. On the other hand, the client certificate allows the provisioning server to identify the individual device that issues the request. For a service provider to manage deployment by using HTTPS, a server certificate must be generated for each provisioning server to which the IP Telephony device resyncs by using HTTPS. The server certificate must be signed by the Cisco Server CA Root Key, whose certificate is carried by all deployed units. To obtain a signed server certificate, the service provider must forward a certificate signing request to Cisco, which signs and returns the server certificate for installation on the provisioning server. The provisioning server certificate must contain in the subject, the Common Name (CN) field, and the FQDN of the host running the server. It might optionally contain additional information following the host FQDN, separated by a slash (/) character. The following examples are of CN entries that are accepted as valid by the IP Telephony device: CN=sprov.callme.com CN=pv.telco.net/mailto:[email protected] CN=prof.voice.com/[email protected] In addition to verifying the server certificate, the IP Telephony device tests the server IP address against a DNS lookup of the server name specified in the server certificate. A certificate signing request can be generated using the OpenSSL utility. The following example shows the openssl command that produces a 1024-bit RSA public/private key pair and a certificate signing request: openssl req -new -out provserver.csr This command generates the server private key in privkey.pem and a corresponding certificate signing request in provserver.csr. In this example, the service provider keeps the privkey.pem secret and submits provserver.csr to Cisco for signing. Upon receiving the provserver.csr file, Cisco generates provserver.crt; the signed server certificate. Cisco Small Business IP Telephony Devices Provisioning Guide 23