Cisco SPA901-UK Provisioning Guide - Page 25
In addition, Cisco provides a Sipura CA Client Root Certificate to the service
UPC - 745883570751
View all Cisco SPA901-UK manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 25 highlights
Provisioning Cisco Small Business VoIP Devices Provisioning Setup 1 In addition, Cisco provides a Sipura CA Client Root Certificate to the service provider. This root certificate certifies the authenticity of the client certificate carried by each IP Telephony device. The unique client certificate offered by each device during an HTTPS session carries identifying information embedded in its subject field. This information can be made available by the HTTPS server to a CGI script invoked to handle secure requests. In particular, the certificate subject indicates the unit product name (OU element), MAC address (S element), and serial number (L element). The following example from a SPA962 client certificate subject field shows these elements: OU=SPA-962, L=88012BA01234, S=000e08abcdef Early units, manufactured before firmware 2.0.x, do not contain individual SSL client certificates. When these units are upgraded to a firmware release in the 2.0.x tree, they become capable of connecting to a secure server using HTTPS, but are only able to supply a generic client certificate if requested to do so by the server. This generic certificate contains the following information in the identifying fields: OU=cisco.com, L=ciscogeneric, S=ciscogeneric To determine if an IP Telephony device carries an individualized certificate, use the $CCERT provisioning macro variable. The variable value expands to either Installed or Not Installed, according to the presence or absence of a unique client certificate. In the case of a generic certificate, it is possible to obtain the serial number of the unit from the HTTP request header in the User-Agent field. HTTPS servers can be configured to request SSL certificates from connecting clients. If enabled, the server can verify the client certificate by using the Sipura CA Client Root Certificate supplied by Cisco. It can then provide the certificate information to a CGI for further processing. The location for storing certificates might vary. For example, on an Apache installation, the file paths for storing the provisioning server-signed certificate, its associated private key, and the Sipura CA client root certificate are as follows: # Server Certificate: SSLCertificateFile /etc/httpd/conf/provserver.crt # Server Private Key: SSLCertificateKeyFile /etc/httpd/conf/provserver.key # Certificate Authority (CA): SSLCACertificateFile /etc/httpd/conf/spacroot.crt Cisco Small Business IP Telephony Devices Provisioning Guide 24