Cisco SPA2102-AU Provisioning Guide - Page 23
Enabling HTTPS - firmware upgrade
View all Cisco SPA2102-AU manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 23 highlights
Chapter 1 Provisioning Linksys VoIP Devices For example, the following is the User-Agent request field from a SPA2102: User-Agent: Linksys/SPA-2102-2.0.5 (88012BA01234) Provisioning Setup Enabling HTTPS For increased security managing remotely deployed units, the SPA supports HTTPS for provisioning. To this end, each newly manufactured SPA carries a unique SLL Client Certificate (and associated private key), in addition to a Linksys CA server root certificate. The latter allow the SPA to recognize authorized provisioning servers, and reject non-authorized servers. On the other hand, the client certificate allows the provisioning server to identify the individual SPA issuing the request. In order for a service provider to manage SPA deployment using HTTPS, a server certificate needs to be generated for each provisioning server to which the SPA resyncs using HTTPS. The server certificate must be signed by the Linksys Server CA Root Key, whose certificate is carried by all deployed units. To obtain a signed server certificate, the service provider must forward a certificate signing request to Linksys, which signs and returns the server certificate for installation on the provisioning server. The provisioning server certificate must contain in the subject Common Name (CN field) the FQDN of the host running the server. It may optionally contain additional information following the host FQDN, separated by a / character. The following are examples of CN entries that would be accepted as valid by the SPA: CN=sprov.callme.com CN=pv.telco.net/mailto:[email protected] CN=prof.voice.com/[email protected] In addition to verifying the certificate chain of the provisioning server certificate, the SPA tests the server IP address against a DNS lookup of the server name specified in the server certificate. A certificate signing request can be generated using the OpenSSL utility. The following shows an example of the openssl command that produces a 1024-bit RSA public/private key pair and a certificate signing request: openssl req -new -out provserver.csr This command generates the server private key in privkey.pem and a corresponding certificate signing request in provserver.csr. In this example, the service provider keeps privkey.pem secret and submits provserver.csr to Linksys for signing. Upon receiving the provserver.csr file, Linksys generates provserver.crt, the signed server certificate. In addition, Linksys also provides a Linksys CA Client Root Certificate to the service provider. This root certificate certifies the authenticity of the client certificate carried by each SPA. The unique client certificate offered by each SPA during an HTTPS session carries identifying information embedded in its subject field. This information can be made available by the HTTPS server to a CGI script invoked to handle secure requests. In particular, the certificate subject indicates the unit product name (OU element), MAC address (S element), and serial number (L element). The following is an example of these elements from a SPA2102 client certificate subject field: OU=SPA-2102, L=88012BA01234, S=000e08abcdef Early SPA units, manufactured before firmware 2.0.x, do not contain individual SSL client certificates. When these units are upgraded to a firmware release in the 2.0.x tree, they become capable of connecting to a secure server using HTTPS, but are only able to supply a generic client certificate if requested to do so by the server. This generic certificate contains the following information in the SPA identifying fields: OU=Linksys.com, L=Linksysgeneric, S=Linksysgeneric Version 3.0 Linksys SPA Provisioning Guide 1-13