Linksys SPA921 Cisco Small Business IP Telephony Devices Provisioning Guide - Page 23

Provisioning Cisco Small Business VoIP Devices Using HTTPS 1 Client Certificates In addition to a direct attack on an IP Telephony Device, an attacker might attempt to contact a provisioning server by using a standard web browser or other HTTPS client, to obtain the configuration profile from the provisioning server. To prevent this kind of attack, each IP Telephony Device also carries a unique client certificate, also signed by Cisco, including identifying information about each individual endpoint. A certificate authority root certificate capable of authenticating the device client certificate is given to each service provider. This authentication path allows the provisioning server to reject unauthorized requests for configuration profiles. Certificate Structure The combination of a server certificate and a client certificate ensures secure communication between a remote IP Telephony Device and its provisioning server. The "Certificate Authority Flow" figure illustrates the relationship and placement of certificates, public/private key pairs, and signing root authorities, among the Cisco client, the provisioning server, and the certification authority. The upper half of the diagram shows the Provisioning Server Root Authority, which is used to sign the individual provisioning server certificate. The corresponding root certificate is compiled into the firmware, allowing the IP Telephony Device to authenticate authorized provisioning servers. Cisco Small Business IP Telephony Devices Provisioning Guide 21