Linksys SPA921 Cisco Small Business IP Telephony Devices Provisioning Guide - Page 28
Enabling HTTPS, openssl
UPC - 745883570799
View all Linksys SPA921 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 28 highlights
Provisioning Cisco Small Business VoIP Devices Provisioning Setup 1 Enabling HTTPS For increased security managing remotely deployed units, the IP Telephony Device supports HTTPS for provisioning. To this end, each newly manufactured IP Telephony Device carries a unique SLL Client Certificate (and associated private key), in addition to a Sipura CA server root certificate. The latter allows the IP Telephony Device to recognize authorized provisioning servers, and reject nonauthorized servers. On the other hand, the client certificate allows the provisioning server to identify the individual device that issues the request. In order for a service provider to manage deployment by using HTTPS, a server certificate needs to be generated for each provisioning server to which the IP Telephony Device resyncs using HTTPS. The server certificate must be signed by the Cisco Server CA Root Key, whose certificate is carried by all deployed units. To obtain a signed server certificate, the service provider must forward a certificate signing request to Cisco, which signs and returns the server certificate for installation on the provisioning server. The provisioning server certificate must contain in the subject Common Name (CN field) the FQDN of the host running the server. It may optionally contain additional information following the host FQDN, separated by a / character. The following are examples of CN entries that would be accepted as valid by the IP Telephony Device: CN=sprov.callme.com CN=pv.telco.net/mailto:[email protected] CN=prof.voice.com/[email protected] In addition to verifying the server certificate, the IP Telephony Device tests the server IP address against a DNS lookup of the server name specified in the server certificate. A certificate signing request can be generated using the OpenSSL utility. The following shows an example of the openssl command that produces a 1024-bit RSA public/private key pair and a certificate signing request: openssl req -new -out provserver.csr This command generates the server private key in privkey.pem and a corresponding certificate signing request in provserver.csr. In this example, the service provider keeps privkey.pem secret and submits provserver.csr to Cisco for signing. Upon receiving the provserver.csr file, Cisco generates provserver.crt, the signed server certificate. Cisco Small Business IP Telephony Devices Provisioning Guide 26