Linksys SPA921 Cisco Small Business IP Telephony Devices Provisioning Guide - Page 28



Provisioning Cisco Small Business VoIP Devices
Provisioning Setup

Enabling HTTPS
For increased security when managing remotely deployed units, the IP Telephony Device supports HTTPS for provisioning. To this end, each newly manufactured IP Telephony Device carries a unique SSL client certificate (and associated private key), in addition to a Sipura CA server root certificate. The latter allows the IP Telephony Device to recognize authorized provisioning servers and reject nonauthorized servers. The client certificate, in turn, allows the provisioning server to identify the individual device that issues the request.
In order for a service provider to manage deployment by using HTTPS, a server certificate needs to be generated for each provisioning server to which the IP Telephony Device resyncs using HTTPS. The server certificate must be signed by the Cisco Server CA Root Key, whose certificate is carried by all deployed units. To obtain a signed server certificate, the service provider must forward a certificate signing request to Cisco, which signs and returns the server certificate for installation on the provisioning server.
The provisioning server certificate must contain in the subject Common Name (CN field) the FQDN of the host running the server. It may optionally contain additional information following the host FQDN, separated by a / character. The following are examples of CN entries that would be accepted as valid by the IP Telephony Device:

CN=sprov.callme.com
CN=pv.telco.net/mailto:[email protected]
CN=prof.voice.com/[email protected]

In addition to verifying the server certificate, the IP Telephony Device tests the server IP address against a DNS lookup of the server name specified in the server certificate.
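The two device-side checks just described (the CN must start with the server's FQDN, optionally followed by a / and extra text, and the address the phone connected to must appear in a DNS lookup of that FQDN) can be modelled in a few lines. The following is an added example written for this page, not Cisco or Sipura firmware code; it assumes an RFC 1123-style hostname syntax for the FQDN part (the guide only says "FQDN") and uses a constructed in-memory resolver in place of the device's real DNS lookup so it runs offline.

```python
"""Model of the server-certificate CN and DNS cross-checks an HTTPS-provisioned
IP phone applies, as described in the provisioning guide.
Constructed example: not the device's actual implementation."""
import ipaddress
import re
from typing import Callable, Iterable, Optional, Tuple

# Assumed hostname label rule (RFC 1123 style): letters, digits and hyphens,
# 1-63 characters, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def split_cn(cn: str) -> Tuple[str, Optional[str]]:
    """Split a CN of the form 'fqdn' or 'fqdn/extra' into (fqdn, extra).
    Everything after the first '/' is opaque extra information."""
    host, sep, extra = cn.partition("/")
    return host, (extra if sep else None)


def is_fqdn(host: str) -> bool:
    """True if host looks like a fully qualified DNS name (at least two labels)."""
    if not host or len(host) > 253 or "." not in host:
        return False
    labels = host.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def cn_is_valid(cn: str) -> bool:
    """CN is acceptable when its host part (before any '/') is an FQDN."""
    host, _ = split_cn(cn)
    return is_fqdn(host)


# A resolver maps a hostname to the textual IP addresses it resolves to.
Resolver = Callable[[str], Iterable[str]]


def server_matches_cn(cn: str, server_ip: str, resolve: Resolver) -> bool:
    """Accept the server only if the CN host is a well-formed FQDN and the
    address the device actually connected to is among the addresses that
    name resolves to. Any lookup or parse failure is treated as a reject."""
    host, _ = split_cn(cn)
    if not is_fqdn(host):
        return False
    try:
        connected = ipaddress.ip_address(server_ip)
    except ValueError:
        return False
    try:
        answers = {ipaddress.ip_address(a) for a in resolve(host)}
    except (OSError, ValueError):
        return False
    return connected in answers


# Constructed DNS data standing in for the device's real lookup (documentation
# address ranges only).
FAKE_DNS = {
    "sprov.callme.com": ["192.0.2.10"],
    "pv.telco.net": ["198.51.100.5", "198.51.100.6"],
    "prof.voice.com": ["203.0.113.7"],
}


def fake_resolve(host: str) -> Iterable[str]:
    """Offline resolver: returns the constructed answers for a name."""
    return FAKE_DNS.get(host.rstrip("."), [])


if __name__ == "__main__":
    for cn, ip in [
        ("sprov.callme.com", "192.0.2.10"),          # accepted
        ("pv.telco.net/mailto:[email protected]", "198.51.100.6"),  # accepted, extra ignored
        ("pv.telco.net/mailto:[email protected]", "192.0.2.10"),    # IP not in lookup: rejected
        ("localhost", "127.0.0.1"),                   # not an FQDN: rejected
    ]:
        print(f"{cn!r:45} from {ip:14} -> {server_matches_cn(cn, ip, fake_resolve)}")
```

One practical consequence of the "/" convention when you generate the CSR with openssl: in the -subj argument the / character is itself the RDN separator, so a CN such as pv.telco.net/mailto:... must have that slash escaped as \/ (or the CN entered interactively at the prompt) or openssl will read the text after the slash as a second, malformed attribute.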
A certificate signing request can be generated using the OpenSSL utility. The following shows an example of the openssl command that produces a 1024-bit RSA public/private key pair and a certificate signing request:

openssl req -new -out provserver.csr

This command generates the server private key in privkey.pem and a corresponding certificate signing request in provserver.csr. In this example, the service provider keeps privkey.pem secret and submits provserver.csr to Cisco for signing. Upon receiving the provserver.csr file, Cisco generates provserver.crt, the signed server certificate.