Linksys SPA921 Cisco Small Business IP Telephony Devices Provisioning Guide - Page 29



Provisioning Cisco Small Business VoIP Devices
Provisioning Setup
Cisco Small Business IP Telephony Devices Provisioning Guide

In addition, Cisco provides a Sipura CA Client Root Certificate to the service
provider. This root certificate certifies the authenticity of the client certificate
carried by each IP Telephony Device.

The unique client certificate offered by each device during an HTTPS session
carries identifying information embedded in its subject field. This information can
be made available by the HTTPS server to a CGI script invoked to handle secure
requests. In particular, the certificate subject indicates the unit product name (OU
element), MAC address (S element), and serial number (L element). The following
is an example of these elements from a SPA962 client certificate subject field:

OU=SPA-962, L=88012BA01234, S=000e08abcdef

Early units, manufactured before firmware 2.0.x, do not contain individual SSL
client certificates. When these units are upgraded to a firmware release in the
2.0.x tree, they become capable of connecting to a secure server using HTTPS,
but are only able to supply a generic client certificate if requested to do so by the
server. This generic certificate contains the following information in the identifying
fields:

OU=cisco.com, L=ciscogeneric, S=ciscogeneric

To determine if an IP Telephony Device carries an individualized certificate, use the
$CCERT provisioning macro variable, whose value expands to either Installed or
Not Installed, according to the presence or absence of a unique client certificate.
In the case of a generic certificate, it is possible to obtain the serial number of the
unit from the HTTP request header, in the User-Agent field.

HTTPS servers can be configured to request SSL certificates from connecting
clients. If enabled, the server can verify the client certificate by using the Sipura
CA Client Root Certificate supplied by Cisco. It can then provide the certificate
information to a CGI for further processing.
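
The following sketch shows how a CGI handler could tell a unit with an individual certificate from one presenting the generic certificate, using the subject elements described above. It is an added example, not code from the Cisco guide; the names identify_device, parse_subject and chain_verified are hypothetical, and it assumes the server passes the subject to the CGI in the comma-separated form printed on this page, together with the result of its certificate verification.

```python
import re

# Subject values of the generic certificate, as listed on this page.
GENERIC_SUBJECT = {"OU": "cisco.com", "L": "ciscogeneric", "S": "ciscogeneric"}
# Assumed value shapes, inferred from the page's SPA962 sample subject.
MAC_RE = re.compile(r"[0-9A-Fa-f]{12}")
SERIAL_RE = re.compile(r"[0-9A-Za-z]+")


def parse_subject(subject):
    """Split 'OU=..., L=..., S=...' into a dict, rejecting malformed input."""
    fields = {}
    for part in subject.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or not key or key in fields:
            raise ValueError("malformed or duplicated subject element: %r" % part)
        fields[key] = value.strip()
    return fields


def identify_device(subject, chain_verified):
    """Classify a provisioning client from its certificate subject.

    chain_verified must be True only when the HTTPS server has validated the
    client certificate against the Sipura CA Client Root Certificate.
    """
    if not chain_verified:
        raise ValueError("client certificate was not verified by the server")
    fields = parse_subject(subject)
    missing = [k for k in ("OU", "L", "S") if k not in fields]
    if missing:
        raise ValueError("subject lacks elements: %s" % ", ".join(missing))
    if all(fields[k] == v for k, v in GENERIC_SUBJECT.items()):
        # The generic certificate is not individual to a unit, so it cannot
        # identify one device; a serial read from User-Agent is client-asserted.
        return {"kind": "generic", "product": None, "serial": None, "mac": None}
    if not MAC_RE.fullmatch(fields["S"]) or not SERIAL_RE.fullmatch(fields["L"]):
        raise ValueError("unexpected serial number or MAC address format")
    return {"kind": "unique", "product": fields["OU"],
            "serial": fields["L"], "mac": fields["S"].lower()}


if __name__ == "__main__":
    # Constructed inputs: the two sample subjects printed on this page.
    for dn in ("OU=SPA-962, L=88012BA01234, S=000e08abcdef",
               "OU=cisco.com, L=ciscogeneric, S=ciscogeneric"):
        print(identify_device(dn, chain_verified=True))
```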

The location for storing certificates may vary. For example, on an Apache
installation, the file paths for storing the provisioning server signed certificate, its
associated private key, and the Sipura CA client root certificate are likely to be as
follows:

# Server Certificate:
SSLCertificateFile /etc/httpd/conf/provserver.crt
# Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/provserver.key
# Certificate Authority (CA):
SSLCACertificateFile /etc/httpd/conf/spacroot.crt