Specifications

Setting Up Secure SRST
Information About Setting Up Secure SRST
Cisco IOS Survivable Remote Site Telephony Version 3.4 System Administrator Guide
Secure SRST Authentication and Encryption
Figure 4 illustrates the process of secure SRST authentication and encryption, and Table 8 describes the process.
Figure 4 Secure SRST Authentication and Encryption
Table 8 Overview of the Process of Secure SRST Authentication and Encryption
Process Steps   Description or Detail

1. The CA server, whether it is a Cisco IOS router CA or a third-party CA, issues a device certificate to the SRST gateway, enabling the credentials service. Optionally, the certificate can be self-generated by the SRST router using a Cisco IOS CA server. The CA router is the ultimate trustpoint for the Certificate Authority Proxy Function (CAPF). For more information on CAPF, see the Cisco CallManager Security Guide.

2. The CAPF is a process through which supported devices can request a locally significant certificate (LSC). The CAPF utility generates a key pair and certificate that are specific to CAPF, copies this certificate to all Cisco CallManager servers in the cluster, and provides the LSC to the Cisco IP phone. An LSC is required for Cisco IP phones that do not have a manufacturing-installed certificate (MIC). The Cisco 7970 is equipped with a MIC and therefore does not need to go through the CAPF process.

3. Cisco CallManager requests the SRST certificate from the credentials server, and the credentials server responds with the certificate.

4. For each device, Cisco CallManager uses the TFTP process and inserts the certificate into the SEPMACxxxx.cnf.xml configuration file of the Cisco IP phone.

5. Cisco CallManager provides the PEM format files that contain phone certificate information to the SRST router. Providing the PEM files to the SRST router is done manually; see SRST Routers and PKI, page 101, for more information. When the SRST router has the PEM files, the SRST router can authenticate the IP phone and validate the issuer of the IP phone's certificate during the TLS handshake.
[Figure 4, Secure SRST Authentication and Encryption (image not reproduced): the diagram labels show the Cisco IOS router CA or third-party CA, the credentials service on the SRST router, Cisco CallManager with its CAPF and TFTP processes, the SEPMACxxxx.cnf.xml file carrying the SRST cert, and the 7940/7960 IP phone (LSC) and 7970 IP phone (MIC) completing the TLS handshake; step markers 1 to 6 (6a, 6b) annotate the flows.]
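Step 5 is the point the whole process builds toward: at the TLS handshake the SRST router accepts a phone only if the certificate it presents chains to an issuer contained in the PEM files loaded on the router. The Go program below is an added example, not code from this guide or from Cisco; it builds a constructed CA and phone certificate (the names CAPF-test, Other-CA and SEP001122334455 are invented placeholders) and shows the issuer check passing for a phone certificate issued by the trusted CA and failing for one issued by an unrelated CA.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)
// makeCert builds constructed test material, not real Cisco certificates. With parent == nil it returns a
// self-signed CA (standing in for CAPF or a manufacturing CA); otherwise a leaf signed by parent (a phone LSC/MIC).
func makeCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed CA: sign the template with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key
}
// VerifyPhoneCert mirrors the SRST router's check at the TLS handshake (step 5 above): the phone's
// certificate is accepted only if it chains to an issuer present in the PEM files the router was given.
func VerifyPhoneCert(phonePEM []byte, issuerPEMs ...[]byte) error {
	block, _ := pem.Decode(phonePEM)
	if block == nil {
		return errors.New("phone certificate is not valid PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	for _, p := range issuerPEMs {
		roots.AppendCertsFromPEM(p) // an unparseable file simply adds no trust
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

A phone whose LSC or MIC was issued by a CA that is not among the PEM files is rejected with an unknown-authority error, which is the failure an operator sees when the PEM files were not copied to the SRST router.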