
Setting Up Secure SRST
Cisco IOS Survivable Remote Site Telephony Version 3.4 System Administrator Guide
How to Configure Secure SRST
The following configuration sections ensure that the secure SRST router and the Cisco IP phones can
request mutual authentication during the TLS handshake. The TLS handshake occurs when the phone
registers with the SRST router, either before or after the WAN link fails.
This section contains the following procedures:
Preparing the SRST Router for Secure Communication (required)
Importing Phone Certificate Files in PEM Format to the Secure SRST Router (required)
Configuring Cisco CallManager to the Secure SRST Router (required)
Enabling SRST Mode on the Secure SRST Router (required)
Verifying Phone Status and Registrations (required)
Preparing the SRST Router for Secure Communication
The following tasks prepare the SRST router to process secure communications.
Configuring a Certificate Authority Server on a Cisco IOS Certificate Server (optional)
Autoenrolling and Authenticating the Secure SRST Router to the CA Server (required)
Disabling Automatic Certificate Enrollment (required)
Verifying Certificate Enrollment (optional)
Enabling Credentials Service on the Secure SRST Router (required)
Troubleshooting Credential Settings (optional)
Configuring a Certificate Authority Server on a Cisco IOS Certificate Server
For SRST routers to provide secure communications, there must be a CA server in the network that
issues the device certificate. The CA server can be a third-party CA or one generated from a Cisco IOS
certificate server.
The Cisco IOS certificate server provides a certificate generation option to users who do not have a
third-party CA in their network. The Cisco IOS certificate server can run on the SRST router or on a
different Cisco IOS router.
If you do not have a third-party CA, full instructions on enabling and configuring a CA server can be
found in the Cisco IOS Certificate Server documentation. A sample configuration is provided below.
SUMMARY STEPS
1. crypto pki server cs-label
2. database level {minimal | names | complete}
3. database url root-url
4. issuer-name DN-string
5. grant auto
6. no shutdown
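
The following check is an added example, not part of the Cisco guide: it parses the certificate server commands from the summary steps and flags a server that still has grant auto set (assumed here to be what the later required task "Disabling Automatic Certificate Enrollment" removes) or that runs at database level minimal. The configuration text, server label, trustpoint name and address are constructed sample values.

```python
import re

# Constructed sample: the summary-step commands as entered on a router.
# The label, URL and issuer name are invented values, not from the guide.
SAMPLE_CONFIG = """\
crypto pki server example-cs
 database level minimal
 database url nvram:
 issuer-name CN=example-cs
 grant auto
 no shutdown
!
crypto pki trustpoint example-tp
 enrollment url http://192.0.2.1:80
"""

def parse_pki_servers(config_text):
    """Return {cs-label: settings} for every 'crypto pki server' block."""
    servers, current = {}, None
    for line in config_text.splitlines():
        header = re.match(r"crypto pki server (\S+)\s*$", line)
        if header:
            current = servers.setdefault(header.group(1), {
                "database level": None, "database url": None,
                "issuer-name": None, "grant auto": False, "enabled": None})
        elif current is not None and line[:1].isspace():
            cmd = line.strip()
            for key in ("database level", "database url", "issuer-name"):
                if cmd.startswith(key + " "):
                    current[key] = cmd[len(key):].strip()
            if cmd == "grant auto":
                current["grant auto"] = True
            elif cmd in ("shutdown", "no shutdown"):
                current["enabled"] = cmd == "no shutdown"
        else:
            current = None  # an unindented line closes the block
    return servers

def audit(servers):
    """List (cs-label, finding) pairs worth an operator's attention."""
    findings = []
    for label, cfg in servers.items():
        if cfg["grant auto"]:
            findings.append((label, "grant auto: requests are approved without review"))
        if cfg["database level"] in (None, "minimal"):
            findings.append((label, "database level minimal: no per-certificate record"))
    return findings

if __name__ == "__main__":
    for label, finding in audit(parse_pki_servers(SAMPLE_CONFIG)):
        print(f"{label}: {finding}")
```

An unset database level is treated as minimal because that is the IOS default.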