Specifications

Setting Up Secure SRST
How to Configure Secure SRST
Cisco IOS Survivable Remote Site Telephony Version 3.4 System Administrator Guide
Step 2 show crypto pki server
Use the show crypto pki server command to verify the status of the CA server after a boot procedure.
Router# show crypto pki server
Certificate Server srstcaserver:
Status: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=srstcaserver
CA cert fingerprint: AC9919F5 CAFE0560 92B3478A CFF5EC00
Granting mode is: auto
Last certificate issued serial number: 0x2
CA certificate expiration timer: 13:46:57 PST Dec 1 2007
CRL NextUpdate timer: 14:54:57 PST Jan 19 2005
Current storage dir: nvram
Database Level: Complete - all issued certs written as <serialnum>.cer
Enabling Credentials Service on the Secure SRST Router
Once the SRST router has its own certificate, you need to provide the certificate to Cisco CallManager.
Enabling the credentials service allows Cisco CallManager to retrieve the secure SRST device certificate
and place it in the configuration file of the Cisco IP phone.
Activate the credentials service on all SRST routers.
Note: A security best practice is to protect the credentials service port using Control Plane Policing. Control
Plane Policing protects the gateway and maintains packet forwarding and protocol states despite a heavy
traffic load. For more information on control planes, see the Control Plane Policing documentation. In
addition, a sample configuration is given in the “Control Plane Policing: Example” section on page 132.
SUMMARY STEPS
1. credentials
2. ip source-address ip-address [port port]
3. trustpoint trustpoint-name
4. exit