Setting Up Secure SRST
How to Configure Secure SRST
Cisco IOS Survivable Remote Site Telephony Version 3.4 System Administrator Guide
DETAILED STEPS
Step 1 show credentials
Use the show credentials command to display the credential settings on the SRST router that are
supplied to Cisco CallManager for use during secure SRST fallback.
Router# show credentials
Credentials IP: 10.1.1.22
Credentials PORT: 2445
Trustpoint: srstca
Step 2 debug credentials
Use the debug credentials command to set debugging on the credential settings of the SRST router.
Router# debug credentials
Credentials server debugging is enabled
Router#
Sep 29 01:01:50.903: Credentials service: Start TLS Handshake 1 10.1.1.13 2187
Sep 29 01:01:50.903: Credentials service: TLS Handshake returns OPSSLReadWouldBlockErr
Sep 29 01:01:51.903: Credentials service: TLS Handshake returns OPSSLReadWouldBlockErr
Sep 29 01:01:52.907: Credentials service: TLS Handshake returns OPSSLReadWouldBlockErr
Sep 29 01:01:53.927: Credentials service: TLS Handshake completes.
Importing Phone Certificate Files in PEM Format to the Secure SRST Router
This task completes the provisioning tasks required of Cisco IP phones to authenticate secure SRST. The
secure SRST router must retrieve phone certificates so that it can authenticate Cisco IP phones during
the TLS handshake. Different certificates are used for different IP phones. Table 7 on page 101 lists the
certificates needed for each type of phone.
You must manually import certificates from Cisco CallManager to the SRST router. The number of
certificates depends on the Cisco CallManager configuration. Manual enrollment refers to cut and paste
or TFTP. For manual enrollment instructions, see the Manual Certificate Enrollment (TFTP and
Cut-and-Paste) feature. Repeat the enrollment procedure for each phone or PEM file.
Note To complete this task, copy and paste the Cisco CallManager certificates to the SRST router as directed.
That is, after using the crypto pki authenticate command, you will receive a prompt. Open the .0 files
with Windows Wordpad or Notepad, and copy and paste the contents to the SRST router console. Then,
repeat the procedure with the .pem file. Copy all of the contents that appear between "-----BEGIN
CERTIFICATE-----" and "-----END CERTIFICATE-----".
Certificates are located in Cisco CallManager in the following location: In the menu bar in
Cisco CallManager, choose Program Files > Cisco > Certificates.
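A pre-paste check for the copy-and-paste step above, as an added example that is not part of the Cisco guide: it pulls each BEGIN/END CERTIFICATE block out of the text of a .0 or .pem file, confirms that the base64 body decodes to one well-framed DER structure, and returns the block normalized for the console. The function names and the sample data are constructed for illustration, and the check covers framing only, not the certificate's signature or validity.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_total_length(der):
    """Size the outer DER SEQUENCE header claims, or None if it is malformed."""
    if len(der) < 2 or der[0] != 0x30:      # a certificate is a DER SEQUENCE
        return None
    if der[1] < 0x80:                       # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def extract_certificates(text):
    """Return [(paste_block, problem)]; problem is None when framing is intact."""
    results = []
    for match in PEM_RE.finditer(text):
        body = "".join(match.group(1).split())   # drop CR/LF and stray spaces
        problem = None
        try:
            der = base64.b64decode(body, validate=True)
            if der_total_length(der) != len(der):
                problem = "DER length mismatch (truncated or extra data)"
        except ValueError:   # binascii.Error or a non-ASCII character
            problem = "body is not valid base64"
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        block = "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                           "-----END CERTIFICATE-----"])
        results.append((block, problem))
    return results

# Constructed placeholder bytes with valid DER framing; NOT a real certificate.
SAMPLE_DER = b"\x30\x81\x90" + bytes(range(144))
_b64 = base64.b64encode(SAMPLE_DER).decode()
# Simulates a file opened in a Windows editor: CRLF line ends, text around it.
GOOD_FILE = ("subject=placeholder\r\n-----BEGIN CERTIFICATE-----\r\n"
             + "\r\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
             + "\r\n-----END CERTIFICATE-----\r\n")
# Simulates a partial copy: the last base64 group was lost.
TRUNCATED_FILE = GOOD_FILE.replace(_b64[-4:] + "\r\n-----END", "-----END")

if __name__ == "__main__":
    for name, text in (("good", GOOD_FILE), ("truncated", TRUNCATED_FILE)):
        for block, problem in extract_certificates(text):
            print(name, "->", problem or "OK to paste")
```

Paste only blocks whose problem is None; a block that fails here was damaged before it reached the router.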
Note HTTP automatic enrollment from Cisco CallManager through a virtual web server is not yet supported.