Cisco IP Phone Authentication and Encryption for Cisco CallManager 4.0(1)
Certificate Authority Proxy Function

This chapter provides information on the following topics:

Certificate Authority Proxy Function Overview

Downloading the Certificate Authority Proxy Function

Installing the Certificate Authority Proxy Function

Upgrading Certificate Authority Proxy Function

Using CAPF to Generate Phone Certificates

Updating CAPF Settings

CAPF Settings and Commands

Installing the Locally Significant Certificate on Supported Phones

Upgrading the Locally Significant Certificate on the Phone

Deleting the Locally Significant Certificate on the Phone

Certificate Authority Proxy Function Overview

The Certificate Authority Proxy Function (CAPF) utility can perform the following tasks, depending on your configuration:

Issue locally significant certificates to supported Cisco IP Phone models.

Using SCEP, request certificates from third-party certificate authorities on behalf of supported Cisco IP Phone models.

Upgrade existing certificates on the phones.

Retrieve phone certificates for viewing.

Delete locally significant certificates on the phone.

After you install and use the CAPF utility, the phone generates a public/private key pair, encrypts, signs, and decrypts some messages, and stores, retrieves, and deletes the certificate and the key pair. The CAPF utility performs other necessary tasks that are associated with the certificates, including installing and upgrading locally significant certificates on the phone.

The CAPF utility generates a key pair and certificate that is specific for CAPF, and the utility copies this certificate to all Cisco CallManager servers in the cluster.


Tip The CAPF certificate uses the .0 extension. To verify that the utility copied the CAPF certificate to the servers, browse to C:\Program Files\Cisco\Certificates on each server in the cluster, and locate the file that ends with .0.

Verify that the same certificate exists in the directory where you installed CAPF.
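One way to script the check in the tip above, as an added example that is not part of the Cisco documentation: it hashes every file ending in .0 and reports whether each server's copy matches the one in the directory where CAPF was installed. The directory arguments (for example, local copies or administrative shares of C:\Program Files\Cisco\Certificates) and the file name capf.0 used in the demo are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def cert_digests(directory):
    """Map each file name ending in .0 to the SHA-256 digest of its bytes."""
    return {
        p.name: hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(Path(directory).iterdir())
        if p.is_file() and p.name.endswith(".0")
    }


def compare_capf_certs(capf_dir, server_dirs):
    """Compare each server's certificate directory with the CAPF directory.

    capf_dir    -- directory where CAPF was installed (reference copy)
    server_dirs -- {server name: path to that server's Certificates directory}

    Returns {server name: status}, where status is
      "match"    every .0 file from capf_dir is present byte-for-byte
      "mismatch" the server has .0 files, but not the reference certificate
      "missing"  the server has no .0 file (or the directory is unreachable)
    Matching is by content, not by file name, so a renamed copy still matches.
    """
    reference = set(cert_digests(capf_dir).values())
    if not reference:
        raise ValueError(f"no .0 certificate found in {capf_dir}")
    report = {}
    for server, directory in server_dirs.items():
        found = cert_digests(directory) if Path(directory).is_dir() else {}
        if not found:
            report[server] = "missing"
        elif reference <= set(found.values()):
            report[server] = "match"
        else:
            report[server] = "mismatch"
    return report


def demo():
    """Run the comparison over constructed directories (not real servers)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cert = b"constructed CAPF certificate bytes"
        layout = {
            "capf": {"capf.0": cert},                        # reference copy
            "pub": {"capf.0": cert},                         # copied correctly
            "sub1": {"capf.0": b"stale certificate bytes"},  # older certificate
            "sub2": {},                                      # copy never arrived
        }
        for name, files in layout.items():
            (root / name).mkdir()
            for file_name, data in files.items():
                (root / name / file_name).write_bytes(data)
        servers = {name: root / name for name in ("pub", "sub1", "sub2")}
        return compare_capf_certs(root / "capf", servers)


if __name__ == "__main__":
    for server, status in demo().items():
        print(f"{server}: {status}")
```

A "mismatch" or "missing" result means that server does not hold the current CAPF certificate and needs attention before phones are enrolled.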


After the utility generates the CAPF key pair and certificate, you use the CAPF command line interface (CLI) so that CAPF retrieves phone records from the Cisco CallManager database. The first time that you use CAPF, the following information displays for each Cisco IP Phone 7960 and 7940 that exists in the Cisco CallManager database:

Device Name

Corresponding description

Corresponding directory number for line 1

Unique authentication string

After you identify where the phone is located, you or the phone user must enter the authentication string on the phone.

The phone information from the database displays for each Cisco IP Phone 7960 and 7940. If thousands of phones exist in the cluster, the CLI may not display all phones. The CAPF utility logs the phone record information in C:\Program Files\Cisco\CAPF\Trace\CAPF.csv. If you have access to software that converts CSV files, such as Microsoft Excel, you can convert the CAPF.csv file and view the records by using that software.

Likewise, on the server where you installed CAPF, all information logs to C:\Program Files\Cisco\CAPF\Trace\capf<xxxxx>.log, where <xxxxx> represents an increasing number. When the log file includes many entries, the utility creates a new log file and increments the name of the log file by one number. Always review the last line in the file to determine if the information spans across multiple files.

The CAPF utility stamps all logs in the capf.log file with the time and date. The CAPF utility does not delete or overwrite the capf.log files. If the disk runs out of space, you may need to delete the older log files and retain the newer files.


Caution Cisco IP Telephony Backup and Restore System (BARS) does not back up CAPF log or CSV files.

The following requirements exist for the CAPF utility:

Cisco recommends that you install the CAPF utility on the publisher database server. If you install the utility on another server in the cluster, be aware that using the utility may adversely affect Cisco CallManager performance. Cisco strongly recommends that you use the CAPF utility during a scheduled maintenance window.

If Cisco Security Agent (CSA) or Cisco-approved, third party applications exist on the server where you plan to install the CAPF utility, disable the services that are associated with the applications before you download the utility. Do not enable the services at any time during the installation. Failing to disable the services may cause installation interruptions or errors. For information on how to disable the CSA services, refer to the CSA installation document that supports this version of Cisco CallManager.

All servers in the Cisco CallManager 4.0 cluster must use the same administrator username and password, so the CAPF utility can authenticate to all servers in the cluster.

You must have administrative privileges on the server to use the utility.

Install one CAPF utility per cluster. If you have multiple clusters, you must install the utility on a server in each cluster.

The server where you installed CAPF must have a certificate that associates with it, and the CTL file must contain a certificate entry for the CAPF server.

You can use Microsoft Certificate Services with CAPF if the Microsoft Certificate Services software runs on a Windows 2003 server. For information on how to use this software or for troubleshooting support, contact the certificate authority vendor directly.

If the utility will request certificates from Microsoft Certificate Services, you must enter the necessary configuration information, for example, the IP address or hostname, for this certificate authority in the CAPF CLI.

If you plan to use Microsoft Certificate Services, you must install the SCEP add-on on the server where you install Microsoft Certificate Services. To obtain the SCEP add-on, contact the certificate authority vendor directly.

Related Topics

System Requirements, page 1-4

Interactions and Restrictions, page 1-4

Downloading the Certificate Authority Proxy Function

Installing the Certificate Authority Proxy Function

Upgrading Certificate Authority Proxy Function

Using CAPF to Generate Phone Certificates

Updating CAPF Settings

CAPF Settings and Commands

Installing the Locally Significant Certificate on Supported Phones

Troubleshooting, page 5-1

Downloading the Certificate Authority Proxy Function


Caution Cisco recommends that you download and install the utility on the publisher database server. If you install the utility on another server in the cluster, be aware that the utility may adversely affect Cisco CallManager performance. Use the utility during a scheduled maintenance window.


Caution If Cisco Security Agent (CSA) or Cisco-approved, third party applications exist on the server where you plan to install the CAPF utility, disable the services that are associated with the applications before you download the utility. Do not enable the services at any time during the installation. Failing to disable the services may cause installation interruptions or errors. For information on how to disable the CSA services, refer to the CSA installation document that supports this version of Cisco CallManager.

Perform the following procedure to download the Certificate Authority Proxy Function:

Procedure


Step 1 Click http://www.cisco.com/kobayashi/sw-center/sw-voice.shtml.

You must have a Cisco Connection Online (CCO) username and password to obtain the software from the web.

Step 2 Click Cisco CallManager 4.0.

Step 3 On the page that displays, locate the file name that begins with CAPF.

Step 4 Download the file to the hard drive on the server.

Step 5 Note the location where you save the downloaded file.


Related Topics

Installing the Certificate Authority Proxy Function

Upgrading Certificate Authority Proxy Function

Using CAPF to Generate Phone Certificates

Updating CAPF Settings

CAPF Settings and Commands

Installing the Certificate Authority Proxy Function

To install the Certificate Authority Proxy Function, perform the following procedure:

Procedure


Step 1 On the server where you downloaded the executable, double-click the downloaded file to begin the installation.

Step 2 In the Welcome window, click Next.

Step 3 Enter your full name and name of your organization. Choose who can use this application. Click Next.

Step 4 Choose the location where the files will install. If you want to do so, click Browse to navigate to the location. After you choose the location, click Next.

Step 5 To begin the installation, click Next.

Step 6 Click Finish.



Tip To verify that the CAPF utility installed, see the "Troubleshooting the CAPF Utility" section on page 5-24.


Related Topics

System Requirements, page 1-4

Interactions and Restrictions, page 1-4

Certificate Authority Proxy Function Overview

Installing the Certificate Authority Proxy Function

Upgrading Certificate Authority Proxy Function

Using CAPF to Generate Phone Certificates

Updating CAPF Settings

CAPF Settings and Commands

Troubleshooting, page 5-1

Upgrading Certificate Authority Proxy Function

When you upgrade CAPF, the installation package, for example, MSI, checks whether a previous version of the application exists on the server or workstation. When the installation package identifies that a previous version exists, the upgrade occurs. If the installation package identifies that no previous version exists, a full CAPF installation occurs.


Tip If you want to remove the CAPF application before you install a later version, see the "Troubleshooting the CAPF Utility" section on page 5-24.


To upgrade CAPF, perform the following procedure:

Procedure


Step 1 Perform the procedure in the "Downloading the Certificate Authority Proxy Function" section.

Step 2 If the installation package determines that you have installed a previous version of the software, a dialog box indicates that the upgrade updates only the changed files. Click OK.

Step 3 In the CAPF Installation Wizard window, click Next.

Step 4 Enter your full name and name of your organization. Choose who can use this application. Click Next.

Step 5 Choose the location where the files will install. If you want to do so, click Browse to navigate to the location. After you choose the location, click Next.

Step 6 To begin the installation, click Next.

Step 7 Click Finish.


Related Topics

System Requirements, page 1-4

Interactions and Restrictions, page 1-4

Certificate Authority Proxy Function Overview

Downloading the Certificate Authority Proxy Function

Installing the Certificate Authority Proxy Function

Using CAPF to Generate Phone Certificates

Updating CAPF Settings

CAPF Settings and Commands

Troubleshooting, page 5-1

Using CAPF to Generate Phone Certificates

Use Table 3-1 as a reference when you use the CAPF utility.

After you exit the utility, the CAPF utility saves all existing configuration information. You can restart the utility at any time and use the existing configuration information if you enter the appropriate commands from Table 3-1.

Subsequent use of the CAPF utility does not generate a CAPF key pair and certificate; if you want to generate a new CAPF key pair and certificate, you must issue the appropriate command in the CLI. Cisco recommends that you do not generate a new CAPF key pair and certificate unless the key pair or certificate appears compromised or you need to modify the key size that is used by the current key pair.

If you installed multiple CAPF utilities on different servers, be aware that you can only use one utility at a time.

Perform the following procedure to use the Certificate Authority Proxy Function:

Procedure


Step 1 Perform one of the following tasks:

Choose Start > Programs > CAPF.

On the desktop, double-click the CAPF icon.

Step 2 A Command Line Interface displays. Enter your username, as described in Table 3-1.

Step 3 Enter your password, as described in Table 3-1.


Tip CAPF displays the default or existing configured parameters, as described in Table 3-1. If this is the first time that you have used CAPF, the utility automatically generates a 1024-bit key pair and a self-signed certificate for CAPF; the self-signed certificate automatically gets added to C:\Program Files\Cisco\Certificates on all servers in the cluster.

If this is not the first time that you have used CAPF, be aware that a key pair/certificate is not generated unless you enter an explicit command during the configuration.


Step 4 If you want to change the existing parameters that display, for example, the listening port for the phone, enter the appropriate commands, as described in Table 3-1.

Step 5 Update the CTL file with the CAPF information, as described in the "Updating the CTL File" section. Verify that you rebooted the server after you made the updates.


Tip To update the CTL file, you need at least one security token that exists in the CTL file.


Step 6 If the CAPF CLI continues to display, go to Step 10.

Step 7 If the CAPF utility does not display because you rebooted the server after you updated the CTL file, perform one of the following tasks:

Choose Start > Programs > CAPF.

On the desktop, double-click the CAPF icon.

Step 8 A Command Line Interface displays. Enter your username, as described in Table 3-1.

Step 9 Enter your password, as described in Table 3-1.

Step 10 Perform the following tasks, depending on the method for issuing certificates for the phones:

If the CAPF utility will issue the certificates, go to Step 11.

If a Cisco-approved, third-party certificate authority will issue certificates, enter issue cert ca, as described in Table 3-1; press Enter.

Enter set ca-server ip <IP Address of the CA Server>, as described in Table 3-1; press Enter.

Go to Step 11.

Step 11 At the CAPF prompt, enter get phone-info, as described in Table 3-1.

If you add phones to the database after the initial retrieval from the Cisco CallManager database, you must issue this command again.

Step 12 At the CAPF prompt, enter set cert upgrade all, as described in Table 3-1; press Enter.

This command configures all devices for the certificate upgrade. To configure a specific phone for upgrade, issue the following command: set cert upgrade id <device name>

Step 13 At the CAPF prompt, perform the following task, depending on what you want to accomplish:

If you plan to use the authentication string that the get phone-info command creates, go to Step 14.

If you want to generate an authentication string for a specific phone, issue the following command: set auth-string id <device name>


Caution If you want to set the authentication string to Null or if you want to generate new authentication strings, enter the command, set auth-string <id | all > <value> [<type>], at the CAPF prompt; press Enter.

Cisco strongly recommends that you use null authentication only in closed, secure environments.

Step 14 At the next CAPF prompt, enter show auth-string all, as described in Table 3-1; press Enter.

The phone information from the database displays for each phone. If thousands of phones exist in the cluster, the CLI may not display all phones. The CAPF utility logs the phone record information in C:\Program Files\Cisco\CAPF\Trace\CAPF.csv. If you have access to software that converts CSV files, such as Microsoft Excel, you can convert the CAPF.csv file and view the records by using that software. The utility also writes the entries to the log file.

To display a single device name and authentication string, issue the following command: show auth-string id <device name>

Step 15 Determine the phone user that is associated with the Device Name by performing the following procedure:

a. On the server where you installed the CAPF utility, obtain the CSV file, CAPF.csv, from C:\Program Files\Cisco\CAPF\Trace.

b. By using software that converts CSV files, export this file to a format in which you can view the phone record information.

Step 16 Install the locally significant certificate on the phone; see the "Installing the Locally Significant Certificate on Supported Phones" section.
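The CSV review in Steps 14 and 15, as an added example that is not part of the Cisco documentation: it reads CAPF.csv, looks up a device's description and line 1 directory number, and flags phones whose authentication string is empty or shared with another phone. The header names and the sample rows are assumptions constructed for illustration; the page lists the four fields but not the file layout.

```python
import csv
import io
from collections import defaultdict

# Assumed header names. The page names the four fields that CAPF records
# (Device Name, description, directory number for line 1, authentication
# string) but does not document the header row of CAPF.csv.
COLUMNS = {
    "device": "Device Name",
    "description": "Description",
    "dn": "Directory Number",
    "auth": "Auth String",
}

# Constructed sample data, not output from a real CAPF installation.
SAMPLE_CSV = """\
Device Name,Description,Directory Number,Auth String
SEP000000000001,Lobby phone,1001,4821
SEP000000000002,Front desk,1002,
SEP000000000003,Lab bench A,1003,7730
SEP000000000004,Lab bench B,1004,7730
"""


def load_records(text, columns=COLUMNS):
    """Parse CAPF.csv text into a list of dicts keyed by the short names."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in columns.values() if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"CSV is missing expected columns: {missing}")
    return [
        {key: (row[col] or "").strip() for key, col in columns.items()}
        for row in reader
    ]


def locate(records, device_name):
    """Step 15: return description and line 1 DN for a device.

    The authentication string is deliberately left out of the result so that
    the lookup can be shared without exposing the secret.
    """
    for rec in records:
        if rec["device"].lower() == device_name.lower():
            return {k: rec[k] for k in ("device", "description", "dn")}
    return None


def audit(records):
    """Flag records that need review before strings are handed out.

    null_auth   -- devices with an empty authentication string (assumed to be
                   how null authentication appears in the file)
    shared_auth -- groups of devices that carry the same non-empty string,
                   although each phone is expected to have a unique one
    Only device names are reported, never the strings themselves.
    """
    null_auth = sorted(r["device"] for r in records if not r["auth"])
    by_auth = defaultdict(list)
    for rec in records:
        if rec["auth"]:
            by_auth[rec["auth"]].append(rec["device"])
    shared = sorted(sorted(devs) for devs in by_auth.values() if len(devs) > 1)
    return {"null_auth": null_auth, "shared_auth": shared}


if __name__ == "__main__":
    # For a real file: load_records(open(path, newline="").read())
    recs = load_records(SAMPLE_CSV)
    print(locate(recs, "SEP000000000001"))
    print(audit(recs))
```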


Related Topics

System Requirements, page 1-4

Interactions and Restrictions, page 1-4

Certificate Authority Proxy Function Overview

Downloading the Certificate Authority Proxy Function

Installing the Certificate Authority Proxy Function

Upgrading Certificate Authority Proxy Function

Updating CAPF Settings

CAPF Settings and Commands

Updating the CTL File

Troubleshooting, page 5-1

Updating CAPF Settings

Use Table 3-1 as a reference when you update the settings. To update any configured CAPF setting, such as the listening ports for the phone or CTL Provider port, or to generate an updated key pair or CAPF certificate, perform the following procedure:

Procedure


Step 1 Perform one of the following tasks:

Choose Start > Programs > CAPF.

On the desktop, double-click the CAPF icon.

Step 2 A Command Line Interface displays. Enter your username, as described in Table 3-1.

Step 3 Enter your password, as described in Table 3-1.

CAPF displays the default or existing configured parameters, as described in Table 3-1. If this is not the first time that you have used CAPF, be aware that a key pair/certificate is not generated unless you enter an explicit command during the configuration.

Step 4 Enter ? to obtain a list and descriptions of commands that are entered during the configuration; press Enter.

Step 5 Depending on the settings that you want to change or issue, enter the commands that are described in Table 3-1; after you issue each command, press Enter.


Related Topics

System Requirements, page 1-4

Interactions and Restrictions, page 1-4

Certificate Authority Proxy Function Overview

Downloading the Certificate Authority Proxy Function

Installing the Certificate Authority Proxy Function

Upgrading Certificate Authority Proxy Function

Using CAPF to Generate Phone Certificates

CAPF Settings and Commands

Troubleshooting, page 5-1

CAPF Settings and Commands

Table 3-1 contains a list of commands and settings for the CAPF utility.


Tip To display the list of all CAPF commands, enter ? in the CAPF CLI and press Enter.


Table 3-1 CAPF Settings and Commands 

Command/Setting
Description

Username

Enter the Windows login username that has administrative privileges for the server where you installed CAPF.

Password

Enter the password for the username.

Cert Issuing Method

The setting specifies whether you are using CAPF or a third-party certificate authority to issue certificates.

abort cert-upgrade <id | all> <value>

This command aborts the certificate upgrade process for a specific phone or for all phones.

debug capf <events | all | states>

This command enables the following CAPF debugging settings:

debug capf events—This command enables the CAPF event debug tracing for phone to CAPF utility to CA interactions.

debug capf all—This command turns on all debugging capabilities of an accepted level.

debug capf states—This command enables debug tracing for CAPF FSM state transitions.

debug capf <phone-msg | scep-msg> [brief | detail]

This command dumps the decrypted and hexdump messages between CAPF and the phone and/or CAPF and the CA server.

exit

This command allows you to exit from the CAPF CLI.

gen cert

This command generates a new CAPF certificate.

gen key

This command generates a key pair for CAPF.

get phone-info

This command retrieves the directory number for line 1, Device Name, and Description for each Cisco IP Phone 7960 and 7940 in the Cisco CallManager database.

This command generates an authentication string for each phone and saves this string in the CAPF utility.

This command generates a CSV file that is named CAPF.csv. This file, which exists in C:\Program Files\Cisco\CAPF\CAPF\Trace\CAPF.csv, contains all information that the command generates or obtains from the database.

Tip Subsequent issuing of this command causes the CAPF utility to update the information if new or deleted phones exist in the database; the command also generates new authentication strings for new phones and regenerates the CAPF.csv file with the updated information.

help

This command displays help for a command.

help commands

This command displays a list of all commands.

issue cert <self | ca >

This command sets the mode for issuing certificates to either CAPF or the third-party certificate authority server.

set auth-string <id | all > <value> [<type>]

This command sets the authentication string and type.


Caution Only configure null authentication for secure, closed environments. If you do not plan to enter the authentication string on the phone and the phone exists in a secure, closed environment, you can set the type to null-string for null authentication.

set ca-server [user <name> password <passwd>] <IP <address> | DNS <name>>

This command sets the certificate authority server.

set cert <upgrade | fetch | delete> phone <id | all> <value>

This command requests that a certificate be upgraded, requests that a certificate be fetched, or requests that a certificate be deleted.

set config <>

Tip For example, enter Listening port - phone, Listening port - ctl, Key size- phone, or Key size- CAPF.

This command sets CAPF configuration values. Issue this command when you want to change the default values. Default values display between the brackets, [ ].

Tip If you want to change the default settings, enter the command in the CLI, enter the new setting, and press Enter. If you do not want to change the default setting and the setting displays in the CLI, press Enter.

CAPF provides the following commands:

Listening port - phone [3804]:—This command changes the listening port on which the CAPF connects to the phone.

Listening port - ctl [3805]:—This command changes the listening port on which the CAPF connects to the CTL client. When you change the value, update the CTL file with the new value.

Key size- phone [1024]:—This command changes the key size for the phone.

Key size- CAPF [1024]:—This command changes the key size for CAPF.

set config <>

Tip For example, enter Generate cert locally [Y]:.

The command, Generate cert locally [Y]:, generates a local certificate for CAPF.

If you enter N for the command, the CLI prompts you for certificate authority server configuration information.

CA Server- IP/DNS: Enter the IP address or hostname of the CA server.

If you enter Y for the command, Generate cert locally [Y]:, the CLI provides the following prompts:

Get phone records from CCM[Y]: This command provides the same results as the get phone-info command.

Generate auth string [Y]: This command provides the same results as the set auth-string all command.

Set upgrade duration [240]: This command provides the same results as the set upgrade-duration phone <id | all > <value> command.

Select all phones for Upgrade [Y]: This command provides the same results as the set cert upgrade all command.

set key-size <phone | capf> <id |all>] <value>

This command sets the key size for phone/CAPF.

[no] set logging [console | syslog | both] [<filename>]

This command sets where the logging will occur. To disable logging, issue the command, no set logging.

Tip CAPF sets the default setting to console. By default, CAPF enables logging.

set max-retries keygen-poll <value>

This command sets the maximum number of times that CAPF will attempt to poll the phone while in key generation state.

Tip CAPF sets the default to 3. Valid range goes from 1 through 10.

set port < phone | ctl > <value>

This command sets the listening port for the phone and CTL client.

set retry-timer keygen-poll <value>

This command sets the time in minutes for guarding the key generation response from the phone. If the time expires, CAPF restarts the timer, up to the maximum number of attempts that are configured, and then ends the session with the phone.

Tip CAPF sets the default to 30 minutes. Valid range goes from 1 through 30 minutes.

set upgrade-duration phone <id | all > <value>

This command sets the time in hours in which you can perform the phone certificate installation/upgrade. The default duration equals 240 hours. You must perform the certificate installation/upgrade before the duration expires. If you want to increase or decrease the time, enter this command.

show auth-string <all | id> <value>

This command displays the authentication strings that you should enter on the phone to initiate the certificate installation/upgrade.

show capf

This command displays the configured CAPF settings and the status of certificate upgrades that are in progress.

show debug capf

This command shows the debugging that you enabled.

show status phone <[id <value>| all> [pending]

This command displays the status of the phone certificate upgrade. The pending option displays certificate upgrades that are not completed.

show version

This command displays the CAPF version that is installed on the server.

Source <command file>

This command executes user interface (UI) commands from a file. For example, you can copy a set of CAPF commands into a file and all commands execute one after the other. Enter this command when you must repeatedly issue some commands.


Related Topics

Certificate Authority Proxy Function Overview

Downloading the Certificate Authority Proxy Function

Installing the Certificate Authority Proxy Function

Upgrading Certificate Authority Proxy Function

Using CAPF to Generate Phone Certificates

Updating CAPF Settings

CAPF Settings and Commands

Troubleshooting, page 5-1

Installing the Locally Significant Certificate on Supported Phones

After you determine the phone user for the device, you must install the locally significant certificate on the phone.


Timesaver The phone user can perform the following procedure to install the certificate.


Before You Begin

Verify that you updated the Cisco CTL file with the appropriate CAPF information.

Verify that the CAPF certificate exists in the certificate folder on the Cisco CallManager server; on the server, browse to C:\Program Files\Cisco\Certificates.

Verify that you restarted the Cisco CallManager service after the CAPF certificate installation; for information on how to perform this task, refer to the Cisco CallManager Serviceability Administration Guide.

Verify that the server where you installed CAPF is running and functional. Ensure that the server runs for each certificate installation.

Verify that a signed image exists on the phone; refer to Cisco IP Phone Administration Guide for Cisco CallManager, Cisco IP Phone Models 7960G and 7940G.

Obtain the authentication string that the CAPF workstation/server created during the configuration process.


Tip To determine whether you performed a certificate installation on the phone, issue the command, show status phone all, in the CAPF CLI and press Enter.


Procedure


Step 1 Obtain the CAPF authentication string that was set when the CAPF utility was configured.

Step 2 On the Cisco IP Phone 7960 and 7940, press the Settings button to access the Settings menu.

Step 3 Scroll to the Certificate option; press the Select softkey.

Step 4 Scroll to the Update Certificates option; press the Select softkey.

Step 5 Choose the Auth. String option; press the Select softkey.

The phone prompts you for an authentication string.

Step 6 Enter the authentication string for your phone and press the Validat. softkey.

The phone installs, updates, or removes the certificate, depending on the current CAPF configuration.

Monitor the progress of the certificate installation by viewing the messages in the status line on the phone. When the phone successfully completes the process, the phone displays a success message. If the phone displays a failure message, you entered the wrong authentication string or did not enable the phone for upgrade; see the "Troubleshooting" section on page 5-1.

At any time, you can stop the process by choosing the Cancel Operation option on the Certificates menu.

You can verify that the certificate installed on the phone by choosing Settings > Model Information and viewing the LSC setting.



Tip The authentication string is for one-time use only.


Related Topics

System Requirements, page 1-4

Authentication and Integrity Overview

Certificate Authority Proxy Function Overview

CAPF Settings and Commands

Updating the CTL File

Upgrading the Locally Significant Certificate on the Phone

Deleting the Locally Significant Certificate on the Phone

Cisco IP Phone Administration Guide for Cisco CallManager, Cisco IP Phone Models 7960G and 7940G

Upgrading the Locally Significant Certificate on the Phone

The CAPF utility does not upgrade certificates that Cisco manufacturing installed on the phone. The utility only upgrades certificates that the CAPF utility or Cisco-approved, third-party certificate authority issued.

Issuing the appropriate command in the following procedure generates a new authentication string for each phone. The CAPF utility also updates the CSV file with the new information.

Review the "Before You Begin" section because the requirements apply to upgrading the locally significant certificate.

To upgrade a locally significant certificate on the phone, perform the following procedure:

Procedure


Step 1 Perform one of the following tasks:

Choose Start > Programs > CAPF.

On the desktop, double-click the CAPF icon.

Step 2 A Command Line Interface displays. Enter your username, as described in Table 3-1.

Step 3 Enter your password, as described in Table 3-1.

Step 4 At the CAPF prompt, enter the command, set cert upgrade phone <id | all> <value>; press Enter.

Step 5 Perform the procedure in the "Installing the Locally Significant Certificate on Supported Phones" section. This procedure applies to upgrading and installing certificates on the phone.


Related Topics

Certificate Authority Proxy Function Overview

CAPF Settings and Commands

Before You Begin

Installing the Locally Significant Certificate on Supported Phones

Cisco IP Phone Administration Guide for Cisco CallManager, Cisco IP Phone Models 7960G and 7940G

Deleting the Locally Significant Certificate on the Phone

The CAPF utility does not delete certificates that Cisco manufacturing installed on the phone. The utility only deletes certificates that the CAPF utility or Cisco-approved, third-party certificate authority issued.

To delete a locally significant certificate from the phone, issue the deletion command in the CAPF CLI, as described in the following procedure:

Procedure


Step 1 Perform one of the following tasks:

Choose Start > Programs > CAPF.

On the desktop, double-click the CAPF icon.

Step 2 A Command Line Interface displays. Enter your username, as described in Table 3-1.

Step 3 Enter your password, as described in Table 3-1.

Step 4 At the CAPF prompt, enter the command, set cert delete phone <id | all> <value>; press Enter.

Step 5 If you used a Cisco-approved, third-party certificate authority to issue the certificates, verify that the certificate authority revoked the certificate. Contact the third-party certificate authority vendor for information on how to perform this task.


Related Topics

Certificate Authority Proxy Function Overview

CAPF Settings and Commands

Installing the Locally Significant Certificate on Supported Phones

Cisco IP Phone Administration Guide for Cisco CallManager, Cisco IP Phone Models 7960G and 7940G