Cisco CallManager Security Guide, Release 4.1(2)
Using the Certificate Authority Proxy Function


This chapter provides information on the following topics:

Certificate Authority Proxy Function Overview

Cisco IP Phone and CAPF Interaction

CAPF System Interactions and Requirements

Migrating Existing CAPF Data

Configuring CAPF in Cisco CallManager Serviceability

CAPF Configuration Checklist

Copying CAPF 1.0(1) Data From a 4.0 Subscriber Server to the 4.0 Publisher Database Server

Activating the Certificate Authority Proxy Function Service

Updating CAPF Service Parameters

Updating CAPF Enterprise Parameters

CAPF Service Parameters

Installing/Upgrading the Locally Significant Certificates

Deleting the Locally Significant Certificate

CAPF Settings in the Phone Configuration Window

Using CAPF with the Bulk Administration Tool

Generating a CAPF Report

Finding Phones by Choosing the LSC Status

Entering the Authentication String on the Phone

Certificate Authority Proxy Function Overview

Certificate Authority Proxy Function (CAPF), which automatically installs with Cisco CallManager, performs the following tasks, depending on your configuration:

Issue locally significant certificates to supported Cisco IP Phone models.

Using SCEP, request certificates from third-party certificate authorities on behalf of supported Cisco IP Phone models.

Upgrade existing locally significant certificates on the phones.

Retrieve phone certificates for viewing and troubleshooting.

Delete locally significant certificates on the phone.

Authenticate via the manufacture-installed certificate.

After you activate the Cisco Certificate Authority Proxy Function service, CAPF automatically generates a key pair and certificate that is specific for CAPF. The CAPF certificate, which the Cisco CTL Client copies to all servers in the cluster, uses the .0 extension. To verify that the CAPF certificate exists, browse to C:\Program Files\Cisco\Certificates on each server and locate the following files:

In DER encoded format—CAPF.cer

In PEM encoded format—a .0 extension file that contains the same common name string as CAPF.cer

Related Topics

CAPF System Interactions and Requirements

CAPF Configuration Checklist

Cisco IP Phone and CAPF Interaction

When the phone interacts with CAPF, the phone generates its public key and private key pair and then forwards its public key to the CAPF server in a signed message. The private key remains in the phone and is never exposed externally. Depending on the configuration in Cisco CallManager Administration, CAPF may sign the phone certificate or may act as a SCEP protocol proxy to the third-party, Cisco-approved CA server to sign the phone certificate. CAPF then sends the certificate back to the phone in a signed message.

The following information applies when a communication or power failure occurs.

If a communication failure occurs while the certificate installation is taking place on the phone, the phone will attempt to obtain the certificate three more times in 30-second intervals. You cannot configure these values.

If a power failure occurs while the phone attempts a session with CAPF, and the phone cannot load the new configuration file from the TFTP server after it reboots, the phone uses the authentication mode that is stored in flash. After the certificate operation completes, the system clears the value in flash.


Tip Be aware that the phone user can abort the certificate operation or view the operation status on the phone.


Related Topics

CAPF System Interactions and Requirements

CAPF Configuration Checklist

Cisco IP Phone Administration Guide for Cisco CallManager

CAPF System Interactions and Requirements

The following requirements exist for CAPF:

Before you upgrade to Cisco CallManager 4.1, review the following sections:

Migrating Existing CAPF Data

Copying CAPF 1.0(1) Data From a 4.0 Subscriber Server to the 4.0 Publisher Database Server

Before you use CAPF, ensure that you performed all necessary tasks to install and configure the Cisco CTL client. To use CAPF, you must activate the Cisco Certificate Authority Proxy Function service on the publisher database server.

Cisco strongly recommends that you use CAPF during a scheduled maintenance window because generating many certificates at the same time may cause call-processing interruptions.

All servers in the Cisco CallManager 4.1 cluster must use the same administrator username and password, so CAPF can authenticate to all servers in the cluster.

Ensure that the publisher database server is functional and running during the entire certificate operation.

Ensure that the phone is functional during the entire certificate operation.

You can use Microsoft Certificate Services with CAPF if the Microsoft Certificate Services software runs on a Windows 2003 server. For information on how to use this software or for troubleshooting support, contact the certificate authority vendor directly.

If CAPF will request certificates from Microsoft Certificate Services, you must enter the necessary configuration information, for example, the IP address or hostname, for this certificate authority in the applicable CAPF service parameter.

If you plan to use Microsoft Certificate Services, you must install the SCEP addon on the server where you install Microsoft Certificate Services. To obtain the SCEP addon, contact the certificate authority vendor directly.


Tip Before you use a third-party certificate authority (CA) with CAPF, review the certificate authority vendor documentation to ensure that no limitations exist that may affect the ability to issue certificates.


You can use the Keon Utility to generate certificates for CAPF. You must enter the necessary configuration information, for example, the IP address or hostname, for this certificate authority in the applicable CAPF service parameter. You must also provide the Keon Jurisdiction ID in the appropriate service parameter field.

For information on how to use the Keon software or for troubleshooting support, contact the certificate authority vendor directly.

To use the Keon Utility or Microsoft Certificate Services with CAPF, you must define the following Object IDs. For information on how to use the following settings, refer to the certificate authority vendor documentation.

(1.3.6.1.5.5.7.3.1) Server SSL/TLS authentication

(1.3.6.1.5.5.7.3.2) Client SSL/TLS authentication

(1.3.6.1.5.5.7.3.5) IPSec end system authentication


Tip Cisco IP Telephony Backup and Restore System (BARS) backs up the CAPF data and reports because Cisco CallManager stores the information in the Cisco CallManager database.


Related Topics

Certificate Authority Proxy Function Overview

CAPF System Interactions and Requirements

Migrating Existing CAPF Data

CAPF Configuration Checklist

Configuring CAPF in Cisco CallManager Serviceability

You perform the following tasks in Cisco CallManager Serviceability:

Activate the Cisco Certificate Authority Proxy Function service.

Configure trace settings for CAPF.

Related Topics

Cisco CallManager Serviceability Administration Guide

Cisco CallManager Serviceability System Guide

Migrating Existing CAPF Data


Caution Failing to perform the tasks that are described in this section may cause a loss of CAPF data.

Review the following details before you install or overwrite a locally significant certificate:

Upgrades from Cisco CallManager 4.0 where CAPF was installed on the Cisco CallManager 4.0 publisher database server—If you performed certificate operations with Cisco CallManager 4.0 and CAPF 1.0(1) ran on the publisher database server, the latest operation status migrates to the Cisco CallManager 4.1 database.

Upgrades from Cisco CallManager where CAPF was installed on a Cisco CallManager 4.0 subscriber server—If you performed certificate operations with Cisco CallManager 4.0 and CAPF 1.0(1) ran on a subscriber server, you must copy the CAPF data to the 4.0 publisher database server before you upgrade the cluster to Cisco CallManager 4.1.


Caution If you fail to copy the data prior to the Cisco CallManager 4.1 upgrade, the CAPF data on the Cisco CallManager 4.0 subscriber server does not migrate to the Cisco CallManager 4.1 database, and a loss of data may occur. If a loss of data occurs, the locally significant certificates that you issued with CAPF utility 1.0(1) remain in the phones but are no longer valid; CAPF 4.1(2) must reissue them.

Upgrades from one release of Cisco CallManager 4.1(x) to a later release of Cisco CallManager 4.1(x)—The upgrade automatically migrates the CAPF data.

Related Topics

Certificate Authority Proxy Function Overview

CAPF System Interactions and Requirements

CAPF Configuration Checklist

Copying CAPF 1.0(1) Data From a 4.0 Subscriber Server to the 4.0 Publisher Database Server

CAPF Configuration Checklist

Table 4-1 provides a list of tasks that you perform to install, upgrade, delete or troubleshoot locally significant certificates.

Table 4-1 CAPF Configuration Checklist 

Configuration Steps
Related Procedures and Topics

Step 1 

Determine whether a locally significant certificate exists in the phone.

Determine whether you need to copy CAPF 1.0(1) data to the Cisco CallManager 4.1(2) publisher database server.

Verifying That a Manufactured-Installed Certificate (MIC) Exists in the Phone

Verifying That a Locally Significant Certificate Exists on the Phone

Migrating Existing CAPF Data

Copying CAPF 1.0(1) Data From a 4.0 Subscriber Server to the 4.0 Publisher Database Server

Step 2 

If you used the CAPF utility with Cisco CallManager 4.0 and verified that the CAPF data exists in the Cisco CallManager 4.1 database, delete the CAPF utility that you used with Cisco CallManager 4.0.

Choose Settings > Control Panel. Double-click Add/Remove Programs and locate the utility. Remove the utility.

Step 3 

Verify that the Cisco Certificate Authority Proxy Function service is running.

Tip This service must run during all CAPF operations. It must also run for the Cisco CTL client to include the CAPF certificate in the CTL file.

Activating the Certificate Authority Proxy Function Service

Step 4 

Verify that you performed all necessary tasks to install and configure the Cisco CTL client. Ensure that the CAPF certificate exists in the Cisco CTL file.

Configuring the Cisco CTL Client

Step 5 

If necessary, update CAPF service parameters.

Updating CAPF Service Parameters

CAPF Service Parameters

Step 6 

To install, upgrade, delete, or troubleshoot locally significant certificates in the phone, use Cisco CallManager Administration or BAT.

Installing/Upgrading the Locally Significant Certificates

CAPF Settings in the Phone Configuration Window

Using CAPF with the Bulk Administration Tool

Step 7 

To view a list of devices that use CAPF, generate a CAPF report in Cisco CallManager Administration.

Generating a CAPF Report

Step 8 

If it is required for certificate operations, enter the authentication string on the phone.

Entering the Authentication String on the Phone

Step 9 

Verify that the certificate operation succeeded as planned.

Verifying That a Locally Significant Certificate Exists on the Phone

Verifying That a Manufactured-Installed Certificate (MIC) Exists in the Phone

Copying CAPF 1.0(1) Data From a 4.0 Subscriber Server to the 4.0 Publisher Database Server


Caution If you installed CAPF utility 1.0(1) on a Cisco CallManager 4.0 subscriber server, you must copy the CAPF data to the 4.0 publisher database server before you upgrade to Cisco CallManager 4.1. Failing to perform this task causes a loss of CAPF data; for example, you may lose the phone record files in C:\Program Files\Cisco\CAPF\CAPF.phone. If a loss of data occurs, the locally significant certificates that you issued with CAPF utility 1.0(1) remain in the phones; CAPF 4.1(2) must reissue the certificates, which are not valid.

Use the following procedure in conjunction with the "Migrating Existing CAPF Data" section. To copy the files, perform the following procedure:

Procedure


Step 1 Copy the files in Table 4-2 from the machine where CAPF 1.0 is installed to the publisher database server where Cisco CallManager 4.0 is installed:

Table 4-2 Copy From Server to Server

Files to copy, from the machine where CAPF 1.0 is installed, to the publisher database server where Cisco CallManager 4.0 is installed:

*.0: from C:\Program Files\Cisco\CAPF to C:\Program Files\Cisco\Certificates

CAPF.phone: from C:\Program Files\Cisco\CAPF to C:\Program Files\Cisco\CAPF

CAPF.cfg files: from C:\Program Files\Cisco\CAPF to C:\Program Files\Cisco\CAPF


Step 2 Upgrade every server in the cluster to Cisco CallManager 4.1.

Step 3 After you upgrade the cluster to Cisco CallManager 4.1, upgrade the Cisco CTL client, and run it before you use the phones. The Cisco CTL client will copy the CAPF certificate to all the servers in the cluster.

Step 4 Delete the CAPF utility that you used with Cisco CallManager 4.0. See Table 4-1.


Related Topics

Certificate Authority Proxy Function Overview

CAPF System Interactions and Requirements

Migrating Existing CAPF Data

CAPF Configuration Checklist

Activating the Certificate Authority Proxy Function Service

Cisco CallManager 4.1 does not automatically activate the Certificate Authority Proxy Function service in Cisco CallManager Serviceability.

Activate this service only on the publisher database server. If you did not activate this service before you installed and configured the Cisco CTL client, you must update the CTL file, as described in the "Updating the CTL File" section.

To activate the service, perform the following procedure:

Procedure


Step 1 In Cisco CallManager Serviceability, choose Tools > Service Activation.

Step 2 In the pane on the left side of the window, choose the publisher database server.

Step 3 Check the Certificate Authority Proxy Function service check box.

Step 4 Click Update.


Related Topics

CAPF Configuration Checklist

Cisco CallManager Serviceability Administration Guide

Cisco CallManager Serviceability Service Guide

Updating CAPF Service Parameters

If you use Microsoft Certificate Services or Keon Utility to generate certificates, you must update some CAPF service parameters in Cisco CallManager Administration.

The CAPF Service Parameter window also provides information on the number of years that the certificate is valid, the maximum number of times that the system retries to generate the key, the key size, and so on.

Before the CAPF service parameters display in Cisco CallManager Administration, you must activate the Certificate Authority Proxy Function service, as described in the "Activating the Certificate Authority Proxy Function Service" section.

To update the CAPF service parameters, perform the following procedure:

Procedure


Step 1 In Cisco CallManager Administration, choose Service > Service Parameter.

Step 2 From the Server drop-down list box, choose the publisher database server.

Step 3 From the Service drop-down list box, choose the Cisco Certificate Authority Proxy Function service.

Step 4 Update the CAPF service parameters, as described in Table 4-3.

Step 5 For the changes to take effect, restart the Cisco Certificate Authority Proxy Function service.


Related Topics

Certificate Authority Proxy Function Overview

CAPF System Interactions and Requirements

CAPF Configuration Checklist

Activating the Certificate Authority Proxy Function Service

CAPF Service Parameters

CAPF Service Parameters

Use Table 4-3 in conjunction with the "Updating CAPF Service Parameters" section.

Table 4-3 CAPF Service Parameters 

Parameter
Description

Certificate Issuer

From the drop-down list box, choose the entity that will issue the locally significant certificate.

Tip If you update this field, you must use the Cisco CTL client to update the CTL file.

Duration of Certificate Validity (years)

This field specifies the number of years that the locally significant certificate is valid.

A third-party certificate issuer, such as Keon or Microsoft Certificate Services, may have established a different value for this field. The value that these issuers establish does not display in this field. Contact the certificate issuer for more information on the duration of the certificate validity.

Key Size (bits)

This field specifies the key size that CAPF will use to generate the CAPF public and private keys.

Maximum Allowable Time for Key Generation (minutes)

This field specifies the number of minutes during which CAPF attempts to generate the CAPF keys. This parameter also specifies the maximum number of minutes that CAPF waits for a phone to complete the key-generation process.

Maximum Allowable Attempts for Key Generation

This field specifies the maximum number of attempts that CAPF tries to generate the CAPF keys. This parameter also specifies the maximum number of attempts in which the phone can generate the corresponding keys.

Keon Jurisdiction ID

This field specifies the Jurisdiction ID that you use with the Keon Utility.

SCEP Port Number

This field specifies the SCEP port number for the CAPF server.

Certificate Authority Address

Enter the IP address of the server where you installed the Microsoft Certificate Services or Keon Utility.

If you chose the Cisco Certificate Authority Proxy Server from the Certificate Generation Method drop-down list box, you do not need to enter the IP address of the CAPF server.


Related Topics

Certificate Authority Proxy Function Overview

CAPF System Interactions and Requirements

CAPF Configuration Checklist

Activating the Certificate Authority Proxy Function Service

Updating CAPF Service Parameters

Updating CAPF Enterprise Parameters

The enterprise parameters in Table 4-4 support CAPF. To access the parameters in Cisco CallManager Administration, choose System > Enterprise Parameters.


Tip For the changes to take effect, you must reset the phones after you update the parameters.


Table 4-4 CAPF Enterprise Parameters 

Parameter
Description

CAPF Phone Port

This parameter specifies the port that the Cisco Certificate Authority Proxy Function service uses to request a certificate from the phone. You must restart the Cisco Certificate Authority Proxy Function service for the change to take effect.

CAPF Operation Expires in (days)

This parameter, which affects all phones that use CAPF, specifies the number of days in which you must complete any CAPF operation; for example, troubleshooting, installing/upgrading, or deleting certificates.


Related Topics

Certificate Authority Proxy Function Overview

CAPF System Interactions and Requirements

CAPF Configuration Checklist

Activating the Certificate Authority Proxy Function Service

Updating CAPF Service Parameters

Installing/Upgrading the Locally Significant Certificates

Use Table 4-5 as a reference when you use CAPF.

Perform the following procedure to use the Certificate Authority Proxy Function:

Procedure


Step 1 In Cisco CallManager Administration, choose Device > Phone.

Step 2 Find the phone where you want to install, upgrade, delete, or troubleshoot the certificate. For information on finding a phone, refer to the Cisco CallManager Administration Guide.

Step 3 Enter the configuration settings, as described in Table 4-5.

Step 4 Click Update.

Step 5 Click Reset Phone.

Step 6 If you chose the Install/Upgrade Certificate Operation option and the By Authentication String mode option, you must enter the authentication string on the phone. For information on how to perform this task, see the "Entering the Authentication String on the Phone" section.


Related Topics

Certificate Authority Proxy Function Overview

CAPF System Interactions and Requirements

CAPF Configuration Checklist

CAPF Settings in the Phone Configuration Window

Using CAPF with the Bulk Administration Tool

Entering the Authentication String on the Phone

Deleting the Locally Significant Certificate

CAPF does not delete certificates that Cisco manufacturing installed in the phone. CAPF only deletes certificates that CAPF or the Cisco-approved, third-party certificate authority issued.


Caution If the phone does not contain a manufacture-installed certificate (MIC), you must change the device security mode to nonsecure for the phone before you delete the LSC. If you delete the certificate before you change the device security mode, the phone cannot register to Cisco CallManager. For information on changing the device security mode, see the "Configuring the Phones for Security" section.

To delete the certificate from Cisco CallManager Administration instead of from the phone, perform the following procedure:

Procedure


Step 1 In Cisco CallManager Administration, choose Device > Phone.

Step 2 Find the phone where you want to delete the locally significant certificate. For information on how to find a phone that uses CAPF, refer to the Cisco CallManager Administration Guide.

Step 3 From the Certificate Operation drop-down list box, choose the Delete option.

Step 4 Click Update.

Step 5 Click Reset Phone.

Step 6 If you chose the By Authentication String mode, the user must enter the string to revoke the certificate.

Step 7 If you used a Cisco-approved, third-party certificate authority to issue the certificates, verify that the certificate authority revoked the certificate. Contact the third-party certificate authority vendor for information on how to perform this task.

After the certificate authority deletes the certificate from the phone, the Operation Status field in the Phone Configuration window displays Delete Success.


Related Topics

Certificate Authority Proxy Function Overview

CAPF System Interactions and Requirements

Migrating Existing CAPF Data

Activating the Certificate Authority Proxy Function Service

Updating CAPF Service Parameters

CAPF Service Parameters

Installing/Upgrading the Locally Significant Certificates

CAPF Settings in the Phone Configuration Window

Using CAPF with the Bulk Administration Tool

Entering the Authentication String on the Phone

Deleting the Locally Significant Certificate

CAPF Settings in the Phone Configuration Window

Table 4-5 describes the CAPF settings in the Phone Configuration window in Cisco CallManager Administration.

Table 4-5 CAPF Configuration Settings 

Setting
Description

Certificate Operation

From the drop-down list box, choose one of the following options:

No Pending Operation—Displays when no certificate operation is occurring. (default setting)

Install/Upgrade—Installs a new or upgrades an existing locally significant certificate in the phone.

Delete—Deletes the locally significant certificate that exists in the phone.

Troubleshoot—Retrieves the locally significant certificate (LSC) or the manufacture-installed certificate (MIC), so you can view the certificate credentials in the CAPF trace file. If both certificate types exist in the phone, Cisco CallManager creates two trace files, one for each certificate type.

By choosing the Troubleshoot option, you can verify that an LSC or MIC exists in the phone.

Authentication Mode

This field allows you to choose the method by which you want the phone to authenticate with CAPF. Use this field if you want to install/upgrade, delete, or troubleshoot a locally significant certificate or authenticate by a manufacture-installed certificate. From the drop-down list box, choose one of the following options:

By Authentication String—Installs/upgrades, deletes, or troubleshoots a locally significant certificate only when the user enters the CAPF authentication string on the phone.

By Null String—Automatically installs/upgrades, deletes, or troubleshoots a locally significant certificate without user intervention.

This option provides no security; Cisco strongly recommends that you choose this option only for closed, secure environments.

By Existing Certificate (Precedence to LSC)—Automatically installs/upgrades, deletes, or troubleshoots a locally significant certificate if a manufacture-installed certificate (MIC) or locally significant certificate (LSC) exists in the phone. If an LSC exists in the phone, authentication occurs via the LSC, regardless of whether a MIC exists in the phone. If a MIC and an LSC both exist in the phone, authentication occurs via the LSC. If an LSC does not exist in the phone but a MIC does exist, authentication occurs via the MIC.

Before you choose this option, verify that a certificate exists in the phone. If you choose this option and no certificate exists in the phone, the operation fails.

At any time, the phone uses only one certificate to authenticate to CAPF even though a MIC and LSC can exist in the phone at the same time. If the primary certificate, which takes precedence, becomes compromised for any reason, or, if you want to authenticate via the other certificate, you must update the authentication mode.

By Existing Certificate (Precedence to MIC)—Automatically installs/upgrades, deletes, or troubleshoots a locally significant certificate if an LSC or MIC exists in the phone. If a MIC exists in the phone, authentication occurs via the MIC, regardless of whether an LSC exists in the phone. If an LSC exists in the phone but a MIC does not exist, authentication occurs via the LSC.

Before you choose this option, verify that a certificate exists in the phone. If you choose this option and no certificate exists in the phone, the operation fails.

Authentication String

If you chose the By Authentication String option, this field applies. Manually enter a string or generate a string by clicking the Generate String button. Ensure that the string contains 4 to 10 digits.

To install, upgrade, delete, or troubleshoot a locally significant certificate, the phone user or administrator must enter the authentication string on the phone.

Generate String

If you want CAPF to automatically generate an authentication string, click this button. The 4- to 10-digit authentication string displays in the Authentication String field.

Key Size (bits)

From the drop-down list box, choose the key size for the certificate. The default setting equals 1024. Other options include 512 and 2048.

If you choose a higher key size than the default setting, the phones take longer to generate the entropy that is required to generate the keys.

Operation Completes by

This field, which supports the Install/Upgrade, Delete, and Troubleshoot Certificate Operation options, specifies the date and time by which you must complete the operation.

The values that display apply for the publisher database server.

Operation Status

This field displays the progress of the certificate operation; for example, <operation type> pending, failed, or successful, where operation type equals the Install/Upgrade, Delete, or Troubleshoot Certificate Operation option. You cannot change the information that displays in this field.
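The Authentication Mode precedence rules and the 4- to 10-digit, one-time authentication string described in Table 4-5 can be modeled in a few lines. The following Python is an added example written for this page, not Cisco code: the mode names are those shown in the table, while generate_auth_string, select_credential and OneTimeAuthString are hypothetical helpers, and the choice to consume the string only on a successful submission is an assumption the page does not settle.

```python
import hmac
import re
import secrets

# Authentication Mode values as they appear in the Phone Configuration window (Table 4-5).
BY_AUTH_STRING = "By Authentication String"
BY_NULL_STRING = "By Null String"
BY_EXISTING_LSC = "By Existing Certificate (Precedence to LSC)"
BY_EXISTING_MIC = "By Existing Certificate (Precedence to MIC)"

# Table 4-5: the authentication string must contain 4 to 10 digits.
AUTH_STRING_RE = re.compile(r"[0-9]{4,10}")


def is_valid_auth_string(value: str) -> bool:
    """True if the string is exactly 4 to 10 decimal digits and nothing else."""
    return AUTH_STRING_RE.fullmatch(value) is not None


def generate_auth_string(length: int = 10) -> str:
    """Hypothetical stand-in for the Generate String button: digits from a CSPRNG.

    Ten digits is the longest the field accepts and gives the most entropy
    (about 33 bits), so it is the default here.
    """
    if not 4 <= length <= 10:
        raise ValueError("authentication string must be 4 to 10 digits long")
    return "".join(secrets.choice("0123456789") for _ in range(length))


def select_credential(mode: str, has_lsc: bool, has_mic: bool) -> str:
    """Return which credential the phone uses to authenticate to CAPF.

    Encodes the precedence text of Table 4-5: in the two 'By Existing
    Certificate' modes the phone presents exactly one certificate, and if
    no certificate exists in the phone the operation fails.
    """
    if mode == BY_AUTH_STRING:
        return "AUTH_STRING"
    if mode == BY_NULL_STRING:
        return "NONE"          # no authentication at all; see the Table 4-5 warning
    if mode == BY_EXISTING_LSC:
        if has_lsc:
            return "LSC"       # LSC wins regardless of whether a MIC exists
        if has_mic:
            return "MIC"
        raise LookupError("no LSC or MIC exists in the phone; operation fails")
    if mode == BY_EXISTING_MIC:
        if has_mic:
            return "MIC"       # MIC wins regardless of whether an LSC exists
        if has_lsc:
            return "LSC"
        raise LookupError("no LSC or MIC exists in the phone; operation fails")
    raise ValueError(f"unknown authentication mode: {mode!r}")


class OneTimeAuthString:
    """Models the rule that the authentication string applies for one-time use only.

    Assumption (not stated on the page): a wrong entry does not consume the
    string; only a successful submission does.
    """

    def __init__(self, expected: str) -> None:
        if not is_valid_auth_string(expected):
            raise ValueError("authentication string must be 4 to 10 digits")
        self._expected = expected
        self._used = False

    def submit(self, entered: str) -> bool:
        """Return True once for the correct string; False for wrong or reused strings."""
        if self._used:
            return False
        # Constant-time comparison avoids leaking how many leading digits matched.
        ok = hmac.compare_digest(self._expected.encode(), entered.encode())
        if ok:
            self._used = True
        return ok
```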


Related Topics

Certificate Authority Proxy Function Overview

CAPF System Interactions and Requirements

CAPF Configuration Checklist

Installing/Upgrading the Locally Significant Certificates

Using CAPF with the Bulk Administration Tool

Entering the Authentication String on the Phone

Deleting the Locally Significant Certificate

Using CAPF with the Bulk Administration Tool

If you want to install, upgrade, delete, or troubleshoot many locally significant certificates at the same time, you must use the Cisco Bulk Administration Tool that is compatible with the version of Cisco CallManager that runs in the cluster.

Before you use BAT to install or delete certificates, you must activate the Cisco Certificate Authority Proxy Function service.

Cisco strongly recommends that you install certificates during a scheduled maintenance window because generating certificates may cause call-processing interruptions.

Related Topics

CAPF Configuration Checklist

Activating the Certificate Authority Proxy Function Service

Bulk Administration Tool User Guide

Generating a CAPF Report

In Cisco CallManager Administration, you can generate a CAPF report to view the certificate operation status, to view the authentication strings, or to view the authentication mode for listed devices. After you generate the CAPF report, you can view the report in a CSV file.

To generate a CAPF report, perform the following procedure:

Procedure


Step 1 In Cisco CallManager Administration, choose Device > Device Settings > CAPF Report.

Step 2 To find the devices that you want to display in the report, choose the criteria from the Find/List drop-down list boxes.

Step 3 Click Find.

A list of devices displays.

Step 4 To view the CAPF report in a CSV file, click the View the Report in File link in the upper right corner of the window.

Step 5 Optionally, save the CSV file to a secure location and modify it as needed.
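Once the report is saved as a CSV file, it can be audited offline for the conditions this chapter warns about: phones left in the By Null String mode, authentication strings outside the 4- to 10-digit range, failed operations, and operations still pending after their Operation Completes by date. The following Python is an added example for this page, not Cisco code; the column names, the date format and the sample rows are constructed for the example, since the page does not document the report's exact layout.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample of a saved CAPF report. Column names and the date format
# are assumptions for this example; check them against your own exported file.
SAMPLE_REPORT = """Device Name,Authentication Mode,Authentication String,Operation Status,Operation Completes by
SEP001122334455,By Authentication String,482913,Install/Upgrade pending,2005-03-01 17:00
SEP001122334466,By Null String,,Install/Upgrade successful,2005-03-01 17:00
SEP001122334477,By Existing Certificate (Precedence to LSC),,Install/Upgrade failed,2005-03-01 17:00
SEP001122334488,By Authentication String,12,Install/Upgrade pending,2005-03-01 17:00
SEP001122334499,By Authentication String,9081726354,Delete successful,2005-02-01 09:00
"""

DATE_FORMAT = "%Y-%m-%d %H:%M"   # assumed format of the Operation Completes by column


def audit_capf_report(csv_text: str, now: datetime) -> list:
    """Return (device name, finding) pairs for every row that needs attention.

    Checks follow Tables 4-4 and 4-5 and the CAPF report description:
    - By Null String provides no security, so every such phone is reported;
    - an authentication string must be 4 to 10 digits;
    - an Operation Status of '<operation type> failed' is reported as-is;
    - a still-pending operation whose Operation Completes by time has passed
      will not run and must be rescheduled.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Device Name"]
        mode = row["Authentication Mode"]
        status = row["Operation Status"]

        if mode == "By Null String":
            findings.append((name, "By Null String mode provides no security"))

        if mode == "By Authentication String" and not re.fullmatch(
            r"[0-9]{4,10}", row["Authentication String"]
        ):
            findings.append((name, "authentication string is not 4 to 10 digits"))

        if status.endswith("failed"):
            findings.append((name, f"operation failed: {status}"))

        deadline = datetime.strptime(row["Operation Completes by"], DATE_FORMAT)
        if status.endswith("pending") and now > deadline:
            findings.append((name, "operation still pending after Operation Completes by"))
    return findings


def devices_with_findings(csv_text: str, now: datetime) -> set:
    """Convenience wrapper: the set of device names that have at least one finding."""
    return {name for name, _ in audit_capf_report(csv_text, now)}


if __name__ == "__main__":
    for device, finding in audit_capf_report(SAMPLE_REPORT, datetime(2005, 3, 2, 0, 0)):
        print(f"{device}: {finding}")
```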


Related Topics

Certificate Authority Proxy Function Overview

CAPF System Interactions and Requirements

CAPF Configuration Checklist

CAPF Settings in the Phone Configuration Window

Entering the Authentication String on the Phone

Finding Phones by Choosing the LSC Status

For information on how to find and list phones by choosing the LSC Status, see the "Finding Phones for Authentication, Encryption, and LSC Status" section.

Related Topics

CAPF Configuration Checklist

Troubleshooting

Entering the Authentication String on the Phone

If you chose the By Authentication String mode and generated an authentication string in Cisco CallManager, you must enter the authentication string on the phone before the locally significant certificate installation occurs.


Tip The phone user can perform the following procedure to install the certificate. The authentication string applies for one-time use only.


Before You Begin

Verify that the CAPF certificate exists in the CTL file.

Verify that the CAPF certificate exists in the certificate folder on the Cisco CallManager server; on the server, browse to C:\Program Files\Cisco\Certificates.

Verify that you activated the Cisco Certificate Authority Proxy Function service, as described in the "Activating the Certificate Authority Proxy Function Service" section.

Verify that the publisher database server is functional and running. Ensure that the server runs for each certificate installation.

Verify that a signed image exists on the phone; refer to the Cisco IP Phone administration documentation that supports your phone model.

Obtain the authentication string that displays in the Phone Configuration window or in the CAPF Report window.

Procedure


Step 1 For the device, obtain the CAPF authentication string from the Phone Configuration window or the CAPF Report window.

Step 2 Verify that the device registers with Cisco CallManager.

Step 3 Verify that the device security mode equals Nonsecure.

Step 4 On nonsecure Cisco IP Phone models 7970, 7960, or 7940, press the Settings button.

Step 5 On the Settings menu, scroll to the Security Configuration option; press the Select softkey.


Tip If the phone menu is locked, press **# to unlock the menu.


Step 6 Scroll to the LSC option; press the Update softkey.

Step 7 Enter the 4- to 10-digit authentication string for the phone and press Submit.


Tip If you need to change the authentication string before you press Submit, press <<.


The phone installs, updates, deletes, or fetches the certificate, depending on the current CAPF configuration.

Monitor the progress of the certificate operation by viewing the messages that display on the phone. After you press Submit, the message, Pending, displays under the LSC option. The phone generates the public key and private key pair and displays the information on the phone. When the phone successfully completes the process, the phone displays a successful message. If the phone displays a failure message, you entered the wrong authentication string or did not enable the phone for upgrade; see the "Troubleshooting" section.

At any time, you can stop the process by choosing the Stop option.

You can verify that the certificate installed on the phone by choosing Settings > Model Information and viewing the LSC setting, which indicates Installed or Not Installed.


Related Topics

CAPF Configuration Checklist

CAPF Settings in the Phone Configuration Window

Using CAPF with the Bulk Administration Tool

Entering the Authentication String on the Phone

Deleting the Locally Significant Certificate

Cisco IP Phone Administration Guide for Cisco CallManager, Cisco IP Phone Models 7960G and 7940G