Cisco Unified CallManager Security Guide, Release 4.2(1)
Using the Certificate Authority Proxy Function

Using the Certificate Authority Proxy Function


This chapter provides information on the following topics:

Certificate Authority Proxy Function Overview

Cisco IP Phone and CAPF Interaction

CAPF System Interactions and Requirements

Migrating Existing CAPF Data

Configuring CAPF in Cisco CallManager Serviceability

CAPF Configuration Checklist

Copying CAPF 1.0(1) Data from a 4.0 Subscriber Server to the 4.0 Publisher Database Server

Activating the Certificate Authority Proxy Function Service

Updating CAPF Service Parameters

Updating CAPF Enterprise Parameters

Installing/Upgrading the Locally Significant Certificates

Deleting the Locally Significant Certificate

CAPF Settings in the Phone Configuration Window

Using CAPF with the Bulk Administration Tool

Generating a CAPF Report

Finding Phones by Choosing the LSC Status

Entering the Authentication String on the Phone

Certificate Authority Proxy Function Overview

Certificate Authority Proxy Function (CAPF), which automatically installs with Cisco CallManager, performs the following tasks, depending on your configuration:

Issue locally significant certificates to supported Cisco IP Phone models.

Using SCEP, request certificates from third-party certificate authorities on behalf of supported Cisco IP Phone models.

Upgrade existing locally significant certificates on the phones.

Retrieve phone certificates for viewing and troubleshooting.

Delete locally significant certificates on the phone.

Authenticate phones via the manufacture-installed certificate (MIC).

After you activate the Cisco Certificate Authority Proxy Function service, CAPF automatically generates a key pair and certificate that is specific for CAPF. The CAPF certificate, which the Cisco CTL Client copies to all servers in the cluster, uses the .0 extension. To verify that the CAPF certificate exists, browse to C:\Program Files\Cisco\Certificates on each server and locate the following files:

In DER encoded format—CAPF.cer

In PEM encoded format—.0 extension file that contains the same common name string as the CAPF.cer

Related Topics

CAPF System Interactions and Requirements

CAPF Configuration Checklist

Cisco IP Phone and CAPF Interaction

When the phone interacts with CAPF, the phone generates its public key and private key pair and then forwards its public key to the CAPF server in a signed and encrypted message. The private key remains in the phone and is never exposed externally. Depending on the configuration in Cisco CallManager Administration, CAPF may sign the phone certificate or may act as a SCEP protocol proxy to the third-party, Cisco-approved CA server to sign the phone certificate. CAPF then sends the certificate back to the phone in a signed and encrypted message.

The following information applies when a communication or power failure occurs.

If a communication failure occurs while the certificate installation is taking place on the phone, the phone will attempt to obtain the certificate three more times in 30-second intervals. You cannot configure these values.

If a power failure occurs while the phone attempts a session with CAPF, and the phone cannot load the new configuration file from the TFTP server after it reboots, the phone uses the authentication mode that is stored in flash. After the certificate operation completes, the system clears the value in flash.


Tip Be aware that the phone user can abort the certificate operation or view the operation status on the phone.



Tip Key generation, which is set at low priority, allows the phone to function while the action occurs. You may notice that key generation takes up to 30 or more minutes to complete.

Although the phone functions during certificate generation, additional TLS traffic may cause minimal call-processing interruptions on the phone; for example, audio glitches may occur when the certificate is written to flash at the end of the installation.

If you choose a 2048-bit key for the certificate, establishing a connection between the phone, Cisco CallManager, and secure SRST-enabled gateway during phone boot-up and failover may take more than 60 seconds. Unless you want the highest possible security level, do not configure the 2048-bit key.


Consider the following information about how CAPF interacts with the Cisco IP Phone 7960 and 7940 when the phone is reset by a user or by Cisco CallManager.

In the following examples, if the LSC does not already exist in the phone and if By Existing Certificate is chosen for the CAPF Authentication Mode, the CAPF certificate operation fails.

Example —Nonsecure Device Security Mode

In this example, the phone resets after you configure the Device Security Mode to nonsecure and the CAPF Authentication Mode to By Null String or By Existing Certificate (Precedence...). After the phone resets, it immediately registers with the primary Cisco CallManager and receives the configuration file. The phone then automatically initiates a session with CAPF to download the LSC. After the phone installs the LSC, configure the Device Security Mode to Authenticated or Encrypted.

Example—Authenticated/Encrypted Device Security Mode

In this example, the phone resets after you configure the Device Security Mode to authenticated or encrypted and the CAPF Authentication Mode to By Null String or By Existing Certificate (Precedence...). The phone does not register with the primary Cisco CallManager until the CAPF session ends and the phone installs the LSC. After the session ends, the phone registers and immediately runs in authenticated or encrypted mode.

You cannot configure By Authentication String in this example because the phone does not automatically contact the CAPF server; the registration fails if the phone does not have a valid LSC.

Related Topics

CAPF System Interactions and Requirements

CAPF Configuration Checklist

Cisco IP Phone Administration Guide for Cisco CallManager

CAPF System Interactions and Requirements

The following requirements exist for CAPF:

Before you upgrade to Cisco CallManager 4.1, review the following sections:

Migrating Existing CAPF Data

Copying CAPF 1.0(1) Data from a 4.0 Subscriber Server to the 4.0 Publisher Database Server

Before you use CAPF, ensure that you performed all necessary tasks to install and configure the Cisco CTL client. To use CAPF, you must activate the Cisco Certificate Authority Proxy Function service on the publisher database server.

Cisco strongly recommends that you use CAPF during a scheduled maintenance window because generating many certificates at the same time may cause call-processing interruptions.

All servers in the Cisco CallManager 4.1 cluster must use the same administrator username and password, so CAPF can authenticate to all servers in the cluster.

Ensure that the publisher database server is functional and running during the entire certificate operation.

Ensure that the phone is functional during the entire certificate operation.

You can use Microsoft Certificate Services with CAPF if the Microsoft Certificate Services software runs on a Windows 2003 server. For information on how to use this software or for troubleshooting support, contact the certificate authority vendor directly.

If CAPF will request certificates from Microsoft Certificate Services, you must enter the necessary configuration information, for example, the IP address or hostname, for this certificate authority in the applicable CAPF service parameter.

If you plan to use Microsoft Certificate Services, you must install the SCEP addon on the server where you install Microsoft Certificate Services. To obtain the SCEP addon, contact the certificate authority vendor directly.


Tip Third-party certificate authorities may enforce certificate-issuing policies that override the CAPF settings that you configure in Cisco CallManager Administration. Before you use a third-party certificate authority (CA) with CAPF, review the certificate authority vendor documentation to ensure that no limitations exist that may affect the ability to issue certificates.


You can also use the Keon Utility to generate certificates for CAPF. You must enter the necessary configuration information, for example, the IP address or hostname, for this certificate authority in the applicable CAPF service parameter. You must also provide the Keon Jurisdiction ID in the appropriate service parameter field.

For information on how to use the Keon software or for troubleshooting support, contact the certificate authority vendor directly.

To use the Keon Utility or Microsoft Certificate Services with CAPF, the certificates that the certificate authority issues must carry the following extended key usage object identifiers (OIDs). For information on how to configure these settings, refer to the certificate authority vendor documentation.

(1.3.6.1.5.5.7.3.1) Server SSL/TLS authentication

(1.3.6.1.5.5.7.3.2) Client SSL/TLS authentication

(1.3.6.1.5.5.7.3.5) IPSec end system authentication
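
The following is an added example, not Cisco code and not part of the original guide. It shows, in pure Python with no third-party libraries, how the three OIDs above are encoded in the DER extended key usage extension value of a certificate, and provides a checker that decodes an EKU value and reports which of the three purposes are missing. The sample EKU values it builds are constructed inline; a real check would feed it the extnValue bytes of the extendedKeyUsage extension (OID 2.5.29.37) taken from a certificate that the third-party CA issued.

```python
"""Pure-Python DER helpers to build and check the extended key usage (EKU) OIDs CAPF expects."""
from typing import Dict, List, Tuple

# The three purposes listed above, keyed by dotted OID (id-kp arc 1.3.6.1.5.5.7.3).
REQUIRED_EKU: Dict[str, str] = {
    "1.3.6.1.5.5.7.3.1": "Server SSL/TLS authentication (id-kp-serverAuth)",
    "1.3.6.1.5.5.7.3.2": "Client SSL/TLS authentication (id-kp-clientAuth)",
    "1.3.6.1.5.5.7.3.5": "IPSec end system authentication (id-kp-ipsecEndSystem)",
}


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"not a valid OID: {dotted}")
    body = bytearray([arcs[0] * 40 + arcs[1]])   # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                     # base-128, continuation bit on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _der_length(len(body)) + bytes(body)


def encode_eku(oids: List[str]) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (the extension's extnValue)."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    if body[0] & 0x80:
        raise ValueError("multi-octet first arc not supported")
    top = 2 if body[0] >= 80 else body[0] // 40
    arcs = [top, body[0] - 40 * top]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der: bytes) -> List[str]:
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU extnValue must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, obody, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OBJECT IDENTIFIERs")
        oids.append(decode_oid(obody))
    return oids


def missing_eku(der: bytes) -> List[str]:
    """Required purposes absent from an EKU extnValue, as dotted OIDs."""
    present = set(decode_eku(der))
    return sorted(oid for oid in REQUIRED_EKU if oid not in present)


if __name__ == "__main__":
    good = encode_eku(list(REQUIRED_EKU))
    print(good.hex(), missing_eku(good))
    # A mistyped arc (1.3.5.… instead of 1.3.6.…) still encodes as a valid OID,
    # which is why the check compares decoded values rather than trusting the template.
    print(missing_eku(encode_eku(["1.3.6.1.5.5.7.3.1", "1.3.5.1.5.5.7.3.2"])))
```

A mistyped OID in a CA template is still a syntactically valid OID, so the CA will issue the certificate without complaint; comparing the decoded purposes against the required set is the only way to catch it before phones start failing to establish TLS.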


Tip Cisco IP Telephony Backup and Restore System (BARS) backs up the CAPF data and reports because Cisco CallManager stores the information in the Cisco CallManager database.


Related Topics

Certificate Authority Proxy Function Overview

CAPF System Interactions and Requirements

Migrating Existing CAPF Data

CAPF Configuration Checklist

Configuring CAPF in Cisco CallManager Serviceability

You perform the following tasks in Cisco CallManager Serviceability:

Activate the Cisco Certificate Authority Proxy Function service.

Configure trace settings for CAPF.

Related Topics

Cisco CallManager Serviceability Administration Guide

Cisco CallManager Serviceability System Guide

Migrating Existing CAPF Data


Caution Failing to perform the tasks that are described in this section may cause a loss of CAPF data. Use the following information in conjunction with the "CAPF Configuration Checklist" section and the "Copying CAPF 1.0(1) Data from a 4.0 Subscriber Server to the 4.0 Publisher Database Server" section.

Review the following details before you install or overwrite a locally significant certificate:

Upgrades from Cisco CallManager 4.0 where CAPF was installed on the Cisco CallManager 4.0 publisher database server—If you performed certificate operations with Cisco CallManager 4.0 and CAPF 1.0(1) ran on the publisher database server, the latest operation status migrates to the Cisco CallManager 4.1 database.

Upgrades from Cisco CallManager 4.0 where CAPF was installed on a Cisco CallManager 4.0 subscriber server—If you performed certificate operations with Cisco CallManager 4.0 and CAPF 1.0(1) ran on a subscriber server, you must copy the CAPF data to the 4.0 publisher database server before you upgrade the cluster to a version of Cisco CallManager 4.1.


Caution If you fail to copy the data before the Cisco CallManager 4.0 to 4.1 upgrade, the CAPF data on the Cisco CallManager 4.0 subscriber server does not migrate to the Cisco CallManager 4.1 database, and a loss of data may occur. If a loss of data occurs, the locally significant certificates that you issued with CAPF utility 1.0(1) remain in the phones but are no longer valid, and CAPF 4.1(3) must reissue them.

Upgrades from one release of Cisco CallManager 4.1(x) to a later release of Cisco CallManager 4.1(x)—The upgrade automatically migrates the CAPF data.

Related Topics

Certificate Authority Proxy Function Overview

CAPF System Interactions and Requirements

CAPF Configuration Checklist

Copying CAPF 1.0(1) Data from a 4.0 Subscriber Server to the 4.0 Publisher Database Server

CAPF Configuration Checklist

Table 4-1 provides a list of tasks that you perform to install, upgrade, delete or troubleshoot locally significant certificates.

Table 4-1 CAPF Configuration Checklist 

Configuration Steps
Related Procedures and Topics

Step 1 

Determine whether a locally significant certificate exists in the phone.

Determine whether you need to copy CAPF 1.0(1) data to the Cisco CallManager 4.1(3) publisher database server.

Verifying That a Manufacture-Installed Certificate (MIC) Exists in the Phone, page 9-40

Verifying That a Locally Significant Certificate Exists on the Phone, page 9-39

Migrating Existing CAPF Data

Copying CAPF 1.0(1) Data from a 4.0 Subscriber Server to the 4.0 Publisher Database Server

Step 2 

If you used the CAPF utility with Cisco CallManager 4.0 and verified that the CAPF data exists in the Cisco CallManager 4.1 database, delete the CAPF utility that you used with Cisco CallManager 4.0.

Choose Settings > Control Panel. Double-click Add/Remove Programs and locate the utility. Remove the utility.

Step 3 

Verify that the Cisco Certificate Authority Proxy Function service is running.

Tip This service must run during all CAPF operations. It must also run for the Cisco CTL client to include the CAPF certificate in the CTL file.

Activating the Certificate Authority Proxy Function Service

Step 4 

Verify that you performed all necessary tasks to install and configure the Cisco CTL client. Ensure that the CAPF certificate exists in the Cisco CTL file.

Configuring the Cisco CTL Client, page 3-11

Step 5 

If necessary, update CAPF service parameters.

Updating CAPF Service Parameters

Step 6 

To install, upgrade, delete, or troubleshoot locally significant certificates in the phone, use Cisco CallManager Administration or BAT.

Installing/Upgrading the Locally Significant Certificates

CAPF Settings in the Phone Configuration Window

Using CAPF with the Bulk Administration Tool

Step 7 

To view a list of devices that use CAPF, generate a CAPF report in Cisco CallManager Administration.

Generating a CAPF Report

Step 8 

If you chose the authentication string option for the Authentication Mode, enter the authentication string on the phone.

Entering the Authentication String on the Phone

Step 9 

Verify that the certificate operation succeeded as planned.

Verifying That a Locally Significant Certificate Exists on the Phone, page 9-39

Verifying That a Manufacture-Installed Certificate (MIC) Exists in the Phone, page 9-40

Copying CAPF 1.0(1) Data from a 4.0 Subscriber Server to the 4.0 Publisher Database Server


Caution If you installed CAPF utility 1.0(1) on a Cisco CallManager 4.0 subscriber server, you must copy the CAPF data to the 4.0 publisher database server before you upgrade to Cisco CallManager 4.1. Failing to perform this task causes a loss of CAPF data; for example, you may lose the phone record files in C:\Program Files\Cisco\CAPF\CAPF.phone. If a loss of data occurs, the locally significant certificates that you issued with CAPF utility 1.0(1) remain in the phones but are no longer valid, and CAPF 4.1(3) must reissue them.

Use the following procedure in conjunction with the "Migrating Existing CAPF Data" section. To copy the files, perform the following procedure:

Procedure


Step 1 Copy the files in Table 4-2 from the machine where CAPF 1.0 is installed to the publisher database server where Cisco CallManager 4.0 is installed:

Table 4-2 Copy From Server to Server

Files to Copy
From Machine Where CAPF 1.0 Is Installed
To Publisher Database Server Where Cisco CallManager 4.0 Is Installed

*.0

in C:\Program Files\Cisco\CAPF

to C:\Program Files\Cisco\Certificates

CAPF.phone

in C:\Program Files\Cisco\CAPF

to C:\Program Files\Cisco\CAPF

CAPF.config files

in C:\Program Files\Cisco\CAPF

to C:\Program Files\Cisco\CAPF


Step 2 Upgrade every server in the cluster to Cisco CallManager 4.1.

Step 3 After you upgrade the cluster to Cisco CallManager 4.1, upgrade the Cisco CTL client, and run it before you use the phones. The Cisco CTL client will copy the CAPF certificate to all the servers in the cluster.

Step 4 Uninstall the CAPF utility that you used with Cisco CallManager 4.0. See Table 4-1.

Step 5 See the "Generating a New CAPF Certificate" section on page 9-40.


Related Topics

Certificate Authority Proxy Function Overview

CAPF System Interactions and Requirements

Migrating Existing CAPF Data

CAPF Configuration Checklist

Activating the Certificate Authority Proxy Function Service

Cisco CallManager 4.1 does not automatically activate the Certificate Authority Proxy Function service in Cisco CallManager Serviceability.

Activate this service only on the publisher database server. If you did not activate this service before you installed and configured the Cisco CTL client, you must update the CTL file, as described in the "Updating the CTL File" section on page 3-16.

To activate the service, perform the following procedure:

Procedure


Step 1 In Cisco CallManager Serviceability, choose Tools > Service Activation.

Step 2 In the pane on the left side of the window, choose the publisher database server.

Step 3 Check the Certificate Authority Proxy Function service check box.

Step 4 Click Update.


Related Topics

CAPF Configuration Checklist

Cisco CallManager Serviceability Administration Guide

Cisco CallManager Serviceability Service Guide

Updating CAPF Service Parameters

If you use Microsoft Certificate Services or Keon Utility to generate certificates, you must update some CAPF service parameters in Cisco CallManager Administration.

The CAPF Service Parameter window also provides information on the number of years that the certificate is valid, the maximum number of times that the system retries to generate the key, the key size, and so on.

Before the CAPF service parameters will display in Cisco CallManager Administration, you must activate the Certificate Authority Proxy Function service, as described in "Activating the Certificate Authority Proxy Function Service" section.

To update the CAPF service parameters, perform the following procedure:

Procedure


Step 1 In Cisco CallManager Administration, choose Service > Service Parameter.

Step 2 From the Server drop-down list box, choose the publisher database server.

Step 3 From the Service drop-down list box, choose the Cisco Certificate Authority Proxy Function service.

Step 4 Update the CAPF service parameters. Click the i button in the Service Parameter window to display descriptions for the following service parameters:

Certificate Issuer

Duration of Certificate Validity (years)

Key Size (bits)

Maximum Allowable Time for Key Generation (minutes)

Maximum Allowable Attempts for Key Generation

Keon Jurisdiction ID

SCEP Port Number

Certificate Authority Address

Step 5 For the changes to take effect, restart the Cisco Certificate Authority Proxy Function service.


Related Topics

Certificate Authority Proxy Function Overview

CAPF System Interactions and Requirements

CAPF Configuration Checklist

Activating the Certificate Authority Proxy Function Service

Updating CAPF Enterprise Parameters

The following enterprise parameters support CAPF.

CAPF Phone Port

CAPF Operation Expires in (days)


Tip To access the parameters in Cisco CallManager Administration, choose System > Enterprise Parameters. To display a description for the parameters, click the i button that displays in the Enterprise Parameters window. For changes to take effect, you must reset the phones after you update the parameters.


Related Topics

Certificate Authority Proxy Function Overview

CAPF System Interactions and Requirements

CAPF Configuration Checklist

Activating the Certificate Authority Proxy Function Service

Updating CAPF Service Parameters

Installing/Upgrading the Locally Significant Certificates

Use Table 4-3 as a reference when you use CAPF.

Perform the following procedure to use the Certificate Authority Proxy Function:

Procedure


Step 1 In Cisco CallManager Administration, choose Device > Phone.

Step 2 Find the phone where you want to install, upgrade, delete, or troubleshoot the certificate. For information on finding a phone, refer to the Cisco CallManager Administration Guide.

Step 3 Enter the configuration settings, as described in Table 4-3.

Step 4 Click Update.

Step 5 Click Reset Phone.

Step 6 If you chose the Install/Upgrade Certificate Operation option and the By Authentication String mode option, you must enter the authentication string on the phone. For information on how to perform this task, see the "Entering the Authentication String on the Phone" section.


Related Topics

Certificate Authority Proxy Function Overview

CAPF System Interactions and Requirements

CAPF Configuration Checklist

CAPF Settings in the Phone Configuration Window

Using CAPF with the Bulk Administration Tool

Entering the Authentication String on the Phone

Deleting the Locally Significant Certificate

CAPF does not delete certificates that Cisco manufacturing installed in the phone. CAPF only deletes certificates that CAPF or the Cisco-approved, third-party certificate authority issued.


Caution If the phone does not contain a manufacture-installed certificate (MIC), you must change the device security mode to nonsecure for the phone before you delete the LSC. If you delete the certificate before you change the device security mode, the phone cannot register to Cisco CallManager. For information on changing the device security mode, see the "Configuring the Phones for Security" section on page 5-1.

To delete the certificate from Cisco CallManager Administration instead of from the phone, perform the following procedure:

Procedure


Step 1 In Cisco CallManager Administration, choose Device > Phone.

Step 2 Find the phone where you want to delete the locally significant certificate. For information on how to find a phone that uses CAPF, refer to the Cisco CallManager Administration Guide.

Step 3 From the Certificate Operation drop-down list box, choose the Delete option.

Step 4 Click Update.

Step 5 Click Reset Phone.

Step 6 If you chose the By Authentication String mode, the user must enter the string to revoke the certificate.

Step 7 If you used a Cisco-approved, third-party certificate authority to issue the certificates, verify that the certificate authority revoked the certificate. Contact the third-party certificate authority vendor for information on how to perform this task.

After the certificate is deleted from the phone, the Operation Status field in the Phone Configuration window displays Delete Success.


Related Topics

Certificate Authority Proxy Function Overview

CAPF System Interactions and Requirements

Migrating Existing CAPF Data

Activating the Certificate Authority Proxy Function Service

Updating CAPF Service Parameters

Installing/Upgrading the Locally Significant Certificates

CAPF Settings in the Phone Configuration Window

Using CAPF with the Bulk Administration Tool

Entering the Authentication String on the Phone

Deleting the Locally Significant Certificate

CAPF Settings in the Phone Configuration Window

Table 4-3 describes the CAPF settings in the Phone Configuration window in Cisco CallManager Administration.

Table 4-3 CAPF Configuration Settings 

Setting
Description

Certificate Operation

From the drop-down list box, choose one of the following options:

No Pending Operation—Displays when no certificate operation is scheduled. (default setting)

Install/Upgrade—Installs a new or upgrades an existing locally significant certificate in the phone.

Delete—Deletes the locally significant certificate that exists in the phone.

Troubleshoot—Retrieves the locally significant certificate (LSC) or the manufacture-installed certificate (MIC), so you can view the certificate credentials in the CAPF trace file. If both certificate types exist in the phone, Cisco CallManager creates two trace files, one for each certificate type.

By choosing the Troubleshoot option, you can verify that a LSC or MIC exists in the phone.

Tip The Delete and Troubleshoot options do not display if a certificate does not exist in the phone.

Authentication Mode

This field allows you to choose the method by which you want the phone to authenticate with CAPF. Use this field if you want to install/upgrade, delete, or troubleshoot a locally significant certificate or authenticate by a manufacture-installed certificate. From the drop-down list box, choose one of the following options:

By Authentication String—Installs/upgrades, deletes, or troubleshoots a locally significant certificate only when the user enters the CAPF authentication string on the phone.

By Null String—Automatically installs/upgrades, deletes, or troubleshoots a locally significant certificate without user intervention.

This option provides no security; Cisco strongly recommends that you choose this option only for closed, secure environments.

By Existing Certificate (Precedence to LSC)—Automatically installs/upgrades, deletes, or troubleshoots a locally significant certificate if a manufacture-installed (MIC) or locally significant certificate (LSC) exists in the phone. If a LSC exists in the phone, authentication occurs via the LSC, regardless whether a MIC exists in the phone. If a MIC and LSC exist in the phone, authentication occurs via the LSC. If a LSC does not exist in the phone but a MIC does exist, authentication occurs via the MIC.

Before you choose this option, verify that a certificate exists in the phone. If you choose this option and no certificate exists in the phone, the operation fails.

At any time, the phone uses only one certificate to authenticate to CAPF even though a MIC and LSC can exist in the phone at the same time. If the primary certificate, which takes precedence, becomes compromised for any reason, or, if you want to authenticate via the other certificate, you must update the authentication mode.

By Existing Certificate (Precedence to MIC)—Automatically installs/upgrades, deletes, or troubleshoots a locally significant certificate if a LSC or MIC exists in the phone. If a MIC exists in the phone, authentication occurs via the MIC, regardless whether a LSC exists in the phone. If a LSC exists in the phone but a MIC does not exist, authentication occurs via the LSC.

Before you choose this option, verify that a certificate exists in the phone. If you choose this option and no certificate exists in the phone, the operation fails.

Authentication String

If you chose the By Authentication String option, this field applies. Manually enter a string or generate a string by clicking the Generate String button. Ensure that the string contains 4 to 10 digits.

To install, upgrade, delete, or troubleshoot a locally significant certificate, the phone user or administrator must enter the authentication string on the phone.

Generate String

If you want CAPF to automatically generate an authentication string, click this button. The 4- to 10-digit authentication string displays in the Authentication String field.

Key Size (bits)

From the drop-down list box, choose the key size for the certificate. The default setting equals 1024. Other options include 512 and 2048.

If you choose a higher key size than the default setting, the phones take longer to generate the entropy that is required to generate the keys. Key generation, which is set at low priority, allows the phone to function while the action occurs. Depending on the phone model, you may notice that key generation takes up to 30 or more minutes to complete.

Operation Completes by

This field, which supports the Install/Upgrade, Delete, and Troubleshoot Certificate Operation options, specifies the date and time by which you must complete the operation.

The values that display apply for the publisher database server.

Operation Status

This field displays the progress of the certificate operation; for example, <operation type> pending, failed, or successful, where <operation type> is the Install/Upgrade, Delete, or Troubleshoot Certificate Operation option. You cannot change the information that displays in this field.
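
The following is an added example, not Cisco code and not part of the original guide. It encodes the rules that the reset examples for the 7960/7940 (in "Cisco IP Phone and CAPF Interaction") and Table 4-3 spread across several paragraphs: which phone certificate authenticates a CAPF session under each precedence mode, when By Authentication String is usable, what the authentication string must look like, and the delete precondition from the Caution in "Deleting the Locally Significant Certificate". The class and function names are this example's own; the authentication-string generator uses the standard library CSPRNG and is an equivalent of the Generate String button, not the code behind it.

```python
"""Model the CAPF authentication-mode rules (Table 4-3 and the phone reset examples)."""
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

NONSECURE, AUTHENTICATED, ENCRYPTED = "Nonsecure", "Authenticated", "Encrypted"
BY_AUTH_STRING = "By Authentication String"
BY_NULL_STRING = "By Null String"
BY_EXISTING_LSC = "By Existing Certificate (Precedence to LSC)"
BY_EXISTING_MIC = "By Existing Certificate (Precedence to MIC)"


def generate_auth_string(length: int = 10) -> str:
    """Equivalent of the Generate String button: 4 to 10 decimal digits from a CSPRNG."""
    if not 4 <= length <= 10:
        raise ValueError("authentication string must be 4 to 10 digits")
    return "".join(secrets.choice("0123456789") for _ in range(length))


def is_valid_auth_string(value: Optional[str]) -> bool:
    return bool(value) and value.isdigit() and 4 <= len(value) <= 10


def select_auth_cert(mode: str, has_lsc: bool, has_mic: bool) -> Optional[str]:
    """Which phone certificate authenticates the CAPF session under a precedence mode."""
    if mode == BY_EXISTING_LSC:
        return "LSC" if has_lsc else ("MIC" if has_mic else None)
    if mode == BY_EXISTING_MIC:
        return "MIC" if has_mic else ("LSC" if has_lsc else None)
    return None  # string-based modes do not use a phone certificate


@dataclass
class CapfOperation:
    operation: str          # "Install/Upgrade", "Delete" or "Troubleshoot"
    security_mode: str      # NONSECURE, AUTHENTICATED or ENCRYPTED
    auth_mode: str
    has_lsc: bool
    has_mic: bool           # False for the 7960/7940, which ship without a MIC
    auth_string: Optional[str] = None
    warnings: List[str] = field(default_factory=list)


def validate_operation(op: CapfOperation) -> List[str]:
    """Return blocking errors; non-blocking concerns are appended to op.warnings."""
    errors: List[str] = []
    has_cert = op.has_lsc or op.has_mic

    # Delete and Troubleshoot are not offered when the phone holds no certificate.
    if op.operation in ("Delete", "Troubleshoot") and not has_cert:
        errors.append(f"{op.operation} is not offered: no certificate exists in the phone")

    if op.auth_mode in (BY_EXISTING_LSC, BY_EXISTING_MIC):
        if select_auth_cert(op.auth_mode, op.has_lsc, op.has_mic) is None:
            errors.append("By Existing Certificate chosen but the phone has no LSC or MIC; "
                          "the operation fails")
    elif op.auth_mode == BY_AUTH_STRING:
        if op.security_mode != NONSECURE:
            errors.append("By Authentication String needs Nonsecure device security mode: "
                          "the phone does not contact CAPF before registering, and "
                          "registration fails without a valid LSC")
        if not is_valid_auth_string(op.auth_string):
            errors.append("authentication string must be 4 to 10 digits")
    elif op.auth_mode == BY_NULL_STRING:
        op.warnings.append("By Null String provides no security; use only in a closed, "
                           "secure environment")
    else:
        errors.append(f"unknown authentication mode {op.auth_mode!r}")

    # Deleting the only certificate on a phone that is not Nonsecure leaves it unable to register.
    if (op.operation == "Delete" and op.has_lsc and not op.has_mic
            and op.security_mode != NONSECURE):
        errors.append("set device security mode to Nonsecure before deleting the LSC "
                      "on a phone without a MIC")
    return errors


if __name__ == "__main__":
    # A 7960 with no certificate yet: Nonsecure plus By Authentication String is the supported path.
    first = CapfOperation("Install/Upgrade", NONSECURE, BY_AUTH_STRING, False, False,
                          auth_string=generate_auth_string(8))
    print(validate_operation(first), first.auth_string)
```

Running the validator over a BAT export before a maintenance window catches the two configurations that fail silently at reset time: By Existing Certificate on a phone with nothing to authenticate with, and By Authentication String on a phone already in Authenticated or Encrypted mode.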


Related Topics

Certificate Authority Proxy Function Overview

CAPF System Interactions and Requirements

CAPF Configuration Checklist

Installing/Upgrading the Locally Significant Certificates

Using CAPF with the Bulk Administration Tool

Entering the Authentication String on the Phone

Deleting the Locally Significant Certificate

Using CAPF with the Bulk Administration Tool

If you want to install, upgrade, delete, or troubleshoot many locally significant certificates at the same time, you must use the Cisco Bulk Administration Tool that is compatible with the version of Cisco CallManager that runs in the cluster.

Before you use BAT to install or delete certificates, you must activate the Cisco Certificate Authority Proxy Function service.

Cisco strongly recommends that you install certificates during a scheduled maintenance window because generating certificates may cause call-processing interruptions.

Related Topics

CAPF Configuration Checklist

Activating the Certificate Authority Proxy Function Service

Bulk Administration Tool User Guide

Generating a CAPF Report

In Cisco CallManager Administration, you can generate a CAPF report to view the certificate operation status, to view the authentication strings, or to view the authentication mode for listed devices. After you generate the CAPF report, you can view the report in a CSV file.

To generate a CAPF report, perform the following procedure:

Procedure


Step 1 In Cisco CallManager Administration, choose Device > Device Settings > CAPF Report.

Step 2 To find the devices that you want to display in the report, choose the criteria from the Find/List drop-down list boxes.

Step 3 Click Find.

A list of devices displays.

Step 4 To view the CAPF report in a CSV file, click the View the Report in File link in the upper, right corner of the window.

Step 5 If you want to do so, save the CSV file to a secure location and modify as needed.
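
The following is an added example, not Cisco code and not part of the original guide. It triages a CAPF report once it has been saved as CSV: counts operations by status, lists phones whose operation failed or whose Operation Completes by deadline passed while still pending, collects the authentication strings that users still need to enter, and produces a masked copy for anyone who only needs status. The sample rows and the column names are constructed for the example; the real export's column headings are an assumption and should be checked against your file.

```python
"""Triage a CAPF report exported as CSV (Device > Device Settings > CAPF Report)."""
import csv
import io
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample rows; the column names are an assumption about the real export.
SAMPLE_REPORT = """Device Name,Certificate Operation,Operation Status,Authentication Mode,Authentication String,Operation Completes By
SEP00112233AAAA,Install/Upgrade,Install/Upgrade Pending,By Authentication String,48213657,2006-03-10 17:00
SEP00112233BBBB,Install/Upgrade,Install/Upgrade Success,By Null String,,2006-03-10 17:00
SEP00112233CCCC,Delete,Delete Failed,By Existing Certificate (Precedence to LSC),,2006-03-10 17:00
SEP00112233DDDD,Troubleshoot,Troubleshoot Pending,By Authentication String,7731,2006-03-01 09:00
"""
DATE_FMT = "%Y-%m-%d %H:%M"   # assumed timestamp layout of the Operation Completes By column


def parse_capf_report(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def status_counts(rows: List[Dict[str, str]]) -> Counter:
    return Counter(r["Operation Status"] for r in rows)


def needs_attention(rows: List[Dict[str, str]], now: datetime) -> List[Tuple[str, str]]:
    """Failed operations, plus pending ones whose Operation Completes by deadline has passed."""
    out = []
    for r in rows:
        status = r["Operation Status"]
        deadline = datetime.strptime(r["Operation Completes By"], DATE_FMT)
        if status.endswith("Failed"):
            out.append((r["Device Name"], "failed"))
        elif status.endswith("Pending") and deadline < now:
            out.append((r["Device Name"], "expired before completion"))
    return out


def pending_auth_strings(rows: List[Dict[str, str]]) -> Dict[str, str]:
    """Strings a user still has to enter on the phone; one-time secrets, keep this list secure."""
    return {r["Device Name"]: r["Authentication String"]
            for r in rows
            if r["Authentication Mode"] == "By Authentication String"
            and r["Operation Status"].endswith("Pending")}


def redact_auth_strings(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Copy of the report that can leave the secure location: every string masked."""
    out = []
    for r in rows:
        r = dict(r)
        if r["Authentication String"]:
            r["Authentication String"] = "********"
        out.append(r)
    return out


if __name__ == "__main__":
    rows = parse_capf_report(SAMPLE_REPORT)
    print(status_counts(rows))
    print(needs_attention(rows, datetime(2006, 3, 5, 12, 0)))
    print(pending_auth_strings(rows))
```

The report carries live authentication strings, which is why the procedure says to save it to a secure location; the masked copy is what to hand to a helpdesk that only needs to see which phones are still pending.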


Related Topics

Certificate Authority Proxy Function Overview

CAPF System Interactions and Requirements

CAPF Configuration Checklist

CAPF Settings in the Phone Configuration Window

Entering the Authentication String on the Phone

Finding Phones by Choosing the LSC Status

For information on how to find and list phones by choosing the LSC Status, see the "Finding Phones for Authentication, Encryption, and LSC Status" section on page 5-11.

Related Topics

CAPF Configuration Checklist

Troubleshooting, page 9-1

Entering the Authentication String on the Phone

If you chose the By Authentication String mode and generated an authentication string in Cisco CallManager, you must enter the authentication string on the phone before the locally significant certificate installation occurs.


Tip The phone user can perform the following procedure to install the certificate. The authentication string applies for one-time use only.


Before You Begin

Verify that the CAPF certificate exists in the CTL file.

Verify that the CAPF certificate exists in the certificate folder on the Cisco CallManager server; on the server, browse to C:\Program Files\Cisco\Certificates.

Verify that you activated the Cisco Certificate Authority Proxy Function service, as described in "Activating the Certificate Authority Proxy Function Service" section.

Verify that the publisher database server is functional and running. Ensure that the server runs for each certificate installation.

Verify that a signed image exists on the phone; refer to the Cisco IP Phone administration documentation that supports your phone model.

Obtain the authentication string that displays in the Phone Configuration window or in the CAPF Report window.

Procedure


Step 1 For the device, obtain the CAPF authentication string from the Phone Configuration window or the CAPF Report window.

Step 2 Verify that the device registers with Cisco CallManager.

Step 3 Verify that the device security mode equals Nonsecure.

Step 4 On nonsecure Cisco IP Phone models 7970, 7960, or 7940, press the Settings button.

Step 5 On the Settings menu, scroll to the Security Configuration option; press the Select softkey.


Tip If the phone menu is locked, unlock the menu, as described in the phone documentation.


Step 6 Scroll to the LSC option; press the Update softkey.

Step 7 Enter the 4- to 10-digit authentication string for the phone and press Submit.


Tip If you need to change the authentication string before you press Submit, press <<.


The phone installs, updates, deletes, or fetches the certificate, depending on the current CAPF configuration.

Monitor the progress of the certificate operation by viewing the messages that display on the phone. After you press Submit, the message, Pending, displays under the LSC option. The phone generates the public key and private key pair and displays the information on the phone. When the phone successfully completes the process, the phone displays a successful message. If the phone displays a failure message, you entered the wrong authentication string or did not enable the phone for upgrade; see the "Troubleshooting" section on page 9-1.

At any time, you can stop the process by choosing the Stop option.

You can verify that the certificate installed on the phone by choosing Settings > Model Information and viewing the LSC setting, which indicates Installed or Not Installed.


Related Topics

CAPF Configuration Checklist

CAPF Settings in the Phone Configuration Window

Using CAPF with the Bulk Administration Tool

Entering the Authentication String on the Phone

Deleting the Locally Significant Certificate

Cisco IP Phone Administration Guide for Cisco CallManager, Cisco IP Phone Models 7960G and 7940G