Using the Certificate Authority Proxy Function
This chapter provides information on the following topics:
• Certificate Authority Proxy Function Overview
• Cisco IP Phone and CAPF Interaction
• CAPF System Interactions and Requirements
• Migrating Existing CAPF Data
• Configuring CAPF in Cisco CallManager Serviceability
• CAPF Configuration Checklist
• Copying CAPF 1.0(1) Data From a 4.0 Subscriber Server to the 4.0 Publisher Database Server
• Activating the Certificate Authority Proxy Function Service
• Updating CAPF Service Parameters
• Updating CAPF Enterprise Parameters
• CAPF Service Parameters
• Installing/Upgrading the Locally Significant Certificates
• Deleting the Locally Significant Certificate
• CAPF Settings in the Phone Configuration Window
• Using CAPF with the Bulk Administration Tool
• Generating a CAPF Report
• Finding Phones by Choosing the LSC Status
• Entering the Authentication String on the Phone
Certificate Authority Proxy Function Overview
Certificate Authority Proxy Function (CAPF), which automatically installs with Cisco CallManager, performs the following tasks, depending on your configuration:
• Issue locally significant certificates to supported Cisco IP Phone models.
• Using SCEP, request certificates from third-party certificate authorities on behalf of supported Cisco IP Phone models.
• Upgrade existing locally significant certificates on the phones.
• Retrieve phone certificates for viewing and troubleshooting.
• Delete locally significant certificates on the phone.
• Authenticate via the manufacture-installed certificate.
After you activate the Cisco Certificate Authority Proxy Function service, CAPF automatically generates a key pair and certificate that is specific for CAPF. The CAPF certificate, which the Cisco CTL Client copies to all servers in the cluster, uses the .0 extension. To verify that the CAPF certificate exists, browse to C:\Program Files\Cisco\Certificates on each server and locate the following files:
• In DER encoded format—CAPF.cer
• In PEM encoded format—.0 extension file that contains the same common name string as the CAPF.cer
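A check for the verification step above, written as an added example (not Cisco's code): for each server's certificate folder it confirms that CAPF.cer is present and that some .0 file is the PEM encoding of the same certificate, then compares every server against the publisher. It goes beyond the common-name comparison the text describes by comparing the whole certificate, on the assumption that the .0 file is a PEM copy of CAPF.cer; the function names and the server-to-folder mapping are hypothetical.

```python
import hashlib
import ssl
from pathlib import Path


def check_capf_cert(cert_dir):
    """Return (status, sha256_hex) for one certificate folder.

    status is "ok", "missing-der" (no CAPF.cer) or "no-matching-pem"
    (no .0 file decodes to the same bytes as CAPF.cer).
    """
    cert_dir = Path(cert_dir)
    der_path = cert_dir / "CAPF.cer"
    if not der_path.is_file():
        return "missing-der", None
    der = der_path.read_bytes()
    digest = hashlib.sha256(der).hexdigest()
    for pem_path in sorted(cert_dir.glob("*.0")):
        try:
            text = pem_path.read_text(encoding="ascii").strip()
            candidate = ssl.PEM_cert_to_DER_cert(text)
        except ValueError:
            continue  # not a single well-formed PEM certificate; skip it
        if candidate == der:
            return "ok", digest
    return "no-matching-pem", digest


def check_cluster(cert_dirs, publisher):
    """Compare every server's CAPF certificate with the publisher's.

    cert_dirs maps a server name to its certificate folder (for example a
    mounted copy of C:\\Program Files\\Cisco\\Certificates). Returns a dict
    of server -> problem; an empty dict means the cluster is consistent.
    """
    results = {name: check_capf_cert(path) for name, path in cert_dirs.items()}
    reference = results[publisher][1]
    problems = {}
    for name, (status, digest) in results.items():
        if status != "ok":
            problems[name] = status
        elif digest != reference:
            problems[name] = "differs-from-publisher"
    return problems


if __name__ == "__main__":
    import tempfile
    # Constructed stand-in bytes, not a real certificate: the check only
    # compares encodings, so any byte string exercises it.
    with tempfile.TemporaryDirectory() as root:
        folders = {}
        for server, pem_body in (("PUB", b"capf-cert"), ("SUB1", b"stale-cert")):
            folder = Path(root, server)
            folder.mkdir()
            (folder / "CAPF.cer").write_bytes(b"capf-cert")
            (folder / "0a1b2c3d.0").write_text(ssl.DER_cert_to_PEM_cert(pem_body))
            folders[server] = folder
        print(check_cluster(folders, publisher="PUB"))
```

A server reported as differs-from-publisher or no-matching-pem holds a stale or partial copy, which is the situation that running the Cisco CTL client again is meant to correct.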
Related Topics
• CAPF System Interactions and Requirements
• CAPF Configuration Checklist
Cisco IP Phone and CAPF Interaction
When the phone interacts with CAPF, the phone generates its public key and private key pair and then forwards its public key to the CAPF server in a signed message. The private key remains in the phone and is never exposed externally. Depending on the configuration in Cisco CallManager Administration, CAPF may sign the phone certificate or may act as a SCEP protocol proxy to the third-party, Cisco-approved CA server to sign the phone certificate. CAPF then sends the certificate back to the phone in a signed message.
The following information applies when a communication or power failure occurs.
If a communication failure occurs while the certificate installation is taking place on the phone, the phone will attempt to obtain the certificate three more times in 30-second intervals. You cannot configure these values.
If a power failure occurs while the phone attempts a session with CAPF, and the phone cannot load the new configuration file from the TFTP server after it reboots, the phone uses the authentication mode that is stored in flash. After the certificate operation completes, the system clears the value in flash.
Tip
Be aware that the phone user can abort the certificate operation or view the operation status on the phone.
Related Topics
• CAPF System Interactions and Requirements
• CAPF Configuration Checklist
• Cisco IP Phone Administration Guide for Cisco CallManager
CAPF System Interactions and Requirements
The following requirements exist for CAPF:
• Before you upgrade to Cisco CallManager 4.1, review the following sections:
  – Migrating Existing CAPF Data
  – Copying CAPF 1.0(1) Data From a 4.0 Subscriber Server to the 4.0 Publisher Database Server
• Before you use CAPF, ensure that you performed all necessary tasks to install and configure the Cisco CTL client. To use CAPF, you must activate the Cisco Certificate Authority Proxy Function service on the publisher database server.
• Cisco strongly recommends that you use CAPF during a scheduled maintenance window because generating many certificates at the same time may cause call-processing interruptions.
• All servers in the Cisco CallManager 4.1 cluster must use the same administrator username and password, so CAPF can authenticate to all servers in the cluster.
• Ensure that the publisher database server is functional and running during the entire certificate operation.
• Ensure that the phone is functional during the entire certificate operation.
• If you want to do so, you can use the Microsoft Certificate Services with CAPF if the Microsoft Certificate Services software runs on a Windows 2003 server. For information on how to use this software or for troubleshooting support, contact the certificate authority vendor directly.
  If CAPF will request certificates from Microsoft Certificate Services, you must enter the necessary configuration information, for example, the IP address or hostname, for this certificate authority in the applicable CAPF service parameter.
  If you plan to use Microsoft Certificate Services, you must install the SCEP addon on the server where you install Microsoft Certificate Services. To obtain the SCEP addon, contact the certificate authority vendor directly.
  Tip
  Before you use a third-party certificate authority (CA) with CAPF, review the certificate authority vendor documentation to ensure that no limitations exist that may affect the ability to issue certificates.
• If you want to do so, you can use Keon Utility to generate certificates for CAPF. You must enter the necessary configuration information, for example, the IP address or hostname, for this certificate authority in the applicable CAPF service parameter. You must also provide the Keon Jurisdiction ID in the appropriate service parameter field.
  For information on how to use the Keon software or for troubleshooting support, contact the certificate authority vendor directly.
• To use the Keon Utility or Microsoft Certificate Services with CAPF, you must define the following Object IDs. For information on how to use the following settings, refer to the certificate authority vendor documentation.
  – (1.3.6.1.5.5.7.3.1) Server SSL/TLS authentication
  – (1.3.6.1.5.5.7.3.2) Client SSL/TLS authentication
  – (1.3.6.1.5.5.7.3.5) IPSec end system authentication
Tip
Cisco IP Telephony Backup and Restore System (BARS) backs up the CAPF data and reports because Cisco CallManager stores the information in the Cisco CallManager database.
Related Topics
• Certificate Authority Proxy Function Overview
• CAPF System Interactions and Requirements
• Migrating Existing CAPF Data
• CAPF Configuration Checklist
Configuring CAPF in Cisco CallManager Serviceability
You perform the following tasks in Cisco CallManager Serviceability:
• Activate the Cisco Certificate Authority Proxy Function service.
• Configure trace settings for CAPF.
Related Topics
• Cisco CallManager Serviceability Administration Guide
• Cisco CallManager Serviceability System Guide
Migrating Existing CAPF Data
Caution 
Failing to perform the tasks that are described in this section may cause a loss of CAPF data.
Review the following details before you install or overwrite a locally significant certificate:
• Upgrades from Cisco CallManager 4.0 where CAPF was installed on the Cisco CallManager 4.0 publisher database server—If you performed certificate operations with Cisco CallManager 4.0 and CAPF 1.0(1) ran on the publisher database server, the latest operation status migrates to the Cisco CallManager 4.1 database.
• Upgrades from Cisco CallManager where CAPF was installed on a Cisco CallManager 4.0 subscriber server—If you performed certificate operations with Cisco CallManager 4.0 and CAPF 1.0(1) ran on a subscriber server, you must copy the CAPF data to the 4.0 publisher database server before you upgrade the cluster to Cisco CallManager 4.1.
  Caution
  If you fail to copy the data prior to the Cisco CallManager 4.1 upgrade, the CAPF data on the Cisco CallManager 4.0 subscriber server does not migrate to the Cisco CallManager 4.1 database, and a loss of data may occur. If a loss of data occurs, the locally significant certificates that you issued with CAPF utility 1.0(1) remain in the phones. CAPF 4.1(2) must reissue the certificate, which is not valid.
• Upgrades from one release of Cisco CallManager 4.1(x) to a later release of Cisco CallManager 4.1(x)—The upgrade automatically migrates the CAPF data.
Related Topics
• Certificate Authority Proxy Function Overview
• CAPF System Interactions and Requirements
• CAPF Configuration Checklist
• Copying CAPF 1.0(1) Data From a 4.0 Subscriber Server to the 4.0 Publisher Database Server
CAPF Configuration Checklist
Table 4-1 provides a list of tasks that you perform to install, upgrade, delete or troubleshoot locally significant certificates.
Copying CAPF 1.0(1) Data From a 4.0 Subscriber Server to the 4.0 Publisher Database Server
Caution 
If you installed CAPF utility 1.0(1) on a Cisco CallManager 4.0 subscriber server, you must copy the CAPF data to the 4.0 publisher database server before you upgrade to Cisco CallManager 4.1. Failing to perform this task causes a loss of CAPF data; for example, you may lose the phone record files in C:\Program Files\Cisco\CAPF\CAPF.phone. If a loss of data occurs, the locally significant certificates that you issued with CAPF utility 1.0(1) remain in the phones; CAPF 4.1(2) must reissue the certificates, which are not valid.
Use the following procedure in conjunction with the "Migrating Existing CAPF Data" section. To copy the files, perform the following procedure:
Procedure
Step 1
Copy the files in Table 4-2 from the machine where CAPF 1.0 is installed to the publisher database server where Cisco CallManager 4.0 is installed:
Table 4-2 Copy From Server to Server
Files to Copy | From Machine Where CAPF 1.0 Is Installed | To Publisher Database Server Where Cisco CallManager 4.0 Is Installed
*.0 | in C:\Program Files\Cisco\CAPF | to C:\Program Files\Cisco\Certificates
CAPF.phone | in C:\Program Files\Cisco\CAPF | to C:\Program Files\Cisco\CAPF
CAPF.cfg files | in C:\Program Files\Cisco\CAPF | to C:\Program Files\Cisco\CAPF
Step 2
Upgrade every server in the cluster to Cisco CallManager 4.1.
Step 3
After you upgrade the cluster to Cisco CallManager 4.1, upgrade the Cisco CTL client, and run it before you use the phones. The Cisco CTL client will copy the CAPF certificate to all the servers in the cluster.
Step 4
Delete the CAPF utility that you used with Cisco CallManager 4.0. See Table 4-1.
Related Topics
• Certificate Authority Proxy Function Overview
• CAPF System Interactions and Requirements
• Migrating Existing CAPF Data
• CAPF Configuration Checklist
Activating the Certificate Authority Proxy Function Service
Cisco CallManager 4.1 does not automatically activate the Certificate Authority Proxy Function service in Cisco CallManager Serviceability.
Activate this service only on the publisher database server. If you did not activate this service before you installed and configured the Cisco CTL client, you must update the CTL file, as described in the "Updating the CTL File" section.
To activate the service, perform the following procedure:
Procedure
Step 1
In Cisco CallManager Serviceability, choose Tools > Service Activation.
Step 2
In the pane on the left side of the window, choose the publisher database server.
Step 3
Check the Certificate Authority Proxy Function service check box.
Step 4
Click Update.
Related Topics
• CAPF Configuration Checklist
• Cisco CallManager Serviceability Administration Guide
• Cisco CallManager Serviceability Service Guide
Updating CAPF Service Parameters
If you use Microsoft Certificate Services or Keon Utility to generate certificates, you must update some CAPF service parameters in Cisco CallManager Administration.
The CAPF Service Parameter window also provides information on the number of years that the certificate is valid, the maximum number of times that the system retries to generate the key, the key size, and so on.
Before the CAPF service parameters will display in Cisco CallManager Administration, you must activate the Certificate Authority Proxy Function service, as described in "Activating the Certificate Authority Proxy Function Service" section.
To update the CAPF service parameters, perform the following procedure:
Procedure
Step 1
In Cisco CallManager Administration, choose Service > Service Parameter.
Step 2
From the Server drop-down list box, choose the publisher database server.
Step 3
From the Service drop-down list box, choose the Cisco Certificate Authority Proxy Function service.
Step 4
Update the CAPF service parameters, as described in Table 4-3.
Step 5
For the changes to take effect, restart the Cisco Certificate Authority Proxy Function service.
Related Topics
• Certificate Authority Proxy Function Overview
• CAPF System Interactions and Requirements
• CAPF Configuration Checklist
• Activating the Certificate Authority Proxy Function Service
• CAPF Service Parameters
CAPF Service Parameters
Use Table 4-3 in conjunction with the "Updating CAPF Service Parameters" section.
Table 4-3 CAPF Service Parameters
Parameter | Description
Certificate Issuer | From the drop-down list box, choose the entity that will issue the locally significant certificate. Tip: If you update this field, you must use the Cisco CTL client to update the CTL file.
Duration of Certificate Validity (years) | This field specifies the number of years that the locally significant certificate is valid. A third-party certificate issuer, such as Keon or Microsoft Certificate Services, may have established a different value for this field. The value that these issuers establish does not display in this field. Contact the certificate issuer for more information on the duration of the certificate validity.
Key Size (bits) | This field specifies the key size that CAPF will use to generate the CAPF public and private keys.
Maximum Allowable Time for Key Generation (minutes) | This field specifies the number of minutes during which CAPF attempts to generate the CAPF keys. This parameter also specifies the maximum number of minutes that CAPF waits for a phone to complete the key-generation process.
Maximum Allowable Attempts for Key Generation | This field specifies the maximum number of attempts that CAPF tries to generate the CAPF keys. This parameter also specifies the maximum number of attempts in which the phone can generate the corresponding keys.
Keon Jurisdiction ID | This field specifies the Jurisdiction ID that you use with the Keon Utility.
SCEP Port Number | This field specifies the SCEP port number for the CAPF server.
Certificate Authority Address | Enter the IP address of the server where you installed the Microsoft Certificate Services or Keon Utility. If you chose the Cisco Certificate Authority Proxy Server from the Certificate Generation Method drop-down list box, you do not need to enter the IP address of the CAPF server.
Related Topics
• Certificate Authority Proxy Function Overview
• CAPF System Interactions and Requirements
• CAPF Configuration Checklist
• Activating the Certificate Authority Proxy Function Service
• Updating CAPF Service Parameters
Updating CAPF Enterprise Parameters
The enterprise parameters in Table 4-4 support CAPF. To access the parameters in Cisco CallManager Administration, choose System > Enterprise Parameters.
Tip
For the changes to take effect, you must reset the phones after you update the parameters.
Table 4-4 CAPF Enterprise Parameters
Parameter | Description
CAPF Phone Port | This parameter specifies the port that the Cisco Authority Proxy Function service uses to request a certificate from the phone. You must restart the Cisco Authority Proxy Function service for the change to take effect.
CAPF Operation Expires in (days) | This parameter, which affects all phones that use CAPF, specifies the number of days in which you must complete any CAPF operation; for example, troubleshooting, installing/upgrading, or deleting certificates.
Related Topics
• Certificate Authority Proxy Function Overview
• CAPF System Interactions and Requirements
• CAPF Configuration Checklist
• Activating the Certificate Authority Proxy Function Service
• Updating CAPF Service Parameters
Installing/Upgrading the Locally Significant Certificates
Use Table 4-5 as a reference when you use CAPF.
Perform the following procedure to use the Certificate Authority Proxy Function:
Procedure
Step 1
In Cisco CallManager Administration, choose Device > Phone.
Step 2
Find the phone where you want to install, upgrade, delete, or troubleshoot the certificate. For information on finding a phone, refer to the Cisco CallManager Administration Guide.
Step 3
Enter the configuration settings, as described in Table 4-5.
Step 4
Click Update.
Step 5
Click Reset Phone.
Step 6
If you chose the Install/Upgrade Certificate Operation option and the By Authentication String mode option, you must enter the authentication string on the phone. For information on how to perform this task, see the "Entering the Authentication String on the Phone" section.
Related Topics
• Certificate Authority Proxy Function Overview
• CAPF System Interactions and Requirements
• CAPF Configuration Checklist
• CAPF Settings in the Phone Configuration Window
• Using CAPF with the Bulk Administration Tool
• Entering the Authentication String on the Phone
Deleting the Locally Significant Certificate
CAPF does not delete certificates that Cisco manufacturing installed in the phone. CAPF only deletes certificates that CAPF or the Cisco-approved, third-party certificate authority issued.
Caution 
If the phone does not contain a manufacture installed certificate (MIC), you must change the device security mode to nonsecure for the phone before you delete the LSC. If you delete the certificate before you change the device security mode, the phone cannot register to Cisco CallManager. For information on changing the device security mode, see the "Configuring the Phones for Security" section.
To delete the certificate from Cisco CallManager Administration instead of from the phone, perform the following procedure:
Procedure
Step 1
In Cisco CallManager Administration, choose Device > Phone.
Step 2
Find the phone where you want to delete the locally significant certificate. For information on how to find a phone that uses CAPF, refer to the Cisco CallManager Administration Guide.
Step 3
From the Certificate Operation drop-down list box, choose the Delete option.
Step 4
Click Update.
Step 5
Click Reset Phone.
Step 6
If you chose the By Authentication String mode, the user must enter the string to revoke the certificate.
Step 7
If you used a Cisco-approved, third-party certificate authority to issue the certificates, verify that the certificate authority revoked the certificate. Contact the third-party certificate authority vendor for information on how to perform this task.
After the certificate authority deletes the certificate from the phone, the Operation Status field in the Phone Configuration window displays Delete Success.
Related Topics
• Certificate Authority Proxy Function Overview
• CAPF System Interactions and Requirements
• Migrating Existing CAPF Data
• Activating the Certificate Authority Proxy Function Service
• Updating CAPF Service Parameters
• CAPF Service Parameters
• Installing/Upgrading the Locally Significant Certificates
• CAPF Settings in the Phone Configuration Window
• Using CAPF with the Bulk Administration Tool
• Entering the Authentication String on the Phone
• Deleting the Locally Significant Certificate
CAPF Settings in the Phone Configuration Window
Table 4-5 describes the CAPF settings in the Phone Configuration window in Cisco CallManager Administration.
Table 4-5 CAPF Configuration Settings
Setting | Description
Certificate Operation | From the drop-down list box, choose one of the following options:
  • No Pending Operation—Displays when no certificate operation is occurring. (default setting)
  • Install/Upgrade—Installs a new or upgrades an existing locally significant certificate in the phone.
  • Delete—Deletes the locally significant certificate that exists in the phone.
  • Troubleshoot—Retrieves the locally significant certificate (LSC) or the manufacture installed certificate (MIC), so you can view the certificate credentials in the CAPF trace file. If both certificate types exist in the phone, Cisco CallManager creates two trace files, one for each certificate type.
    By choosing the Troubleshooting option, you can verify that a LSC or MIC exists in the phone.
Authentication Mode | This field allows you to choose the method by which you want the phone to authenticate with CAPF. Use this field if you want to install/upgrade, delete, or troubleshoot a locally significant certificate or authenticate by a manufacture-installed certificate. From the drop-down list box, choose one of the following options:
  • By Authentication String—Installs/upgrades, deletes, or troubleshoots a locally significant certificate only when the user enters the CAPF authentication string on the phone.
  • By Null String—Automatically installs/upgrades, deletes, or troubleshoots a locally significant certificate without user intervention.
    This option provides no security; Cisco strongly recommends that you choose this option only for closed, secure environments.
  • By Existing Certificate (Precedence to LSC)—Automatically installs/upgrades, deletes, or troubleshoots a locally significant certificate if a manufacture-installed (MIC) or locally significant certificate (LSC) exists in the phone. If a LSC exists in the phone, authentication occurs via the LSC, regardless of whether a MIC exists in the phone. If a MIC and LSC exist in the phone, authentication occurs via the LSC. If a LSC does not exist in the phone but a MIC does exist, authentication occurs via the MIC.
    Before you choose this option, verify that a certificate exists in the phone. If you choose this option and no certificate exists in the phone, the operation fails.
    At any time, the phone uses only one certificate to authenticate to CAPF even though a MIC and LSC can exist in the phone at the same time. If the primary certificate, which takes precedence, becomes compromised for any reason, or, if you want to authenticate via the other certificate, you must update the authentication mode.
  • By Existing Certificate (Precedence to MIC)—Automatically installs/upgrades, deletes, or troubleshoots a locally significant certificate if a LSC or MIC exists in the phone. If a MIC exists in the phone, authentication occurs via the MIC, regardless of whether a LSC exists in the phone. If a LSC exists in the phone but a MIC does not exist, authentication occurs via the LSC.
    Before you choose this option, verify that a certificate exists in the phone. If you choose this option and no certificate exists in the phone, the operation fails.
Authentication String | If you chose the By Authentication String option, this field applies. Manually enter a string or generate a string by clicking the Generate String button. Ensure that the string contains 4 to 10 digits.
  To install, upgrade, delete, or troubleshoot a locally significant certificate, the phone user or administrator must enter the authentication string on the phone.
Generate String | If you want CAPF to automatically generate an authentication string, click this button. The 4- to 10-digit authentication string displays in the Authentication String field.
Key Size (bits) | From the drop-down list box, choose the key size for the certificate. The default setting equals 1024. Other options include 512 and 2048.
  If you choose a higher key size than the default setting, the phones take longer to generate the entropy that is required to generate the keys.
Operation Completes by | This field, which supports the Install/Upgrade, Delete, and Troubleshoot Certificate Operation options, specifies the date and time by which you must complete the operation.
  The values that display apply for the publisher database server.
Operation Status | This field displays the progress of the certificate operation; for example, <operation type> pending, failed, or successful, where operation type equals the Install/Upgrade, Delete, or Troubleshoot Certificate Operation options. You cannot change the information that displays in this field.
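The authentication-mode rules in Table 4-5, together with the Caution in "Deleting the Locally Significant Certificate", can be checked before a certificate operation is pushed to phones. The following Python is an added example, not part of Cisco CallManager; the PhonePlan record, its field names and the sample devices are hypothetical, and the 512-bit warning is an added policy rather than a statement from this chapter.

```python
import re
from dataclasses import dataclass

# Option names exactly as Table 4-5 lists them.
BY_STRING = "By Authentication String"
BY_NULL = "By Null String"
BY_CERT_LSC = "By Existing Certificate (Precedence to LSC)"
BY_CERT_MIC = "By Existing Certificate (Precedence to MIC)"
OPERATIONS = ("Install/Upgrade", "Delete", "Troubleshoot")
KEY_SIZES = (512, 1024, 2048)


@dataclass
class PhonePlan:
    """Planned CAPF settings plus phone state (a hypothetical record)."""
    name: str
    operation: str
    auth_mode: str
    auth_string: str = ""
    key_size: int = 1024
    has_lsc: bool = False
    has_mic: bool = False
    device_security_mode: str = "Nonsecure"


def authenticating_certificate(plan):
    """Which certificate a By Existing Certificate mode uses, or None."""
    if plan.auth_mode == BY_CERT_LSC:
        order = (("LSC", plan.has_lsc), ("MIC", plan.has_mic))
    elif plan.auth_mode == BY_CERT_MIC:
        order = (("MIC", plan.has_mic), ("LSC", plan.has_lsc))
    else:
        return None
    return next((kind for kind, present in order if present), None)


def preflight(plan):
    """Return (severity, message) findings; severity is "block" or "warn"."""
    findings = []
    if plan.operation not in OPERATIONS:
        findings.append(("block", "unknown certificate operation"))
    if plan.auth_mode == BY_STRING:
        if not re.fullmatch(r"[0-9]{4,10}", plan.auth_string):
            findings.append(("block", "authentication string must be 4 to 10 digits"))
    elif plan.auth_mode == BY_NULL:
        findings.append(("warn", "By Null String provides no security"))
    elif plan.auth_mode in (BY_CERT_LSC, BY_CERT_MIC):
        if authenticating_certificate(plan) is None:
            findings.append(("block", "no LSC or MIC in the phone; the operation fails"))
    else:
        findings.append(("block", "unknown authentication mode"))
    # Caution in "Deleting the Locally Significant Certificate".
    if (plan.operation == "Delete" and not plan.has_mic
            and plan.device_security_mode.lower() != "nonsecure"):
        findings.append(("block", "no MIC: set device security mode to "
                                  "nonsecure before deleting the LSC"))
    if plan.key_size not in KEY_SIZES:
        findings.append(("block", "key size must be 512, 1024 or 2048"))
    elif plan.key_size < 1024:
        # Added policy, not from the page: 512-bit RSA keys are factorable.
        findings.append(("warn", "512-bit key is below the 1024 default"))
    return findings


def blocked(plans):
    """Names of phones whose plan has at least one blocking finding."""
    return [p.name for p in plans
            if any(sev == "block" for sev, _ in preflight(p))]


# Constructed sample plans; device names and states are made up.
SAMPLE_PLANS = [
    PhonePlan("SEP000000000001", "Install/Upgrade", BY_STRING, "48213"),
    PhonePlan("SEP000000000002", "Delete", BY_CERT_LSC, has_lsc=True,
              device_security_mode="Encrypted"),
    PhonePlan("SEP000000000003", "Install/Upgrade", BY_CERT_MIC),
    PhonePlan("SEP000000000004", "Install/Upgrade", BY_NULL, key_size=512),
    PhonePlan("SEP000000000005", "Troubleshoot", BY_STRING, "123"),
]

if __name__ == "__main__":
    for plan in SAMPLE_PLANS:
        print(plan.name, authenticating_certificate(plan), preflight(plan))
```

In the sample set, the second phone is blocked because deleting its LSC while it has no MIC and is not in nonsecure mode would leave it unable to register.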
Related Topics
• Certificate Authority Proxy Function Overview
• CAPF System Interactions and Requirements
• CAPF Configuration Checklist
• Installing/Upgrading the Locally Significant Certificates
• Using CAPF with the Bulk Administration Tool
• Entering the Authentication String on the Phone
• Deleting the Locally Significant Certificate
Using CAPF with the Bulk Administration Tool
If you want to install, upgrade, delete, or troubleshoot many locally significant certificates at the same time, you must use the Cisco Bulk Administration Tool that is compatible with the version of Cisco CallManager that runs in the cluster.
Before you use BAT to install or delete certificates, you must activate the Cisco Certificate Authority Proxy Function service.
Cisco strongly recommends that you install certificates during a scheduled maintenance window because generating certificates may cause call-processing interruptions.
Related Topics
• CAPF Configuration Checklist
• Activating the Certificate Authority Proxy Function Service
• Bulk Administration Tool User Guide
Generating a CAPF Report
In Cisco CallManager Administration, you can generate a CAPF report to view the certificate operation status, to view the authentication strings, or to view the authentication mode for listed devices. After you generate the CAPF report, you can view the report in a CSV file.
To generate a CAPF report, perform the following procedure:
Procedure
Step 1
In Cisco CallManager Administration, choose Device > Device Settings > CAPF Report.
Step 2
To find the devices that you want to display in the report, choose the criteria from the Find/List drop-down list boxes.
Step 3
Click Find.
A list of devices displays.
Step 4
To view the CAPF report in a CSV file, click the View the Report in File link in the upper, right corner of the window.
Step 5
If you want to do so, save the CSV file to a secure location and modify as needed.
Related Topics
• Certificate Authority Proxy Function Overview
• CAPF System Interactions and Requirements
• CAPF Configuration Checklist
• CAPF Settings in the Phone Configuration Window
• Entering the Authentication String on the Phone
Finding Phones by Choosing the LSC Status
For information on how to find and list phones by choosing the LSC Status, see the "Finding Phones for Authentication, Encryption, and LSC Status" section.
Related Topics
• CAPF Configuration Checklist
• Troubleshooting
Entering the Authentication String on the Phone
If you chose the By Authentication String mode and generated an authentication string in Cisco CallManager, you must enter the authentication string on the phone before the locally significant certificate installation occurs.
Tip
The phone user can perform the following procedure to install the certificate. The authentication string applies for one-time use only.
Before You Begin
• Verify that the CAPF certificate exists in the CTL file.
• Verify that the CAPF certificate exists in the certificate folder on the Cisco CallManager server; on the server, browse to C:\Program Files\Cisco\Certificates.
• Verify that you activated the Cisco Certificate Authority Proxy Function service, as described in "Activating the Certificate Authority Proxy Function Service" section.
• Verify that the publisher database server is functional and running. Ensure that the server runs for each certificate installation.
• Verify that a signed image exists on the phone; refer to the Cisco IP Phone administration documentation that supports your phone model.
• Obtain the authentication string that displays in the Phone Configuration window or in the CAPF Report window.
Procedure
Step 1
For the device, obtain the CAPF authentication string from the Phone Configuration window or the CAPF Report window.
Step 2
Verify that the device registers with Cisco CallManager.
Step 3
Verify that the device security mode equals Nonsecure.
Step 4
On nonsecure Cisco IP Phone models 7970, 7960, or 7940, press the Settings button.
Step 5
On the Settings menu, scroll to the Security Configuration option; press the Select softkey.
Tip
If the phone menu is locked, press **# to unlock the menu.
Step 6
Scroll to the LSC option; press the Update softkey.
Step 7
Enter the 4 to 10 digit authentication string for the phone and press Submit.
Tip
If you need to change the authentication string before you press Submit, press <<.
The phone installs, updates, deletes, or fetches the certificate, depending on the current CAPF configuration.
Monitor the progress of the certificate operation by viewing the messages that display on the phone. After you press Submit, the message, Pending, displays under the LSC option. The phone generates the public key and private key pair and displays the information on the phone. When the phone successfully completes the process, the phone displays a successful message. If the phone displays a failure message, you entered the wrong authentication string or did not enable the phone for upgrade; see the "Troubleshooting" section.
At any time, you can stop the process by choosing the Stop option.
You can verify that the certificate installed on the phone by choosing Settings > Model Information and viewing the LSC setting, which indicates Installed or Not Installed.
Related Topics
• CAPF Configuration Checklist
• CAPF Settings in the Phone Configuration Window
• Using CAPF with the Bulk Administration Tool
• Entering the Authentication String on the Phone
• Deleting the Locally Significant Certificate
• Cisco IP Phone Administration Guide for Cisco CallManager, Cisco IP Phone Models 7960G and 7940G