Introduction

    This document describes the procedure in order to retrieve certificates from a Cisco IP Phone when Cisco Authority Proxy Function (CAPF) service runs in Cisco Unified Communications Manager (CUCM) publisher.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • SSL Certificates in phone
    • CUCM administration
    • Command Line Interface (CLI) management in CUCM

    Components Used

    The information in this document is based on these software and hardware versions:

    • Cisco Unified Communications Manager (CUCM) version 11.5.1.11900-26
    • Cisco IP Phone 8811 -  sip88xx.12-5-1SR1-4

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    CAPF service must be active in CUCM publisher and CAPF certificate under Cisco Unified OS Adminsitration must be up-to-date.

    For Cisco IP Phones, there are two alternatives of certificates installed on them:

    • MIC (Manufacturer Installed Certificate)
    • MIC and LSC (Locally Significant Certificate)

    Phones are pre-installed with the MIC certificate and it cannot be deleted neither regenerated. Also, MIC cannot be used once the validity is expired. MICs are 2048-bit key certificates that are signed by the Cisco Certificate Authority.

    The LSC possesses the public key for the Cisco IP phone, which is signed by the CUCM CAPF private key. It is not installed on the phone by default and this certificate is required for the phone in order to operate in secure mode

    Configure

    Step 1. In CUCM, navigate to Cisco Unified CM Administration > Device > Phone.

    Step 2. Find and select the phone which certificates you want to retrieve from.

    Step 3. In the phone configuration page, navigate to Certification Authority Proxy Function (CAPF) Information section.

    Step 4. As shown in the image, apply these parameters:

    Certificate Operation: Troubleshoot

    Authentication Mode: By Null String

    Key Size (Bits): 1024

    Operation Completes By: Date in the future

    Step 5. Click on Save and Reset the phone.

    Step 6. Once that device is registered back in CUCM cluster, ensure in phone configuration page that troubleshoot operation has completed as shown in the image:

    Step 7. Open an SSH session for the CUCM Publisher server and run the command to list the certificates associated to the phone as shown in the image:

    file list activelog /cm/trace/capf/sdi/SEP<MAC_Address>*

    There are two options for the files to be listed:

    Only MIC: SEP<MAC_Address>-M1.cer

    MIC and LSC:SEP<MAC_Address>-M1.cer and SEP<MAC_Address>-L1.cer

    Step 8. In order to download the certificates, run this command: file get activelog /cm/trace/capf/sdi/SEP<MAC_Address>*

    An Secure File Transfer Protocol (SFTP) server is required to save the file as shown in the image

    Related Information