This document describes the procedure in order to retrieve certificates from a Cisco IP Phone when Cisco Authority Proxy Function (CAPF) service runs in Cisco Unified Communications Manager (CUCM) publisher.
Cisco recommends that you have knowledge of these topics:
SSL Certificates in phone
Command Line Interface (CLI) management in CUCM
The information in this document is based on these software and hardware versions:
Cisco Unified Communications Manager (CUCM) version 126.96.36.19900-26
Cisco IP Phone 8811 - sip88xx.12-5-1SR1-4
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
CAPF service must be active in CUCM publisher and CAPF certificate under Cisco Unified OS Adminsitration must be up-to-date.
For Cisco IP Phones, there are two alternatives of certificates installed on them:
MIC (Manufacturer Installed Certificate)
MIC and LSC (Locally Significant Certificate)
Phones are pre-installed with the MIC certificate and it cannot be deleted neither regenerated. Also, MIC cannot be used once the validity is expired. MICs are 2048-bit key certificates that are signed by the Cisco Certificate Authority.
The LSC possesses the public key for the Cisco IP phone, which is signed by the CUCM CAPF private key. It is not installed on the phone by default and this certificate is required for the phone in order to operate in secure mode
Step 1. In CUCM, navigate to Cisco Unified CM Administration > Device > Phone.
Step 2. Find and select the phone which certificates you want to retrieve from.
Step 3. In the phone configuration page, navigate to Certification Authority Proxy Function (CAPF) Information section.
Step 4. As shown in the image, apply these parameters:
Certificate Operation: Troubleshoot
Authentication Mode: By Null String
Key Size (Bits): 1024
Operation Completes By: Date in the future
Step 5. Click on Save and Reset the phone.
Step 6. Once that device is registered back in CUCM cluster, ensure in phone configuration page that troubleshoot operation has completed as shown in the image:
Step 7. Open an SSH session for the CUCM Publisher server and run the command to list the certificates associated to the phone as shown in the image:
file list activelog /cm/trace/capf/sdi/SEP<MAC_Address>*
There are two options for the files to be listed:
Only MIC: SEP<MAC_Address>-M1.cer
MIC and LSC:SEP<MAC_Address>-M1.cer and SEP<MAC_Address>-L1.cer
Step 8. In order to download the certificates, run this command: file get activelog /cm/trace/capf/sdi/SEP<MAC_Address>*
An Secure File Transfer Protocol (SFTP) server is required to save the file as shown in the image