PDF(209.5 KB) View with Adobe Reader on a variety of devices
ePub(283.7 KB) View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle)(215.4 KB) View on Kindle device or Kindle app on multiple devices
Updated:August 8, 2019
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes the procedure in order to retrieve certificates from a Cisco IP Phone when Cisco Authority Proxy Function (CAPF) service runs in Cisco Unified Communications Manager (CUCM) publisher.
Cisco recommends that you have knowledge of these topics:
SSL Certificates in phone
Command Line Interface (CLI) management in CUCM
The information in this document is based on these software and hardware versions:
Cisco Unified Communications Manager (CUCM) version 188.8.131.5200-26
Cisco IP Phone 8811 - sip88xx.12-5-1SR1-4
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
CAPF service must be active in CUCM publisher and CAPF certificate under Cisco Unified OS Adminsitration must be up-to-date.
For Cisco IP Phones, there are two alternatives of certificates installed on them:
MIC (Manufacturer Installed Certificate)
MIC and LSC (Locally Significant Certificate)
Phones are pre-installed with the MIC certificate and it cannot be deleted neither regenerated. Also, MIC cannot be used once the validity is expired. MICs are 2048-bit key certificates that are signed by the Cisco Certificate Authority.
The LSC possesses the public key for the Cisco IP phone, which is signed by the CUCM CAPF private key. It is not installed on the phone by default and this certificate is required for the phone in order to operate in secure mode
Step 1. In CUCM, navigate to Cisco Unified CM Administration > Device > Phone.
Step 2. Find and select the phone which certificates you want to retrieve from.
Step 3. In the phone configuration page, navigate to Certification Authority Proxy Function (CAPF) Information section.
Step 4. As shown in the image, apply these parameters:
Certificate Operation: Troubleshoot
Authentication Mode: By Null String
Key Size (Bits): 1024
Operation Completes By: Date in the future
Step 5. Click on Save and Reset the phone.
Step 6. Once that device is registered back in CUCM cluster, ensure in phone configuration page that troubleshoot operation has completed as shown in the image:
Step 7. Open an SSH session for the CUCM Publisher server and run the command to list the certificates associated to the phone as shown in the image:
file list activelog /cm/trace/capf/sdi/SEP<MAC_Address>*
There are two options for the files to be listed:
Only MIC: SEP<MAC_Address>-M1.cer
MIC and LSC:SEP<MAC_Address>-M1.cer and SEP<MAC_Address>-L1.cer
Step 8. In order to download the certificates, run this command: file get activelog /cm/trace/capf/sdi/SEP<MAC_Address>*
An Secure File Transfer Protocol (SFTP) server is required to save the file as shown in the image