This document describes the step-by-step procedure to move an IP phone
in secure mode from a source Cisco Unified Communications Manager (CUCM) cluster
to a destination CUCM cluster without any manual manipulation of the
Certificate Trust List (CTL) file installed on the phone.
Note: This procedure is independent of the signaling protocol used by the
phone. It is assumed that the signaling protocol in the source and destination
clusters remains the same for a given IP phone model. The Cisco 7940/7960
models are excluded, because they have no built-in MIC and therefore require
the end user to enter an authentication string.
There are no specific requirements for this document.
The information in this document is based on Cisco Unified
Communications Manager 7.x.
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
All servers in the CUCM cluster generate self-signed certificates. The
phones get their own certificates, which are of two types:
Manufacturing Installed Certificate (MIC), installed by Cisco when the phone is manufactured
Locally Significant Certificate (LSC), issued by the Certificate Authority Proxy Function (CAPF)
The CTL is the list of the self-signed certificates of all the servers in
the CUCM cluster that the phone can trust. The CTL is stored on the TFTP
server and sent to the IP phones.
The device, file, and signaling authentication rely on the creation of
the CTL file, which is created when you install and configure the Cisco CTL
Client on a single Windows workstation or server that has a USB port.
The CTL file contains a server certificate, public key, serial number,
signature, issuer name, subject name, server function, DNS name, and IP address
for each server. When you configure a firewall in the CTL file, you can secure
a Cisco ASA Firewall as part of a secure Cisco Unified Communications Manager
system. The Cisco CTL Client displays the firewall certificate as a
CCM certificate. Cisco Unified Communications Manager
Administration uses an eToken to authenticate the TLS connection between the
Cisco CTL Client and Cisco CTL Provider.
On CUCM version 8.x and later, the IP phones request a CTL file by
default even if one has not been created. The CTL file is not considered
essential; it is part of the security features that come with CUCM 8.x.
Refer to the Cisco CTL Client documentation for more information.
How to Secure the IP Phone
For the phone to accept the CTL file from another cluster without
first deleting the existing one, each cluster's CTL file must be signed by the
same shared set of eTokens: the phone validates a newly downloaded CTL file
against the signer certificates in the CTL it already has, so a CTL signed by
an eToken it does not know is rejected. In other words, create a CTL file for
every cluster and sign them all with the same eTokens. Additionally, for the
phones to trust the centralized TFTP servers, you also have to add the
centralized TFTP servers to each cluster's CTL file.
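The trust rule above is what makes the move work, so here is an added Go model of it (example code written for this page, not Cisco software, and not the CTL's real on-disk format): two eTokens, CTL files for a source and a destination cluster, and the phone's acceptance check for a newly downloaded CTL. The names EToken, BuildCTL, Phone.Install and TrustsTFTP, the record roles TFTP and SAST, the JSON-encoded payload and the in-memory ECDSA P-256 key standing in for the eToken's RSA key are all assumptions of the example; the cluster names and the TFTP server key are constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"fmt"
)

// EToken stands in for one CTL Client security token: a signing key whose public key (PKIX DER,
// not a full certificate) appears as a SAST record in every CTL it signs. Real eTokens hold an
// RSA key on USB hardware; an in-memory P-256 key is assumed here.
type EToken struct {
	Name string
	Pub  []byte
	key  *ecdsa.PrivateKey
}

func NewEToken(name string) (*EToken, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, _ := x509.MarshalPKIXPublicKey(&k.PublicKey) // cannot fail for a P-256 key
	return &EToken{Name: name, Pub: der, key: k}, nil
}

// Entry is one CTL record; the role labels "TFTP" (TFTP server) and "SAST" (signing token) are assumed.
type Entry struct{ Role, Name string; PubKey []byte }

// CTL is the signed trust list of one cluster.
type CTL struct {
	Cluster string
	Entries []Entry
	Signer  []byte // Pub of the eToken that signed the file
	Sig     []byte // ECDSA signature over SHA-256 of the JSON payload
}

func (c *CTL) digest() []byte {
	payload, _ := json.Marshal([]interface{}{c.Cluster, c.Entries})
	sum := sha256.Sum256(payload)
	return sum[:]
}
func (c *CTL) hasKey(role string, pub []byte) bool {
	for _, e := range c.Entries {
		if e.Role == role && string(e.PubKey) == string(pub) {
			return true
		}
	}
	return false
}

// BuildCTL lists the servers plus a SAST record per shared token and signs with signer (one of tokens).
func BuildCTL(cluster string, servers []Entry, tokens []*EToken, signer *EToken) (*CTL, error) {
	ctl := &CTL{Cluster: cluster, Entries: append([]Entry(nil), servers...), Signer: signer.Pub}
	for _, t := range tokens {
		ctl.Entries = append(ctl.Entries, Entry{Role: "SAST", Name: t.Name, PubKey: t.Pub})
	}
	var err error
	ctl.Sig, err = ecdsa.SignASN1(rand.Reader, signer.key, ctl.digest())
	return ctl, err
}

// Verify checks that the signer is one of the file's own SAST records and that the signature is valid.
func (c *CTL) Verify() error {
	if !c.hasKey("SAST", c.Signer) {
		return fmt.Errorf("signer is not a SAST record of the %q CTL", c.Cluster)
	}
	pubAny, _ := x509.ParsePKIXPublicKey(c.Signer) // nil on parse error, so the assertion below fails
	if pub, ok := pubAny.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, c.digest(), c.Sig) {
		return fmt.Errorf("signature on the %q CTL does not verify", c.Cluster)
	}
	return nil
}

type Phone struct{ Installed *CTL } // the CTL currently installed on the handset

// Install applies the phone's rule: with no CTL installed, any validly signed file is accepted;
// afterwards a replacement is accepted only if its signer is a SAST record of the installed CTL.
// Anything else means the CTL has to be deleted on the phone by hand.
func (p *Phone) Install(ctl *CTL) error {
	if err := ctl.Verify(); err != nil {
		return err
	}
	if p.Installed != nil && !p.Installed.hasKey("SAST", ctl.Signer) {
		return fmt.Errorf("%q CTL is signed by a token unknown to the installed CTL", ctl.Cluster)
	}
	p.Installed = ctl
	return nil
}

// TrustsTFTP is true only if the server's key is in the installed CTL, which is why a centralized
// TFTP server has to be added to every cluster's CTL.
func (p *Phone) TrustsTFTP(pub []byte) bool {
	return p.Installed != nil && p.Installed.hasKey("TFTP", pub)
}

func main() {
	shared, _ := NewEToken("eToken-shared")
	other, _ := NewEToken("eToken-other")
	central := Entry{Role: "TFTP", Name: "central-tftp", PubKey: []byte("constructed-tftp-key")}
	src, _ := BuildCTL("source", []Entry{central}, []*EToken{shared}, shared)
	good, _ := BuildCTL("dest", []Entry{central}, []*EToken{shared}, shared)
	bad, _ := BuildCTL("dest", nil, []*EToken{other}, other)
	phone := &Phone{}
	fmt.Println("install source CTL:", phone.Install(src))
	fmt.Println("move with shared eToken:", phone.Install(good), "| trusts central TFTP:", phone.TrustsTFTP(central.PubKey))
	fmt.Println("move with other eToken:", phone.Install(bad))
}
```

The first install and the move to a destination CTL signed by the shared eToken both succeed, and the centralized TFTP server is trusted because it is listed in the destination CTL; the destination CTL signed by a different eToken is rejected, which is exactly the case where the CTL would otherwise have to be deleted on the phone by hand.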
Complete these steps in order to configure the security properties for
an IP phone.
Configure the Device Security Profile. If a suitable Device Security
Profile does not exist in the drop-down list on the IP phone configuration
page, leave it at the default, Standard Non-Secure.
Configure the Certificate Authority Proxy Function (CAPF)
information so that the IP phone gets a new LSC signed by the destination CUCM.
This is done on the phone configuration page of CUCM. Choose the
values from the drop-down menus as shown and then click
Configure the newly created Device Security Profile.
Choose System > Security Profile > Phone Security Profile.
Choose the phone type and enter the details.
Now save the configuration as shown.
On the IP Phone configuration page, double-check that the proper
Device Security Mode is configured.
Restart the IP Phone.
The phone should now download a new CTL file from the destination
cluster and get an LSC signed by the destination CUCM.
The phone runs with the Security Mode configured in the Device Security Profile.