Cisco IP Phone Security Overview
The security features protect against several threats, including threats to the identity of the phone and to data. These features establish and maintain authenticated communication streams between the phone and the Cisco Unified Communications Manager server, and ensure that the phone uses only digitally signed files.
Cisco Unified Communications Manager Release 8.5(1) and later includes Security by Default, which provides the following security features for Cisco IP Phones without running the CTL client:
Signing of the phone configuration files
Phone configuration file encryption
HTTPS with Tomcat and other Web services
Secure signaling and media features still require you to run the CTL client and use hardware eTokens.
For more information about the security features, see the documentation for your particular Cisco Unified Communications Manager release.
A Locally Significant Certificate (LSC) installs on phones after you perform the necessary tasks that are associated with the Certificate Authority Proxy Function (CAPF). You can use Cisco Unified Communications Manager Administration to configure an LSC. For more information, see the documentation for your particular Cisco Unified Communications Manager release.
An LSC cannot be used as the user certificate for EAP-TLS with WLAN authentication.
Alternatively, you can initiate the installation of an LSC from the Security Setup menu on the phone. This menu also lets you update or remove an LSC.
The Cisco IP Conference Phone 8832 complies with the Federal Information Processing Standard (FIPS). To function correctly, FIPS mode requires an RSA key size of 2048 bits or greater. If the RSA server certificate is not 2048 bits or greater, the phone will not register with Cisco Unified Communications Manager, and the message "Phone failed to register. Cert key size is not FIPS compliant" displays in the phone's status messages.
You cannot use private keys (LSC or MIC) in FIPS mode.
If the phone has an existing LSC that is smaller than 2048 bits, you need to update the LSC key size to 2048 bits or greater before enabling FIPS.
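The key-size requirement above can be checked before FIPS mode is enabled. The following Python code is an added example, not Cisco code: it reads the RSA modulus size from a DER-encoded X.509 certificate and compares it with the 2048-bit minimum. The function names and the constructed sample certificates (unsigned skeletons with dummy moduli) are assumptions made for illustration.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)
MIN_BITS = 2048  # minimum RSA key size the page states for FIPS mode

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def children(buf, start, end):
    """List the elements nested inside a constructed value."""
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def rsa_bits(cert):
    """RSA modulus size in bits of a DER-encoded X.509 certificate."""
    _, s, e = read_tlv(cert, 0)                        # Certificate
    _, s, e = children(cert, s, e)[0]                  # tbsCertificate
    fields = [f for f in children(cert, s, e) if f[0] != 0xA0]  # drop optional [0] version
    alg, key = children(cert, *fields[5][1:])          # subjectPublicKeyInfo
    _, s, e = children(cert, *alg[1:])[0]              # algorithm OID
    if cert[s:e] != RSA_OID:
        raise ValueError("not an RSA key")
    _, s, e = read_tlv(cert, key[1] + 1)               # RSAPublicKey, after unused-bits byte
    _, s, e = children(cert, s, e)[0]                  # modulus INTEGER
    return int.from_bytes(cert[s:e], "big").bit_length()

def fips_key_ok(cert):
    return rsa_bits(cert) >= MIN_BITS

def _der(tag, body):  # minimal encoder, used only to build the constructed samples
    n, k = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body

def sample_cert(bits):
    """Constructed, unsigned certificate skeleton with a dummy modulus (not a real key)."""
    n = (1 << (bits - 1)) | 1
    rsa = _der(0x30, _der(0x02, b"\x00" + n.to_bytes(bits // 8, "big")) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b"")) + _der(0x03, b"\x00" + rsa))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") * 4 + spki)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
```

The functions expect DER input; a PEM certificate can be converted first with `openssl x509 -in cert.pem -outform DER -out cert.der`.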