安全Cisco Unified CME与第3方证书配置示例

下载选项

  • PDF     (176.0 KB)
    在各种设备上使用 Adobe Reader 查看
  • ePub     (88.6 KB)
    在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上使用各种应用查看
  • Mobi (Kindle)     (79.1 KB)
    在 Kindle 设备上查看或在多个设备上使用 Kindle 应用查看
已更新: 2013 年 4 月 15 日
文档 ID:116051

非歧视性语言

此产品的文档集力求使用非歧视性语言。在本文档集中,非歧视性语言是指不隐含针对年龄、残障、性别、种族身份、族群身份、性取向、社会经济地位和交叉性的歧视的语言。由于产品软件的用户界面中使用的硬编码语言、基于 RFP 文档使用的语言或引用的第三方产品使用的语言,文档中可能无法确保完全使用非歧视性语言。 深入了解思科如何使用包容性语言。

关于此翻译

思科采用人工翻译与机器翻译相结合的方式将此文档翻译成不同语言,希望全球的用户都能通过各自的语言得到支持性的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 Cisco Systems, Inc. 对于翻译的准确性不承担任何责任,并建议您总是参考英文原始文档(已提供链接)。

简介

许多网络管理员选择实施Cisco Unified Communications Manager Express(CME),并提供安全性。网络管理员可以选择将安全CME与其现有的公钥基础设施(PKI)基础设施集成,而不是内置IOS证书颁发机构(IOS-CA)。本文档介绍如何配置Secure CME以通过第三方证书使用安全信令和介质运行。

先决条件

要求

本文档假设您环境中的Cisco Unified Communications Manager Express(CME)正在运行且功能完全正常。 必须在安全Cisco Unified CME上运行的所有电话都需要能够首先成功注册到CME。有关如何配置CME的信息,请参阅Cisco Unified Communications Manager Express系统管理员指南。

本文档还假设已启用语音和安全功能。

使用的组件

本文档中的信息基于Cisco Unified Communications Manager Express(CME)。

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。 

规则

有关文档规则的信息,请参阅 Cisco 技术提示规则。 

配置

注意:要获取有关本部分中所使用命令的更多信息,可使用命令查找工具(仅限已注册客户)。  

总结配置步骤

  1. 创建IOS-CA实例。
  2. 创建信任点以保存第三方CA证书。
  3. 从信任点生成证书签名请求(CSR)。
  4. 使用服务器身份验证签署CSR,并获得CA认证。
  5. 使用CA证书对信任点进行身份验证,并导入相应的身份证书。
  6. 验证第三方证书信任点。
  7. 创建IOS CA CME信任点。
  8. 配置证书信任列表(CTL)客户端。
  9. 配置证书颁发机构代理功能(CAPF)服务器。
  10. 配置电话服务。
  11. 配置测试电话。
  12. 验证.

详细配置示例

  1. 创建IOS-CA实例。IOS-CA实例生成用于签署电话的本地有效证书(LSC)的自签名证书。
    crypto key gen rsa label ios-ca mod 2048
    The name for the keys will be: ios-ca
    % The key modulus size is 2048 bits
    % Generating 2048 bit RSA keys, keys will be non-exportable...
    [OK] (elapsed time was 17 seconds)
     
    crypto pki server ios-ca
    database level complete
    grant auto
    lifetime cert 7305
    exit
    ip http server 
    crypto pki trust ios-ca
    enrollment url http://10.2.3.4:80
    revo none
    rsakey ios-ca
    exit
    crypto pki server ios-ca
    no shut
    %Some server settings cannot be changed after CA certificate generation.
    % Please enter a passphrase to protect the private key
    % or type Return to exit
    Password: Cisco123
    Re-enter password: Cisco123
    % Certificate Server enabled.
    exit
  2. 创建将生成用于第三方签名的CSR的信任点。这些信任点最终会持有作为CSR结果的第三方CA证书和身份证书。

    crypto key generate rsa label tac-sast mod 2048
    The name for the keys will be: tac-sast
    % The key modulus size is 2048 bits
    % Generating 2048 bit RSA keys, keys will be non-exportable...
    [OK] (elapsed time was 52 seconds)
     
    crypto pki trust tac-sast
    enroll term
    serial-number none
    fqdn none
    ip-address none
    subject-name CN=tac-sast
    revo none
    rsakeypair tac-sast
    exit
  3. 从信任点生成CSR。crypto pki enroll 命令生成提供给第三方CA进行签名的CSR。 

    示例 1:
    crypto pki enroll tac-sast
    % Start certificate enrollment ..
    % The subject name in the certificate will include: CN=tac-sast
    % The fully-qualified domain name will not be included in the certificate
    Display Certificate Request to terminal? [yes/no]: yes
    Certificate Request follows:
    MIICfjCCAWYCAQAwGDEWMBQGA1UEAxMNam9jYXNhbGUtc2FzdDCCASIwDQYJKoZI
    hvcNAQEBBQADggEPADCCAQoCggEBALLIyM0k5DmgWy1jILHy+eaoJTU+OioaTfFO
    V7SdNOfjoXCRpqCZwFavR82/Wukoho9HUXB7/oEQV6D2UoyHRhl1mzHv5AxuJuE1
    0Qk9YHpBzLAcNEvRWvnyVnMaBSc6Fy9j7oabAUuOoWveK8NrsoR38WH2gIY3kUaM
    8swgaomqlAj8LbmYE/PQdtfxOEneIF1FHHXj4R72dqkCaiBz7fcO9sdxfRqi8jEf
    UbndH9yZit912wX14nxC2Wa2S3O/p6vXEwKfQMGZe4nO7SJPtJ/vNHx/HNCkJxHV
    H1V0JH7Afffffffffffffffffffffffffffffffffffffffffffffffffffff
    fffffffffffffffffffffffffffffffffEAAaAhMB8G
    CSqGSIb3DQEJDjESMBAwDgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3DQEBBAUAA4IB
    AQB++utK7EpeGYYyPfNALsXkPcbu+2kwi/TI+B2kT3ol/dxyX6hNh0jp3eOTQtSl
    H7jRey4ew9GZVTeqq7cxwz1f7d6ZP4BRqzp1f0HVvu7HC+bAR0jB2FNvVaN27zYu
    XSP/GIaUiQDTbaEyDgGr8s5PlFSS2Ap4FvxsskjD/30geszhRs+N3cYfQVpnWjnq
    TwbMF4998BXmlPIQigJBInACY2SUszqcDih7Nc1Y6viYaSiN0ZCuzEyKI2tjbwUU
    EU/o0fcWMXsnBc44WQBAEpTBSLYFVb4kGl9AgAyOW7q9ACiBTpmul1kwuDyTPg5X
    fCIWUjVfTWoHizqxKSbLQ2nL
    ---End - This line not part of the certificate request---
    Redisplay enrollment request? [yes/no]: no

    示例 2:

    crypto pki enroll tac-sast
    % Start certificate enrollment ..
    % The subject name in the certificate will include: CN=tac-sast
    % The fully-qualified domain name will not be included in the certificate
    Display Certificate Request to terminal? [yes/no]: yes
    Certificate Request follows:
    MIICfjCCAWYCAQAwGDEWMBQGA1UEAxMNam9jYXNhbGUtc2FzdDCCASIwDQYJKoZI
    hvcNAQEBBQADggEPADCCAQoCggEBALLIyM0k5DmgWy1jILHy+eaoJTU+OioaTfFO
    V7SdNOfjoXCRpqCZwFavR82/Wukoho9HUXB7/oEQV6D2UoyHRhl1mzHv5AxuJuE1
    0Qk9YHpBzLAcNEvRWvnyVnMaBSc6Fy9j7oabAUuOoWveK8NrsoR38WH2gIY3kUaM
    8swgaomqlAj8LbmYE/PQdtfxOEneIF1FHHXj4R72dqkCaiBz7fcO9sdxfRqi8jEf
    UbndH9ffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    fffffffffffffffffffffffffffffffffHNCkJxHV
    H1V0JH7AwWLdnUgEWGoSFOL5j/lwIHmemUDpSuL9IY+9EP622E0CAwEAAaAhMB8G
    CSqGSIb3DQEJDjESMBAwDgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3DQEBBAUAA4IB
    AQB++utK7EpeGYYyPfNALsXkPcbu+2kwi/TI+B2kT3ol/dxyX6hNh0jp3eOTQtSl
    H7jRey4ew9GZVTeqq7cxwz1f7d6ZP4BRqzp1f0HVvu7HC+bAR0jB2FNvVaN27zYu
    XSP/GIaUiQDTbaEyDgGr8s5PlFSS2Ap4FvxsskjD/30geszhRs+N3cYfQVpnWjnq
    TwbMF4998BXmlPIQigJBInACY2SUszqcDih7Nc1Y6viYaSiN0ZCuzEyKI2tjbwUU
    EU/o0fcWMXsnBc44WQBAEpTBSLYFVb4kGl9AgAyOW7q9ACiBTpmul1kwuDyTPg5X
    fCIWUjVfTWoHizqxKSbLQ2nL
    ---End - This line not part of the certificate request---
    Redisplay enrollment request? [yes/no]: no
  4. 使用两个CSR以生成具有服务器身份验证权限的证书。
    注意:
    • 必须从CA为其中一个证书获取完整的证书链。证书链从签名CA提供CA和身份证书。
    • 确保证书以基64格式下载。
    • CA证书用于每个信任点的身份验证,并且身份证书按此顺序导入到每个信任点中,这一点非常重要。
  5. 使用CA证书对信任点进行身份验证,并导入SAST身份证书。

    示例 1:
    crypto pki auth tac-sast
    Enter the base 64 encoded CA certificate.
    End with a blank line or the word "quit" on a line by itself
    -----BEGIN CERTIFICATE-----
    MIIFQTCCBCmgAwIBAgIQUt2XjpaAwaJIEkcOebj7AjANBgkqhkiG9w0BAQUFADBs
    MRMwEQYKCZImiZPyLGQBGRYDY29tMRUwEwYKCZImiZPyLGQBGRYFY2lzY28xIjAg
    BgoJkiaJk/IsZAEZFhJqeW91bmd0YS1sYWJkb21haW4xGjAYBgNVBAMTEWp5b3Vu
    Z3RhLWNhc2VydmVyMB4XDTEyMDgxMzE1NTczM1oXDTE3MDgxNDE2MDY0M1owbDET
    MBEGCgmSJomT8ixkARkWA2NvbTEVMBMGCgmSJomT8ixkARkWBWNpc2NvMSIwIAYK
    CZImiZPyLGQBGRYSanlvdW5ndGEtbGFiZG9tYWluMRowGAYDVQQDExFqeW91bmd0
    YS1jYXNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ2Cxwm6
    uX3/t3Ip9A5OnbKS1IL4MaTCVzev7tlZbusWLQcfJwOhjFNxJJpgY2yE8CjBsL4H
    eryNvcvUFeA90kXbEncl1uoI7t1JEf5ifQBopqGO54E0t1YUHrcT5LgXdBU839yp
    lNm9VtFfffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffo45wsFTRpp8
    DC7nGuW0erm2/ISnfoNs/mUmfWbmoAbJjIrU+RHaQ7RrcXPWB3mEqC40eQtYJFZl
    tRE7DNwPriVBTpWCV+wo94DkHtn8/nc3FOWD0RIjU7Y66jG+umWSeqJh0xdZBak2
    +L9A6ZwCxyeuzg0CAwEAAaOCAd0wggHZMBMGCSsGAQQBgjcUAgQGHgQAQwBBMAsG
    A1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSy5dc14lYuF1hq
    yYnbrQAHPsISWzCCAUoGA1UdHwSCAUEwggE9MIIBOaCCATWgggExhoHWbGRhcDov
    Ly9DTj1qeW91bmd0YS1jYXNlcnZlcixDTj1qeW91bmd0YS1jYXNlcnZlcixDTj1D
    RFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29u
    ZmlndXJhdGlvbixEQz1qeW91bmd0YS1sYWJkb21haW4sREM9Y2lzY28sREM9Y29t
    P2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxE
    aXN0cmlifffffffffffffffffffffffffffffffffffffffffffffffffffffff
    fffffffffffffffffffffffffffffffyLmp5b3Vu
    Z3RhLWxhYmRvbWFpbi5jaXNjby5jb20vQ2VydEVucm9sbC9qeW91bmd0YS1jYXNl
    cnZlci5jcmwwEgYJKwYBBAGCNxUBBAUCAwEAATAjBgkrBgEEAYI3FQIEFgQUWjZQ
    /W2X5GoSeibbuvAKHH8/97MwDQYJKoZIhvcNAQEFBQADggEBAI8nivQcicltdXnt
    X30+QO+FKK0Cu6WWFIozqKE0eeSJ0C3fPv88jjkae4+YjF/gK2wPt/mezWeQm0MO
    S4m0LHnMMZGU7ezAHTd+yh5oWI2Q2iBFnslvSIUboJZazNkDEFm7Dl8gDKajEvE/
    JUNtebgOJPJUXvV/v0Rpry1Nckxrn3tsiCF62acgAZke1hSrscoeqzkygk8vIr1K
    lv9W2Vy2TPa6i8ZWG8at36jAsNAk5HJUEl7mFyirMIJcc+diZ12WPoRqrQ+CE7ZL
    Mw+ydSS5x0XvFqily0VE649TsvtKCOMkJjbLLX8wZp9SU2AgXutHr3CdlrVlaElC
    ZW4J3cQ=
    -----END CERTIFICATE-----
    quit
    Certificate has the following attributes:
    Fingerprint MD5: C198A185 83575520 EBE6E03D 33BA9B2C 
    Fingerprint SHA1: B0A9668D 42D36311 E82B0A33 480127B5 BEB02B60
    % Do you accept this certificate? [yes/no]: yes
    Trustpoint CA certificate accepted.
    % Certificate successfully imported
     
     
    crypto pki import tac-sast cert
    % The fully-qualified domain name will not be included in the certificate
    Enter the base 64 encoded certificate.
    End with a blank line or the word "quit" on a line by itself
    -----BEGIN CERTIFICATE-----
    MIIGpzCCBY+gAwIBAgIKGdhyPgABAAABpDANBgkqhkiG9w0BAQUFADBsMRMwEQYK
    CZImiZPyLGQBGRYDY29tMRUwEwYKCZImiZPyLGQBGRYFY2lzY28xIjAgBgoJkiaJ
    k/IsZAEZFhJqeW91bmd0YS1sYWJkb21haW4xGjAYBgNVBAMTEWp5b3VuZ3RhLWNh
    c2VydmVyMB4XDTEyMDgyOTEzMzIyOVoXDTE0MDgyOTEzMzIyOVowGDEWMBQGA1UE
    AxMNam9jYXNhbGUtc2FzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    ALLIyM0k5DmgWy1jILHy+eaoJTU+OioaTfFOV7SdNOfjoXCRpqCZwFavR82/Wuko
    ho9HUXB7/oEQV6D2UoyHRhl1mzHv5AxuJuE10Qk9YHpBzLAcNEvRWvnyVnMaBSc6
    Fy9j7oabAUuOoWveK8NrsoR38WH2gIY3kUaM8swgaomqlAj8LbmYE/PQdtfxOEne
    IF1FHHXj4fffffffffffffffffffffffffffffffffffffffffffffffffffffff
    fffffffffffffffffffffffffWa2S3O/
    p6vXEwKfQMGZe4nO7SJPtJ/vNHx/HNCkJxHVH1V0JH7AwWLdnUgEWGoSFOL5j/lw
    IHmemUDpSuL9IY+9EP622E0CAwEAAaOCA50wggOZMA4GA1UdDwEB/wQEAwIFoDAd
    BgNVHQ4EFgQUtP6NbC/kpe3uSa2oeZy9rTDGMHAwHwYDVR0jBBgwFoAUsuXXNeJW
    LhdYasmJ260ABz7CElswggGYBgNVHR8EggGPMIIBizCCAYegggGDoIIBf4aB2Wxk
    YXA6Ly8vQ049anlvdW5ndGEtY2FzZXJ2ZXIoMSksQ049anlvdW5ndGEtY2FzZXJ2
    ZXIsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2Vz
    LENOPUNvbmZpZ3VyYXRpb24sREM9anlvdW5ndGEtbGFiZG9tYWluLERDPWNpc2Nv
    LERDPWNvbT9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xh
    c3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnSGWWh0dHA6Ly9qeW91bmd0YS1jYXNlcnZl
    ci5qeW91bmd0YS1sYWJkb21haW4uY2lzY28uY29tL0NlcnRFbnJvbGwvanlvdW5n
    dGEtY2FzZXJ2ZXIoMSkuY3JshkZodHRwOi8vanlvdW5ndGEtY2FzZXJ2ZXIuY2lz
    Y28uY29tL0NlcnRFbnJvbGwvanlvdW5ndGEtY2FzZXJ2ZXIoMSkuY3JsMIIBcQYI
    KwYBBQUHAQEEggFjMIIBXzCBxAYIKwYBBQUHMAKGgbdsZGFwOi8vL0NOPWp5b3Vu
    Z3RhLWNhc2VydmVyLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxD
    Tj1TZXJ2aWffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffLWxhYmRvbWFp
    bixEQz1jaXNjbyxEQz1jb20/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNz
    PWNlcnRpZmljYXRpb25BdXRob3JpdHkwgZUGCCsGAQUFBzAChoGIaHR0cDovL2p5
    b3VuZ3RhLWNhc2VydmVyLmp5b3VuZ3RhLWxhYmRvbWFpbi5jaXNjby5jb20vQ2Vy
    dEVucm9sbC9qeW91bmd0YS1jYXNlcnZlci5qeW91bmd0YS1sYWJkb21haW4uY2lz
    Y28uY29tX2p5b3VuZ3RhLWNhc2VydmVyKDEpLmNydDAhBgkrBgEEAYI3FAIEFB4S
    AFcAZQBiAFMAZQByAHYAZQByMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3
    DQEBBQUAA4IBAQCayeYa7pauRGAgGPHmAHQt6iiqBsS+uVwArgO1u0HEjs4EkPm8
    xQZNexVBOmGyzTwlwjpD8jTDIO1AEWP67b/gB2xViktVqvaVfKfMR+3cxODoTUNJ
    DbMKR7tOyLrfv+7hNVcsKlAo+XpohVKdP4XOPXeEquYrTmzInsB55PtMxJ7qnYU6
    29kJUZdVQZUjZSy4dVhtVYVO9Gmj5XIkzUneS4QC7N/3CXGZQilH11PzulUvAAFh
    h2o6c7QgKtHGxOwrkXuPl6+GN4mV+uFXh1B5DTEXG7/yJNNE2yNN+Flb05yLcyEA
    Y0p/cksKkNhpRDh+YNT1uHa0AjY8fa1AJqpp
    -----END CERTIFICATE-----
    quit
    % Router Certificate successfully imported


    示例 2:

    crypto pki auth tac-cme
    Enter the base 64 encoded CA certificate.
    End with a blank line or the word "quit" on a line by itself
    -----BEGIN CERTIFICATE-----
    MIIFQTCCBCmgAwIBAgIQUt2XjpaAwaJIEkcOebj7AjANBgkqhkiG9w0BAQUFADBs
    MRMwEQYKCZImiZPyLGQBGRYDY29tMRUwEwYKCZImiZPyLGQBGRYFY2lzY28xIjAg
    BgoJkiaJk/IsZAEZFhJqeW91bmd0YS1sYWJkb21haW4xGjAYBgNVBAMTEWp5b3Vu
    Z3RhLWNhc2VydmVyMB4XDTEyMDgxMzE1NTczM1oXDTE3MDgxNDE2MDY0M1owbDET
    MBEGCgmSJomT8ixkARkWA2NvbTEVMBMGCgmSJomT8ixkARkWBWNpc2NvMSIwIAYK
    CZImiZPyLGQBGRYSanlvdW5ndGEtbGFiZG9tYWluMRowGAYDVQQDExFqeW91bmd0
    YS1jYXNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ2Cxwm6
    uX3/t3Ip9A5OnbKS1IL4MaTCVzev7tlZbusWLQcfJwOhjFNxJJpgY2yE8CjBsL4H
    eryNvcvUFfffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffU839yp
    lNm9VtF+MXC0L7dIpu1XRT7/lJgLDAI5alZg5wW6zC9xrgNS88cR1o45wsFTRpp8
    DC7nGuW0erm2/ISnfoNs/mUmfWbmoAbJjIrU+RHaQ7RrcXPWB3mEqC40eQtYJFZl
    tRE7DNwPriVBTpWCV+wo94DkHtn8/nc3FOWD0RIjU7Y66jG+umWSeqJh0xdZBak2
    +L9A6ZwCxyeuzg0CAwEAAaOCAd0wggHZMBMGCSsGAQQBgjcUAgQGHgQAQwBBMAsG
    A1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSy5dc14lYuF1hq
    yYnbrQAHPsISWzCCAUoGA1UdHwSCAUEwggE9MIIBOaCCATWgggExhoHWbGRhcDov
    Ly9DTj1qeW91bmd0YS1jYXNlcnZlcixDTj1qeW91bmd0YS1jYXNlcnZlcixDTj1D
    RFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29u
    ZmlndXJhdGlvbixEQz1qeW91bmd0YS1sYWJkb21haW4sREM9Y2lzY28sREM9Y29t
    P2NlcnRpZmffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffjUkxE
    aXN0cmlidXRpb25Qb2ludIZWaHR0cDovL2p5b3VuZ3RhLWNhc2VydmVyLmp5b3Vu
    Z3RhLWxhYmRvbWFpbi5jaXNjby5jb20vQ2VydEVucm9sbC9qeW91bmd0YS1jYXNl
    cnZlci5jcmwwEgYJKwYBBAGCNxUBBAUCAwEAATAjBgkrBgEEAYI3FQIEFgQUWjZQ
    /W2X5GoSeibbuvAKHH8/97MwDQYJKoZIhvcNAQEFBQADggEBAI8nivQcicltdXnt
    X30+QO+FKK0Cu6WWFIozqKE0eeSJ0C3fPv88jjkae4+YjF/gK2wPt/mezWeQm0MO
    S4m0LHnMMZGU7ezAHTd+yh5oWI2Q2iBFnslvSIUboJZazNkDEFm7Dl8gDKajEvE/
    JUNtebgOJPJUXvV/v0Rpry1Nckxrn3tsiCF62acgAZke1hSrscoeqzkygk8vIr1K
    lv9W2Vy2TPa6i8ZWG8at36jAsNAk5HJUEl7mFyirMIJcc+diZ12WPoRqrQ+CE7ZL
    Mw+ydSS5x0XvFqily0VE649TsvtKCOMkJjbLLX8wZp9SU2AgXutHr3CdlrVlaElC
    ZW4J3cQ=
    -----END CERTIFICATE-----
    quit
    Certificate has the following attributes:
    Fingerprint MD5: C198A185 83575520 EBE6E03D 33BA9B2C 
    Fingerprint SHA1: B0A9668D 42D36311 E82B0A33 480127B5 BEB02B60
    % Do you accept this certificate? [yes/no]: yes
    Trustpoint CA certificate accepted.
    % Certificate successfully imported
     
    crypto pki import tac-cme cert
    % The fully-qualified domain name will not be included in the certificate
    Enter the base 64 encoded certificate.
    End with a blank line or the word "quit" on a line by itself
    -----BEGIN CERTIFICATE-----
    MIIGpjCCBY6gAwIBAgIKGdmLjgABAAABpTANBgkqhkiG9w0BAQUFADBsMRMwEQYK
    CZImiZPyLGQBGRYDY29tMRUwEwYKCZImiZPyLGQBGRYFY2lzY28xIjAgBgoJkiaJ
    k/IsZAEZFhJqeW91bmd0YS1sYWJkb21haW4xGjAYBgNVBAMTEWp5b3VuZ3RhLWNh
    c2VydmVyMB4XDTEyMDgyOTEzMzM0MVoXDTE0MDgyOTEzMzM0MVowFzEVMBMGA1UE
    AxMMam9jYXNhbGUtY21lMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
    uVz/50eRaTmlnvOKRFp9ZcZuqw3We6DVqsBMuTpQg0Bg/VQTgCa9NFD8LW2UXGO8
    YFANV8ABVn9q/1TET6Fg5YbcTePsd5/lNlL1zpSHiAtBuwfGzKKiMgZJ1XFYeb9p
    heqpTj2d22CoghFQnKbRUOPpjfPcElFq07/z5m7blEkAmsAQh2y+bIH5T7UNdgtf
    smLqWZMqIsMEvNEi3gbkPUTatmZlgFac1TXvxyIIv95rIeqs07WZXn0GsgkNsO3i
    CjcFY1UXxxYV5Wg/uPQlFnbRpTefd5Ms253Dm9Ey2E8v+E3HsOfn0JvpY4vIkKz2
    KDesetXsIOw747tf1wXHmQIDAQABo4IDnTCCA5kwDgYDVR0PAQH/BAQDAgWgMB0G
    A1UdDgQWBBR8xG8ZaDVcquSU+0n40KSH+7SmSDAfBgNVHSMEGDAWgBSy5dc14lYu
    F1hqyYnbrQAHPsISWzCCAZgGA1UdHwSCAY8wggGLMIIBh6CCAYOgggF/hoHZbGRh
    cDovLy9DTj1qeW91bmd0YS1jYXNlcnZlcigxKSxDTj1qeW91bmd0YS1jYXNlcnZl
    cixDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMs
    Q049Q29uZmlndXJhdGlvbixEQz1qeW91bmd0YS1sYWJkb21haW4sREM9Y2lzY28s
    REM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFz
    cz1jUkffffffffffffffffffffffffffffffffffffffffffffffffffffcDovL2
    p5b3VuZ3RhLWNhc2VydmVy
    Lmp5b3VuZ3RhLWxhYmRvbWFpbi5jaXNjby5jb20vQ2VydEVucm9sbC9qeW91bmd0
    YS1jYXNlcnZlcigxKS5jcmyGRmh0dHA6Ly9qeW91bmd0YS1jYXNlcnZlci5jaXNj
    by5jb20vQ2VydEVucm9sbC9qeW91bmd0YS1jYXNlcnZlcigxKS5jcmwwggFxBggr
    BgEFBQcBAQSCAWMwggFfMIHEBggrBgEFBQcwAoaBt2xkYXA6Ly8vQ049anlvdW5n
    dGEtY2FzZXJ2ZXIsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENO
    PVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9anlvdW5ndGEtbGFiZG9tYWlu
    LERDPWNpc2NvLERDPWNvbT9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9
    Y2VydGlmaWNhdGlvbkF1dGhvcml0eTCBlQYIKwYBBQUHMAKGgYhodHRwOi8vanlv
    dW5ndGEtY2FzZXJ2ZXIuanlvdW5ndGEtbGFiZG9tYWluLmNpc2NvLmNvbS9DZXJ0
    RW5yb2xsL2p5b3VuZ3RhLWNhcfffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffFpbi5jaXNj
    by5jb21fanlvdW5ndGEtY2FzZXJ2ZXIoMSkuY3J0MCEGCSsGAQQBgjcUAgQUHhIA
    VwBlAGIAUwBlAHIAdgBlAHIwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcN
    AQEFBQADggEBAHNVNEMcys1z4sXGiI2jZzT5Nt/q8dLl4LCJ2iZkmS3F8tG14UEf
    C/e28VWavV4piIXK4FuZKB1iltOo9MZAGH9PvVEO+yG8zpeIcwOgDq951qJejeBA
    +N+ryCFy5TEbiMF3pw1XjdbBAProJ1s1Q0QcjoigPNtPyqRfehdlhMUo4NgC/svX
    5VZSfxpagaBhdpUNVYo2s0ujXujuI/aTRpbDan2h7n27tMMBtDcocpQgPv6txDoR
    b+Qb8CPZt3IvuEXAru4cRv1O1jYUWlY59ta5uELSnA+2WA36PiMxIyLu67W1RI05
    1rFcBOmIQ8vTpqyNp8/TFOpOSnQMO30w9Fs=
    -----END CERTIFICATE-----
    quit
    % Router Certificate successfully imported
  6. 一旦CA和身份证书都加载到各自的信任点,请验证每个信任点的证书链。此步骤确保已成功完成上述步骤。

    crypto pki cert validate tac-cme
    Chain has 2 certificates
    Certificate chain for tac-cme is valid
     
    crypto pki cert validate tac-sast
    Chain has 2 certificates
    Certificate chain for tac-sast is valid
  7. 创建IOS CA CME信任点。 

    由于IOS-CA信任点不能用于客户端身份验证(与电话的传输级安全(TLS)连接),因此您必须创建另一个信任点并将IOS-CA证书放入其中。

    此信任点仅用于授权IP电话的TLS连接请求(以便它们能够正确注册)。

    crypto pki trust ios-ca-cme
    enroll url http://10.2.3.4:80
    revo none
    rsakey ios-ca
    exit

    crypto pki auth ios-ca-cme
    Certificate has the following attributes:
    Fingerprint MD5: 0120A3AB 44155DF9 091F31BF C3E26B80 
    Fingerprint SHA1: 90F9DDDE 20A792B5 3693A065 8BDAD50E 588E011C
    % Do you accept this certificate? [yes/no]: yes
    Trustpoint CA certificate accepted.
  8. 配置CTL客户端。 

    ctl-client
    server capf 10.2.3.4 trust tac-cme
    server cme-tftp 10.2.3.4 trust tac-cme
    sast1 trust tac1-cme
    sast2 trust tac-sast
    regenerate

    注意:确保CTL文件已成功创建:

    do sh flash | iCTL
    58 8642 Aug 29 2012 13:57:22 +00:00 CTLFile.tlv
  9. 配置CAPF服务器。

    capf-server
    auth-mode null-string
    cert-enroll-trust ios-ca pass 0 null
    trustpoint-label tac-cme
    source-addr 10.2.3.4
    end
  10. 配置电话服务。

    confi t
    Enter configuration commands, one per line. End with CNTL/Z.
    telephony-service
    secure-signaling trust tac-cme
    tftp-server-credentials trust tac-cme
    server-security-mode secure
    cnf-file perphone
    device-security-mode encrypted
    exit
  11. 配置测试电话(ephone)以升级其证书并使用加密模式。
    ephone 1
    capf-ip-in-cnf
    cert-oper upgrade auth-mode null
    device-security-mode encrypted
    telephony-service
    cre cnf
    Creating CNF files
    CNF-FILES: Clock is not set or synchronized, retaining old versionStamps
    end

    完成配置后,重置电话并等待其注册。

    注意:在重置电话之前,请确保没有安全配置。如果存在安全配置,则必须在注册到安全Cisco Unified CME之前手动删除或完成测试电话的出厂重置。

    要重置电话,请执行以下命令:

    confi t
    ephone 1
    reset
    end

    电话收到更新的LSC后,cert-oper upgrade auth-mode null-string命令即被删除。

    do sh run | sec ephone
    ephone 1
    device-security-mode encrypted
    mac-address ABCD.ABCD.ABCD
    type 7960
    capf-ip-in-cnf
    button 1:1
    sh ephone
  12. 验证电话是否已同时注册了身份验证和加密。

    sh ephone
    ephone-1[0] Mac:ABCD.ABCD.ABCD TCP 
    socket:[2] activeLine:0 whisperLine:0 
    REGISTERED in SCCP ver 11/9 
    max_streams=0 + Authentication + Encryption with TLS connection
    mediaActive:0 whisper_mediaActive:0 
    startMedia:0 offhook:0 ringing:0 reset:0 
    reset_sent:0 paging 0 debug:0 caps:8 
    IP:10.2.3.10 * 51685 Telecaster 7960 
    keepalive 4 max_line 6 available_line 6
    button 1: cw:1 ccw:(0 0) 
    dn 1 number 2090 CH1 IDLE CH2 IDLE 
    Preferred Codec: g711ulaw 
    Lpcor Type: none

安全Cisco Unified CME应能与第3方证书完全兼容。

相关信息

修订历史记录

版本 发布日期 备注
1.0
15-Apr-2013
初始版本
TAC Authored

由思科工程师提供

  • John Casale and Justin Betz
    Cisco TAC Engineers.

此文档是否有帮助?

Feedback反馈

联系我们

本文档适用于以下产品