PKI Enrollment in Cisco IP Telephony
To obtain a signed certificate, an IP phone needs to enroll with the entity that will issue (sign) the certificate. During enrollment, the phone first obtains the issuer's certificate (needed to authenticate the issuer) and then sends its identity and public key to the issuer, asking for a signed certificate. How an IP phone enrolls depends on the type of certificate.
With MICs, enrollment was already done by Cisco manufacturing during production. When the IP phone is shipped to the customer, it already has its public and private keys, a certificate issued by the Cisco manufacturing CA, and the certificate of the Cisco manufacturing CA installed. No other PKI provisioning tasks are required. MICs always remain on the phone, even if an LSC is added.
With LSCs, enrollment has to be done by the customer.
Note
If the IP phone has both a MIC and an LSC, the LSC has priority.
CAPF Acting as a CA
To obtain an LSC from the CAPF acting as a CA, an IP phone has to enroll with the CAPF, as shown in Figure 26-9.
Figure 26-9. CAPF Enrollment Process
The CAPF enrollment process is as follows:
- The IP phone generates its public/private key pair; only the public key is ever sent out.
- The IP phone downloads the certificate of the CAPF and uses it to establish a TLS session with the CAPF.
- The IP phone enrolls with the CAPF, sending its identity, its public key, and an optional authentication string.
- The CAPF issues a certificate for the IP phone, signed with the CAPF's own private key.
- The CAPF sends the signed certificate to the IP phone.
CAPF Acting as a Proxy to an External CA
If an IP phone should obtain an LSC from an external CA using the CAPF as a proxy, the IP phone has to enroll with the external CA, as shown in Figure 26-10.
Figure 26-10. CAPF External CA Enrollment Process
The external CA enrollment process occurs as follows:
- The IP phone generates its public/private key pair; only the public key is ever sent out.
- The IP phone downloads the certificate of the CAPF and uses it to establish a TLS session with the CAPF.
- The IP phone sends an enrollment request to the CAPF, including its identity, its public key, and an optional authentication string.
- The CAPF forwards the request to the external CA.
- The external CA issues a certificate for the IP phone signed with the private key of the CA.
- The external CA sends the signed IP phone certificate to the CAPF.
- The CAPF sends the signed IP phone certificate to the phone.
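Both exchanges above (CAPF acting as a CA, Figure 26-9, and CAPF acting as a proxy to an external CA, Figure 26-10), worked as an added example that is not code from the book or from Cisco: a Go program built on the standard library's crypto/x509. The phone generates its own key pair and a CSR carrying its identity and public key; the CAPF checks a per-phone one-time authentication string and then either signs with its own key or forwards the request to the external CA; the phone installs the LSC only if it chains to the root it trusted before enrollment and actually certifies the phone's own key. The CA names, the phone ID SEP001122334455, the authentication string 12345 and the function names (NewIssuer, Issuer.Sign, CAPF.Enroll, InstallLSC, RunEnrollment) are all made up for this example. The TLS session between phone and CAPF is not modelled, and in the proxy case the external CA's certificate is assumed to be in the phone's trust list already.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on setup failures (key generation, CA creation); protocol
// failures such as a bad authentication string are returned as errors instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Issuer signs phone certificates: the CAPF itself, or an external CA behind it.
type Issuer struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewIssuer builds a self-signed CA; every CN in this file is made up.
func NewIssuer(cn string) *Issuer {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(10, 0, 0)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &Issuer{Key: key, Cert: must(x509.ParseCertificate(der))}
}

// Sign certifies the identity and public key carried in the CSR. CheckSignature
// is the proof-of-possession step: the CSR must be signed by the matching key.
func (iss *Issuer) Sign(csr *x509.CertificateRequest) ([]byte, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(5, 0, 0)}
	return x509.CreateCertificate(rand.Reader, tmpl, iss.Cert, csr.PublicKey, iss.Key)
}

// CAPF: its own signing identity, an optional external CA to proxy to, and the
// per-phone one-time authentication strings an administrator configured.
type CAPF struct {
	Self, External *Issuer
	AuthStrings    map[string]string
}

// Enroll takes identity and public key from the CSR, checks and consumes the
// authentication string, then signs locally or forwards to the external CA.
func (c *CAPF) Enroll(csrDER []byte, auth string) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	id := csr.Subject.CommonName
	if want, ok := c.AuthStrings[id]; !ok || want != auth {
		return nil, fmt.Errorf("enrollment rejected: bad authentication string for %s", id)
	}
	delete(c.AuthStrings, id) // single use
	if c.External != nil {
		return c.External.Sign(csr) // CAPF acting as proxy (Figure 26-10)
	}
	return c.Self.Sign(csr) // CAPF acting as CA (Figure 26-9)
}

// InstallLSC is the phone's check: accept the certificate only if it chains to
// the root trusted before enrollment and certifies the phone's own public key.
func InstallLSC(phoneKey *rsa.PrivateKey, certDER []byte, root *x509.Certificate) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err = cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return nil, err
	}
	if !phoneKey.PublicKey.Equal(cert.PublicKey) {
		return nil, fmt.Errorf("LSC does not certify this phone's key")
	}
	return cert, nil
}

// RunEnrollment walks the exchange for one phone and returns the issuer CN of the
// installed LSC. The TLS session is not modelled; with proxy set, the external CA
// certificate is assumed to be in the phone's trust list already.
func RunEnrollment(proxy bool, auth string) (string, error) {
	capf := &CAPF{Self: NewIssuer("CAPF-example"), AuthStrings: map[string]string{"SEP001122334455": "12345"}}
	root := capf.Self.Cert // the phone downloaded the CAPF certificate first
	if proxy {
		capf.External = NewIssuer("External-CA-example")
		root = capf.External.Cert
	}
	phoneKey := must(rsa.GenerateKey(rand.Reader, 2048)) // generated on the phone, never sent
	csr := must(x509.CreateCertificateRequest(rand.Reader, // identity + public key, signed by the phone
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "SEP001122334455"}}, phoneKey))
	certDER, err := capf.Enroll(csr, auth)
	if err != nil {
		return "", err
	}
	lsc, err := InstallLSC(phoneKey, certDER, root)
	if err != nil {
		return "", err
	}
	return lsc.Issuer.CommonName, nil
}

func main() { fmt.Println(RunEnrollment(true, "12345")) }
```

Run it with `go run` (Go 1.18 or later for the generic helper). Two checks carry the security of the exchange: the issuer's CheckSignature, which proves the requester holds the private key matching the public key being certified, and the phone's verification of the returned LSC against the root it obtained before enrollment, which is why downloading the CAPF (or external CA) certificate first is not an optional convenience. The authentication string is consumed on first use, so a replayed enrollment request for the same phone is rejected.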