Managing Certificates in a Cisco IP Telephony Network
Typically, in a PKI, there is a single certificate authority (CA) or hierarchy of CAs to issue certificates. In a Cisco IP telephony network, however, several elements have the capability to issue certificates:
Self-signed certificates: These are certificates self-signed by the CUCM, TFTP server, and Certificate Authority Proxy Function (CAPF).
Certificates signed by the CAPF or an external CA: These are issued as locally significant certificates (LSC) to Cisco IP phones.
Certificates signed by the Cisco CA: Certain Cisco IP phone models are shipped with manufacturing installed certificates (MIC).
All these certificate types are necessary to carry out functions such as authentication and encryption of voice signaling and media traffic, authentication of images, and authentication of configuration files. But to ease the distribution of certain certificates to Cisco IP phones, a Cisco Trust List (CTL) is created using a CTL Client. The CTL Client is a plug-in that can be installed on a Windows 2000 server or workstation.
A CTL supplies a list of trusted items signed by the Cisco Site Administrator Security Token (SAST, a portable hardware security module). Cisco IP phones use this CTL to validate server certificates and security tokens and to enable secure communications and file authentication. Because every server certificate the phone accepts is anchored in this one signed list, the SAST signature over the list, not the individual certificates, is what the phone's trust ultimately rests on.
The CTL file consists of the following entries:
CUCM or Cisco TFTP
CUCM and Cisco TFTP on the same server
CAPF
Alternate Cisco TFTP
SAST
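The trust model described above, reduced to its essentials, as an added example that is not code from the page or from Cisco: a CTL Client signs a list of trusted certificate fingerprints with the SAST key, and a phone refuses to use the list unless that signature verifies, then accepts a server certificate only if its fingerprint appears under the expected role. The entry layout, the JSON encoding, the use of Ed25519 in place of the token's real signing algorithm, the fixed key seed and the byte strings standing in for DER certificates are all assumptions of this example, not Cisco's CTL file format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// CTLEntry is a simplified, hypothetical trust-list record (an assumption of
// this example, not Cisco's CTL layout): the role a certificate serves and
// the SHA-256 fingerprint of its DER-encoded certificate.
type CTLEntry struct {
	Role        string `json:"role"`        // "CUCM", "TFTP", "CAPF", "SAST", ...
	Subject     string `json:"subject"`     // certificate subject, for display only
	Fingerprint string `json:"fingerprint"` // hex SHA-256 of the DER certificate
}

// CTL is the list plus the SAST's signature over the list body.
type CTL struct {
	Entries   []CTLEntry `json:"entries"`
	Signature []byte     `json:"signature"`
}

// Fingerprint hashes a DER-encoded certificate the way the phone compares it.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// body is the byte string the SAST signs and the phone verifies: the JSON
// encoding of the entries, which is deterministic for a given entry order.
func body(entries []CTLEntry) ([]byte, error) {
	return json.Marshal(entries)
}

// BuildCTL is the CTL Client side: sign the list with the SAST private key.
func BuildCTL(sast ed25519.PrivateKey, entries []CTLEntry) (*CTL, error) {
	b, err := body(entries)
	if err != nil {
		return nil, err
	}
	return &CTL{Entries: entries, Signature: ed25519.Sign(sast, b)}, nil
}

// VerifyCTL is the phone side: reject the list unless the SAST signature over
// the entries checks out. Everything the phone trusts flows from this check.
func VerifyCTL(sastPub ed25519.PublicKey, ctl *CTL) error {
	b, err := body(ctl.Entries)
	if err != nil {
		return err
	}
	if !ed25519.Verify(sastPub, b, ctl.Signature) {
		return errors.New("CTL signature invalid: list was not signed by the SAST")
	}
	return nil
}

// TrustedServer answers the phone's question: does the certificate a server
// just presented for this role appear in a CTL that verifies?
func TrustedServer(sastPub ed25519.PublicKey, ctl *CTL, role string, presentedDER []byte) (bool, error) {
	if err := VerifyCTL(sastPub, ctl); err != nil {
		return false, err
	}
	fp := Fingerprint(presentedDER)
	for _, e := range ctl.Entries {
		if e.Role == role && e.Fingerprint == fp {
			return true, nil
		}
	}
	return false, nil
}

// Scenario runs the three outcomes a practitioner wants to see. The SAST key
// seed and the "certificates" are constructed stand-ins, not real material.
func Scenario() (listedTrusted, unlistedTrusted, tamperedRejected bool, err error) {
	sast := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	sastPub := sast.Public().(ed25519.PublicKey)

	cucmDER := []byte("constructed DER: CN=cucm1.example.test (self-signed)")
	capfDER := []byte("constructed DER: CN=CAPF-example")
	unlistedDER := []byte("constructed DER: CN=cucm1.example.test (not in the CTL)")

	entries := []CTLEntry{
		{Role: "CUCM", Subject: "cucm1.example.test", Fingerprint: Fingerprint(cucmDER)},
		{Role: "CAPF", Subject: "CAPF-example", Fingerprint: Fingerprint(capfDER)},
		{Role: "SAST", Subject: "SAST token", Fingerprint: Fingerprint(sastPub)},
	}
	ctl, err := BuildCTL(sast, entries)
	if err != nil {
		return
	}
	// 1. The CUCM certificate on the list is accepted.
	if listedTrusted, err = TrustedServer(sastPub, ctl, "CUCM", cucmDER); err != nil {
		return
	}
	// 2. Same subject name, different fingerprint: not on the list, so refused.
	if unlistedTrusted, err = TrustedServer(sastPub, ctl, "CUCM", unlistedDER); err != nil {
		return
	}
	// 3. Editing the list without the SAST re-signing it breaks the signature.
	tampered := CTL{Entries: append([]CTLEntry(nil), ctl.Entries...), Signature: ctl.Signature}
	tampered.Entries[0].Fingerprint = Fingerprint(unlistedDER)
	_, verr := TrustedServer(sastPub, &tampered, "CUCM", unlistedDER)
	tamperedRejected = verr != nil
	return
}

func main() {
	listed, unlisted, tampered, err := Scenario()
	fmt.Println("listed CUCM cert trusted:", listed)
	fmt.Println("unlisted CUCM cert trusted:", unlisted)
	fmt.Println("tampered CTL rejected:", tampered, err)
}
```

The third case is the one worth dwelling on: the phone never consults the individual certificates' own signatures, so the only thing standing between it and a swapped-in server certificate is that the SAST signature no longer matches an edited list. That is why custody of the SAST token, and the integrity of the CTL file delivered over TFTP, matter as much as the server certificates themselves.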