Certificate Enrollment

The Certificate Authentication Proxy Function (CAPF) allows a local certificate authority to issue certificates to phones which can then be used to authenticate SIP-TLS and VPN connections. There are two types of certificate on the phone:

MIC: Manufacturer Installed Certificate, issued at the factory by Cisco with a 10 year expiry. It cannot be updated and is used when no LSC is present.
LSC: Locally Significant Certificate, issued by CAPF; it can be updated and deleted. When installed, this certificate is used instead of the MIC.

Using the Manufacturer Installed Certificate (MIC) to authenticate a phone does not require CAPF. Instead, download the Cisco Root CA 2048 (crca2048) and Cisco Manufacturing CA (cmca2) certificates from https://www.cisco.com/security/pki and combine them into a certificate chain.

To enable use of CAPF, set <processNodeName> and <phonePort> in SEPMAC.cnf.xml and include a certificate with the CAPF role in ITLFile.tlv or via the Trust Verification Service. An archive containing the server and client utilities can be downloaded from the URL below.

daemons-3.3.tar.gz (28K) 08/05/2024 SHA256: acd9914294124b2ae75cac71e97cde8b1a0036b1202954fc1d04a3fdd1e37310

capfctl

The capfctl utility manages the database file used by capfd. The following marks the device in the database file in /var/lib/capf so that it installs a new certificate the next time it connects to CAPF, without requiring a password. Once a phone has completed the specified operation, its current operation reverts to none.

~/daemons-X.X$ sudo --user capf ./capfctl /var/lib/capf/capf.sqlite3 --install SEP58971ECC97C1

An RSA key is generated by default. Newer phone models support EC (Elliptic Curve) keys; specifying a curve has the phone generate an EC key instead. Note: ITLFile.tlv must have a version of 1.1 to enable EC support on the phone, see Device Security for more information.

~/daemons-X.X$ sudo --user capf ./capfctl /var/lib/capf/capf.sqlite3 --install SEP58971ECC97C1 \
    --curve secp384r1

Optionally specify a password that the phone must provide to authenticate with CAPF. See SEPMAC.cnf.xml for more information.

~/daemons-X.X$ sudo --user capf ./capfctl /var/lib/capf/capf.sqlite3 --install SEP58971ECC97C1 \
    --password 123456

Optionally specify that the phone will authenticate with CAPF using both the LSC (if installed) and the MIC. See below for the additional capfd command line options needed to authenticate the MIC.

~/daemons-X.X$ sudo --user capf ./capfctl /var/lib/capf/capf.sqlite3 --install SEP58971ECC97C1 \
    --certificate

The LSC certificate can be deleted from the phone.

~/daemons-X.X$ sudo --user capf ./capfctl /var/lib/capf/capf.sqlite3 --delete SEP58971ECC97C1

Devices can be removed from the database when no longer required.

~/daemons-X.X$ sudo --user capf ./capfctl /var/lib/capf/capf.sqlite3 --remove SEP58971ECC97C1

A list of devices in the database file can be shown.

~/daemons-X.X$ ./capfctl /var/lib/capf/capf.sqlite3 --list

Supported CAPF operations are listed below.

Install: Install a new LSC
Delete: Delete the LSC
Fetch: Fetch the LSC
None: No change to the LSC

capfd

The Certificate Authentication Proxy Function requires an RSA key and X.509 certificate. If you already have a suitable certificate it can be used; otherwise a new certificate can be generated using mkcert. See Device Security for more information.

~/certutils-X.X$ sudo ./mkcert --common "CAPF" --organization "CAPF" --unit "CAPF" \
    /var/lib/capf/capf.pem

Add the CAPF certificate to ITLFile.tlv using tlvfile and restart phones to have them download the new version. Alternatively use TVS to verify the CAPF certificate, see Trust Verification for more information.

~/certutils-X.X$ sudo ./tlvfile --build /var/lib/tftpboot/ITLFile.tlv --sast /etc/ssl/private/sast.pem \
    --capf /var/lib/capf/capf.pem ...

Run the daemon by specifying the path to the database file and the certificate that has the CAPF role. INSTALL.md has example instructions to run the daemon as a service. Issued certificates are stored in the database and also saved to a file named after the device; by default they are written to the same directory as the database file.

~/daemons-X.X$ sudo --user capf ./capfd /var/lib/capf/capf.sqlite3 --capf /var/lib/capf/capf.pem

An optional issuer certificate can be specified to sign the new certificates, otherwise the CAPF certificate is used.

~/daemons-X.X$ sudo --user capf ./capfd /var/lib/capf/capf.sqlite3 --capf /var/lib/capf/capf.pem \
    --issuer /var/lib/capf/issuer.pem --days 90

If the phone has been configured to authenticate using a certificate, then the Cisco Manufacturing CA (cmca2) certificate used to sign the phone's MIC must also be specified. The verify option may be given multiple times to trust additional issuers; the certificate used to issue an LSC is automatically used for verification.

~/daemons-X.X$ sudo --user capf ./capfd /var/lib/capf/capf.sqlite3 --capf /var/lib/capf/capf.pem \
    --verify /var/lib/capf/cmca2.pem
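The two places above where MIC trust matters (combining crca2048 and cmca2 into a chain, and handing capfd the issuer with --verify) come down to the same check: does the device certificate chain to a CA the deployment has decided to trust? The following is an added example, not code from the capf utilities, that reproduces that check with plain OpenSSL. It generates a stand-in root and manufacturing CA, issues a device certificate under them, and runs openssl verify three ways: against the combined chain (passes), against the root alone with the manufacturing CA missing (fails, which is why the page says to combine both), and for a device certificate issued by a CA that was never added to the trust file (fails). All CA names, keys and device names are constructed; the openssl calls are standard OpenSSL 1.1.1+ commands.

```shell
#!/bin/sh
# Added example (not part of the capf utilities): build a stand-in for the
# Cisco Root CA 2048 -> Cisco Manufacturing CA -> phone MIC chain with OpenSSL,
# combine the two CA certificates into one chain file as the page describes,
# and check device certificates against it. Every name and key is constructed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Self-signed CA certificate: $1 = file stem, $2 = common name.
make_root() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
    openssl req -x509 -new -config "$WORK/req.cnf" -key "$WORK/$1.key" \
        -subj "/CN=$2" -days 365 \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -out "$WORK/$1.pem"
}

# Certificate signed by an existing CA: $1 = stem, $2 = CN, $3 = issuer stem,
# $4 = "ca" for an intermediate CA or "device" for an end-entity certificate.
issue() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/$1.key" \
        -subj "/CN=$2" -out "$WORK/$1.csr"
    if [ "$4" = ca ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
            > "$WORK/$1.ext"
    else
        printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
            > "$WORK/$1.ext"
    fi
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
        -CAcreateserial -days 365 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Verify a device certificate ($2) against a trust file ($1); echoes OK or FAIL.
# This is the decision capfd makes for a MIC when --verify is given.
verify_device() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Stand-ins for crca2048 and cmca2, and a "MIC" issued under them.
make_root root "Example Root CA (stand-in for crca2048)"
issue manufacturing "Example Manufacturing CA (stand-in for cmca2)" root ca
issue SEP000000000001 "SEP000000000001" manufacturing device

# A CA the deployment has not been told to trust, with its own device certificate.
make_root rogue "Untrusted CA"
issue SEP000000000002 "SEP000000000002" rogue device

# The chain file the page describes: root and manufacturing CA together.
cat "$WORK/root.pem" "$WORK/manufacturing.pem" > "$WORK/chain.pem"

# Named results so each outcome can be inspected after the run.
RESULT_CHAIN="$(verify_device "$WORK/chain.pem" "$WORK/SEP000000000001.pem")"
RESULT_ROOT_ONLY="$(verify_device "$WORK/root.pem" "$WORK/SEP000000000001.pem")"
RESULT_ROGUE="$(verify_device "$WORK/chain.pem" "$WORK/SEP000000000002.pem")"

echo "device vs full chain:          $RESULT_CHAIN"
echo "device vs root only (no cmca2): $RESULT_ROOT_ONLY"
echo "device from untrusted CA:      $RESULT_ROGUE"
```

The second result is the one to remember when assembling the chain for MIC authentication: a phone's MIC is signed by the manufacturing CA, not the root, so a trust file holding only crca2048 rejects every phone. The third result is the reason --verify is an explicit list rather than "any Cisco-looking issuer": only the issuers named there (plus the LSC issuer capfd adds itself) are accepted.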

capfc

capfc is a command line client that connects to capfd and performs the device's current operation. It can be used to debug certificate enrollment failures.