Certificate Enrollment
The Certificate Authentication Proxy Function (CAPF) allows a local certificate authority to issue certificates to phones which can then be used to authenticate SIP-TLS and VPN connections. There are two types of certificate on the phone.| MIC | Manufacturer Installed Certificate, issued at the factory by Cisco with a 10 year expiry. It cannot be updated and is used when no LSC is present. |
| LSC | Locally Significant Certificate, issued by CAPF and can be updated and deleted. When installed this certificate is used instead of the MIC. |
Using the Manufacturer Installed Certificate (MIC) to authenticate a phone does not require CAPF. Instead download and combine the Cisco Root CA 2048 (crca2048) and Cisco Manufacturing CA (cmca2) certificates available at open_in_browser https://www.cisco.com/security/pki into a certificate chain.
To enable use of CAPF set <
processNodeName> and <phonePort> in SEPMAC.cnf.xml and include a certificate with the CAPF role in ITLFile.tlv or via the Trust Verification Service. An archive containing the server and client utilities can be downloaded from the URL below.file_download daemons-3.2.tar.gz (28K) event 05/03/2023 security SHA256:e499cf6338397c323db120cc52da9361a98f3ab091d686fe783de1032ea32be6.
capfctl link
Thecapfctl utility is used to manage the database file used by capfd. The following sets the device to install a new certificate when it connects to CAPF without requiring a password to the database file in /var/lib/capf. Once a phone has completed the specified operation the current operation will revert to none.~/daemons-X.X$ sudo --user capf ./capfctl /var/lib/capf/capf.sqlite3 --install SEP58971ECC97C1
An RSA key will be generated by default. Newer phone models support EC (Elliptic Curve) keys, specifying a curve will have the phone generate an EC key instead. Note:
ITLFile.tlv must have a version of 1.1 to enable EC support on the phone, see Device Security for more information.~/daemons-X.X$ sudo --user capf ./capfctl /var/lib/capf/capf.sqlite3 --install SEP58971ECC97C1 \
--curve secp384r1
Optionally specify a password that the phone must provide to authenticate with CAPF. See SEPMAC.cnf.xml for more information.
~/daemons-X.X$ sudo --user capf ./capfctl /var/lib/capf/capf.sqlite3 --install SEP58971ECC97C1 \
--password 123456
Optionally specify that phone will authenticate with the CAPF using both the LSC (if installed) and MIC. See below for additional command line options to
capfd to authenticate the MIC.~/daemons-X.X$ sudo --user capf ./capfctl /var/lib/capf/capf.sqlite3 --install SEP58971ECC97C1 \
--certificate
The LSC certificate can be deleted from the phone.
~/daemons-X.X$ sudo --user capf ./capfctl /var/lib/capf/capf.sqlite3 --delete SEP58971ECC97C1
Devices can be removed from the database when no longer required.
~/daemons-X.X$ sudo --user capf ./capfctl /var/lib/capf/capf.sqlite3 --remove SEP58971ECC97C1
A list of devices in the database file can be shown.
~/daemons-X.X$ ./capfctl /var/lib/capf/capf.sqlite3 --list
Supported CAPF operations are listed below.
| Install | Install a new LSC |
| Delete | Delete the LSC |
| Fetch | Fetch the LSC |
| None | No change to the LSC |
capfd link
The Certificate Authentication Proxy Function requires an RSA key and X509 certificate, if you already have a certificate that can be used instead. Otherwise a new certificate can be generated usingmkcert. See Device Security for more information.~/certutils-X.X$ sudo ./mkcert --common "CAPF" --organization "CAPF" --unit "CAPF" \
/var/lib/capf/capf.pem
Add the CAPF certificate to
ITLFile.tlv using tlvfile and restart phones to have them download the new version. Alternatively use TVS to verify the CAPF certificate, see Trust Verification for more information.~/certutils-X.X$ sudo ./tlvfile --build /var/lib/tftpboot/ITLFile.tlv --sast /etc/ssl/private/sast.pem \
--capf /var/lib/capf/capf.pem ...
Run the daemon by specifying the path to the database file and the certificate that has the
CAPF role. INSTALL.md has example instructions to run the daemon as a service. Issued certificates are stored in the database and also saved to a file based on the device name, by default the directory used is the same as the database file.~/daemons-X.X$ sudo --user capf ./capfd /var/lib/capf/capf.sqlite3 --capf /var/lib/capf/capf.pem
An optional issuer certificate can be specified to sign the new certificates, otherwise the CAPF certificate is used.
~/daemons-X.X$ sudo --user capf ./capfd /var/lib/capf/capf.sqlite3 --capf /var/lib/capf/capf.pem \
--issuer /var/lib/capf/issuer.pem --days 90
If the phone has been configured to authenticate using a certificate then the Cisco Manufacturing CA (cmca2) certificate used to sign the phone's MIC must also be specified. The verify option may be specified multiple times to validate additional issuers, the certificate used to issue an LSC is automatically used for verification.
~/daemons-X.X$ sudo --user capf ./capfd /var/lib/capf/capf.sqlite3 --capf /var/lib/capf/capf.pem \
--verify /var/lib/capf/cmca2.pem
capfc link
capfc is a command line client that connects to capfd to perform the current operation. This can be used to debug certificate enrollment failures.