Certificate Enrollment

The Certificate Authentication Proxy Function (CAPF) allows a local certificate authority to issue certificates to phones which can then be used to authenticate SIP-TLS and VPN connections. There are two types of certificate on the phone.

MIC Manufacturer Installed Certificate, issued at the factory by Cisco with a 10 year expiry. It cannot be updated and is used when no LSC is present.
LSC Locally Significant Certificate, issued by CAPF and can be updated and deleted. When installed this certificate is used instead of the MIC.

Using the Manufacturer Installed Certificate (MIC) to authenticate a phone does not require CAPF. Instead download and combine the Cisco Root CA 2048 and Cisco Manufacturing CA 2 certificates available at open_in_browser https://www.cisco.com/security/pki into a certificate chain.

To enable use of CAPF set <processNodeName> and <phonePort> in SEPMAC.cnf.xml and include a certificate with the CAPF role in ITLFile.tlv or via the Trust Verification Service. An archive containing the server and client utilities can be downloaded from the URL below.

file_download daemons-1.7.tar.gz (22K) event 20/07/2021 security SHA256:76c9711e001cfa2d261efecb051bc1b63686d315d3ebb7c3b8a015c150e1b757.

capfctl link

The capfctl utility is used to manage the database file used by capfd. The following sets the device to install a new certificate when it connects to CAPF without requiring a password to the database file in /var/lib/capf.

~/daemons-X.X$ sudo ./capfctl /var/lib/capf/capf.sqlite3 --set SEP58971ECC97C1 --operation INSTALL
If the device already exists in the database file the settings will be overwritten. The LSC certificate can be deleted from the phone by setting the operation to DELETE. Once a phone has completed the specified operation it will will revert to NONE.

~/daemons-X.X$ sudo ./capfctl /var/lib/capf/capf.sqlite3 --set SEP58971ECC97C1 --operation DELETE
A list of devices in the database file can be shown.

~/daemons-X.X$ ./capfctl /var/lib/capf/capf.sqlite3 --list
Supported CAPF operations are listed below.

INSTALL Install a new LSC certificate
DELETE Delete the LSC certificate
FETCH Fetch the LSC certificate
NONE No operation

capfd link

The Certificate Authentication Proxy Function requires an RSA key and X509 certificate, if you already have a certificate that can be used instead. Otherwise a new certificate can be generated using mkcert. See Device Security for more information.

~/certutils-X.X$ sudo ./mkcert --common "CAPF" --organization "CAPF" /var/lib/capf/capf.pem
Add the CAPF certificate to ITLFile.tlv using tlvfile and restart phones to have them download the new version. Alternatively use TVS to verify the CAPF certificate, see Trust Verification for more information.

~/certutils-X.X$ sudo ./tlvfile --build /var/lib/tftpboot/ITLFile.tlv --sast /etc/ssl/private/sast.pem \ --capf /var/lib/capf/capf.pem ...
Run the daemon by specifying the path to the database file and the certificate that has the CAPF role. INSTALL.md has example instructions to run the daemon as a service. Issued certificates are stored in the database and also saved to a file based on the device name, by default the directory used is the same as the database file.

~/daemons-X.X$ ./capfd /var/lib/capf/capf.sqlite3 --capf /var/lib/capf/capf.pem
An optional issuer certificate can be specified to sign the new certificates, otherwise the CAPF certificate is used.

~/daemons-X.X$ ./capfd /var/lib/capf/capf.sqlite3 --capf /var/lib/capf/capf.pem \ --issuer /var/lib/capf/issuer.pem --days 90

capfc link

capfc is a command line client that connects to capfd to perform the current operation. This can be used to debug certificate enrollment failures.