Certificate Enrollment
The Certificate Authentication Proxy Function (CAPF) allows a local certificate authority to issue certificates to phones, which can then be used to authenticate SIP-TLS and VPN connections. There are two types of certificate on the phone.
| MIC | Manufacturer Installed Certificate, issued at the factory by Cisco with a 10-year expiry. It cannot be updated and is used when no LSC is present. |
| LSC | Locally Significant Certificate, issued by CAPF. It can be updated and deleted. When installed, this certificate is used instead of the MIC. |
Using the Manufacturer Installed Certificate (MIC) to authenticate a phone does not require CAPF. Instead, download and combine the Cisco Root CA 2048 and Cisco Manufacturing CA 2 certificates available at https://www.cisco.com/security/pki into a certificate chain.
To enable use of CAPF, set <processNodeName> and <phonePort> in SEPMAC.cnf.xml and include a certificate with the ITLFile.tlv or via the Trust Verification Service. An archive containing the server and client utilities can be downloaded from the URL below.
daemons-1.8.tar.gz (23K), 07/09/2021, SHA256:b74a9ae680a0fe1da9f2e3ecad9e732673573630f71348e1baa8f42322cca240
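One way to check the downloaded archive against the SHA256 value published above before unpacking it. This is an added example, not part of the original page or of the daemons archive; the function names sha256_of and verify_sha256 are hypothetical.

```sh
#!/bin/sh
# Added example: compare a downloaded file with a published "SHA256:<hex>" value.
# sha256_of and verify_sha256 are hypothetical helper names.

# Print the lowercase SHA-256 hex digest of file $1 with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED
# EXPECTED may carry the "SHA256:" prefix used on the download line.
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "${2#SHA256:}" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # A SHA-256 digest is exactly 64 hex characters; reject truncated values
    # so that a partial copy-paste can never count as a match.
    case $expected in
        *[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected digest is not 64 characters" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage with the values from the download line; extract only if the digest matches:
# verify_sha256 daemons-1.8.tar.gz \
#     SHA256:b74a9ae680a0fe1da9f2e3ecad9e732673573630f71348e1baa8f42322cca240 \
#     && tar -xzf daemons-1.8.tar.gz
```

The digest is published on the same page as the download, so a match rules out a corrupted or substituted file but not a change to the page itself.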
capfctl utility is used to manage the database file used by capfd. The following sets the device to install a new certificate when it connects to CAPF without requiring a password to the database file in
~/daemons-X.X$ sudo -u capf ./capfctl /var/lib/capf/capf.sqlite3 --set SEP58971ECC97C1 --operation INSTALL
If the device already exists in the database file, the settings will be overwritten. The LSC certificate can be deleted from the phone by setting the operation to DELETE. Once a phone has completed the specified operation it will revert to
~/daemons-X.X$ sudo -u capf ./capfctl /var/lib/capf/capf.sqlite3 --set SEP58971ECC97C1 --operation DELETE
A list of devices in the database file can be shown.
~/daemons-X.X$ ./capfctl /var/lib/capf/capf.sqlite3 --list
Supported CAPF operations are listed below.
| INSTALL | Install a new LSC certificate |
| DELETE | Delete the LSC certificate |
| FETCH | Fetch the LSC certificate |
capfd
The Certificate Authentication Proxy Function requires an RSA key and X509 certificate. If you already have a certificate, that can be used instead. Otherwise a new certificate can be generated using mkcert. See Device Security for more information.
~/certutils-X.X$ sudo ./mkcert --common "CAPF" --organization "CAPF" /var/lib/capf/capf.pem
Add the CAPF certificate to tlvfile and restart phones to have them download the new version. Alternatively use TVS to verify the CAPF certificate, see Trust Verification for more information.
~/certutils-X.X$ sudo ./tlvfile --build /var/lib/tftpboot/ITLFile.tlv --sast /etc/ssl/private/sast.pem \
    --capf /var/lib/capf/capf.pem ...
Run the daemon by specifying the path to the database file and the certificate that has the
INSTALL.md has example instructions to run the daemon as a service. Issued certificates are stored in the database and also saved to a file based on the device name; by default the directory used is the same as that of the database file.
~/daemons-X.X$ sudo -u capf ./capfd /var/lib/capf/capf.sqlite3 --capf /var/lib/capf/capf.pem
An optional issuer certificate can be specified to sign the new certificates, otherwise the CAPF certificate is used.
~/daemons-X.X$ sudo -u capf ./capfd /var/lib/capf/capf.sqlite3 --capf /var/lib/capf/capf.pem \
    --issuer /var/lib/capf/issuer.pem --days 90
capfc is a command line client that connects to capfd to perform the current operation. This can be used to debug certificate enrollment failures.