Setting Up Secure Survivable Remote Site Telephony
Information About Setting Up Secure SRST
Cisco Unified Survivable Remote Site Telephony Version 4.0 System Administrator Guide
Secure SRST Authentication and Encryption
Figure 4 illustrates the process of secure SRST authentication and encryption, and Table 8 describes the
process.
Figure 4 Secure SRST Authentication and Encryption
Table 8 Overview of the Process of Secure SRST Authentication and Encryption
Process Steps Description or Detail
1. The CA server, whether it is a Cisco IOS router CA or a third-party CA, issues a device certificate to the SRST gateway, enabling credentials service. Optionally, the certificate can be self-generated by the SRST router using a Cisco IOS CA server.
   The CA router is the ultimate trustpoint for the Certificate Authority Proxy Function (CAPF). For more information on CAPF, see the Cisco CallManager Security Guide.
2. CAPF is a process by which supported devices can request a locally significant certificate (LSC). The CAPF utility generates a key pair and certificate that are specific to CAPF, copies this certificate to all Cisco Unified CallManager servers in the cluster, and provides the LSC to the Cisco Unified IP Phone.
   An LSC is required for Cisco Unified IP Phones that do not have a manufacturing installed certificate (MIC). The Cisco 7970 is equipped with a MIC and therefore does not need to go through the CAPF process.
3. Cisco Unified CallManager requests the SRST certificate from the credentials server, and the credentials server responds with the certificate.
4. For each device, Cisco Unified CallManager uses the TFTP process and inserts the certificate into the SEPMACxxxx.cnf.xml configuration file of the Cisco Unified IP Phone.
[Figure 4 diagram not reproduced. Labels in the figure: SRST with credentials service; Cisco IOS router CA or third-party CA; Cisco Unified CallManager with CAPF and TFTP; IP phones (7940/7960 with LSC, 7970 with MIC); SEPMACxxxx.cnf.xml; SRST cert; LSC/MIC; TLS handshake; step callouts 1 through 6, 6a and 6b.]