Setting Up Secure Survivable Remote Site Telephony
Cisco Unified Survivable Remote Site Telephony Version 4.0 System Administrator Guide
How to Configure Secure SRST
The following configuration sections ensure that the secure SRST router and the Cisco IP phones can
request mutual authentication during the TLS handshake. The TLS handshake occurs when the phone
registers with the SRST router, either before or after the WAN link fails.
This section contains the following procedures:
• Preparing the SRST Router for Secure Communication (required)
• Importing Phone Certificate Files in PEM Format to the Secure SRST Router (required)
• Configuring Cisco Unified CallManager to the Secure SRST Router (required)
• Enabling SRST Mode on the Secure SRST Router (required)
• Verifying Phone Status and Registrations (required)
Preparing the SRST Router for Secure Communication
The following tasks prepare the SRST router to process secure communications.
• Configuring a Certificate Authority Server on a Cisco IOS Certificate Server (optional)
• Autoenrolling and Authenticating the Secure SRST Router to the CA Server (required)
• Disabling Automatic Certificate Enrollment (required)
• Verifying Certificate Enrollment (optional)
• Enabling Credentials Service on the Secure SRST Router (required)
• Troubleshooting Credential Settings (optional)
Configuring a Certificate Authority Server on a Cisco IOS Certificate Server
For SRST routers to provide secure communications, there must be a CA server that issues the device
certificate in the network. The CA server can be a third-party CA or one generated from a Cisco IOS
certificate server.
The Cisco IOS certificate server provides a certificate generation option to users who do not have a
third-party CA in their network. The Cisco IOS certificate server can run on the SRST router or on a
different Cisco IOS router.
If you do not have a third-party CA, full instructions on enabling and configuring a CA server can be
found in the Cisco IOS Certificate Server documentation. A sample configuration is provided below.
SUMMARY STEPS
1. crypto pki server cs-label
2. database level {minimal | names | complete}
3. database url root-url
4. issuer-name DN-string
5. grant auto
6. no shutdown