HTTPS with Client Certificate Authentication; Authenticate HTTPS with Client Certificate - Cisco 8800 Series Manual

HTTPS with Client Certificate Authentication

Step 6
Copy the basic.txt configuration file (described in TFTP Resync, on page 41) onto the virtual root
directory of the HTTPS server.
Step 7
Verify proper server operation by downloading basic.txt from the HTTPS server by using a standard
browser from the local PC.
Step 8
Inspect the server certificate that the server supplies.
The browser probably does not recognize the certificate as valid unless the browser has been pre-configured
to accept Cisco as a root CA. However, the phones expect the certificate to be signed this way.
Modify the Profile_Rule of the test device to contain a reference to the HTTPS server, for example:
<Profile_Rule>
https://my.server.com/basic.txt
</Profile_Rule>
This example assumes the name of the HTTPS server is my.server.com.
Step 9
Click Submit All Changes.
Step 10
Observe the syslog trace that the phone sends.
The syslog message should indicate that the resync obtained the profile from the HTTPS server.
Step 11
(Optional) Use an Ethernet protocol analyzer on the phone subnet to verify that the packets are encrypted.
In this exercise, client certificate verification was not enabled. The connection between the phone and server
is encrypted. However, the transfer is not secure because any client can connect to the server and request the
file, given knowledge of the file name and directory location. For secure resync, the server must also authenticate
the client, as demonstrated in the exercise described in HTTPS with Client Certificate Authentication, on page 58.
HTTPS with Client Certificate Authentication
In the factory default configuration, the server does not request an SSL client certificate from a client. Transfer
of the profile is not secure because any client can connect to the server and request the profile. You can edit
the configuration to enable client authentication, so that the server requires a client certificate to authenticate
the phone before it accepts a connection request.
Because of this requirement, the resync operation cannot be independently tested by using a browser that
lacks the proper credentials. The SSL key exchange within the HTTPS connection between the test phone
and the server can be observed with the ssldump utility. The utility trace shows the interaction between client
and server.
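The following added example (not part of the Cisco guide) is a Python check that reads an Apache configuration and lists the TLS scopes that still admit a client without a certificate. It assumes Apache with mod_ssl and its SSLVerifyClient directive, with VirtualHost blocks at the top level of the file; the sample configuration and its second virtual host are constructed for illustration.

```python
import re

# Constructed sample config; ports and paths are placeholders, not values from the guide.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName my.server.com
    SSLEngine on
    # SSLVerifyClient require
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    SSLVerifyClient require
    <Location /public>
        SSLVerifyClient optional
    </Location>
</VirtualHost>
"""
SECTION = re.compile(r"<(\w+)\s*([^>]*)>")

def audit_client_cert(conf_text):
    """List (scope, mode) for TLS scopes that admit a client without a certificate."""
    stack, vhosts, server_default = [], [], "none"  # mod_ssl's default mode is "none"
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue  # a commented-out directive has no effect
        if line.startswith("</"):
            del stack[-1:]  # close the innermost open section, if any
            continue
        opened = SECTION.fullmatch(line)
        if opened:
            stack.append(f"{opened.group(1)} {opened.group(2)}".strip())
            if opened.group(1).lower() == "virtualhost":
                vhosts.append({"name": stack[-1], "tls": False, "verify": None, "nested": []})
            continue
        name, value = (s.lower() for s in (line.split(None, 1) + [""])[:2])
        in_vhost = bool(stack) and stack[0].lower().startswith("virtualhost")
        if name == "sslengine" and in_vhost and len(stack) == 1:
            vhosts[-1]["tls"] = value == "on"
        elif name == "sslverifyclient" and not stack:
            server_default = value  # server-wide setting, inherited by virtual hosts
        elif name == "sslverifyclient" and in_vhost and len(stack) == 1:
            vhosts[-1]["verify"] = value
        elif name == "sslverifyclient" and in_vhost:
            vhosts[-1]["nested"].append((" > ".join(stack), value))  # per-path override
    findings = []
    for vh in (v for v in vhosts if v["tls"]):
        scopes = [(vh["name"], vh["verify"] or server_default)] + vh["nested"]
        findings += [(s, m) for s, m in scopes if m != "require"]
    return findings
```

An empty result means every TLS virtual host, and every nested override inside it, demands a client certificate; any other mode (`none`, `optional`, `optional_no_ca`) is reported with its scope.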

Authenticate HTTPS with Client Certificate

Procedure
Step 1
Enable client certificate authentication on the HTTPS server.
Step 2
In Apache (v.2), set the following in the server configuration file:
Cisco IP Phone 8800 Series Multiplatform Phone Administration Guide for Release 11.3(1) and Later
Cisco IP Phone Provisioning

This manual is also suitable for: 8851, 8861, 8865