Provisioning Cisco Small Business VoIP Devices
Using HTTPS
Cisco Small Business IP Telephony Devices Provisioning Guide
Client Certificates
In addition to a direct attack on an IP Telephony Device, an attacker might attempt
to contact a provisioning server by using a standard web browser or other HTTPS
client, to obtain the configuration profile from the provisioning server. To prevent
this kind of attack, each IP Telephony Device also carries a unique client
certificate, also signed by Cisco, including identifying information about each
individual endpoint. A certificate authority root certificate capable of
authenticating the device client certificate is given to each service provider. This
authentication path allows the provisioning server to reject unauthorized requests
for configuration profiles.
Certificate Structure
The combination of a server certificate and a client certificate ensures secure
communication between a remote IP Telephony Device and its provisioning server.
The
"Certificate Authority Flow"
of certificates, public/private key pairs, and signing root authorities, among the
Cisco client, the provisioning server, and the certification authority.
The upper half of the diagram shows the Provisioning Server Root Authority, which
is used to sign the individual provisioning server certificate. The corresponding
root certificate is compiled into the firmware, allowing the IP Telephony Device to
authenticate authorized provisioning servers.
figure illustrates the relationship and placement
1
21