Client Certificates; Certificate Structure - Cisco SPA901-UK - Small Business Pro Provisioning Manual

Provisioning Cisco Small Business VoIP Devices
Using HTTPS
Cisco Small Business IP Telephony Devices Provisioning Guide

Client Certificates

In addition to a direct attack on an IP Telephony device, an attacker might attempt
to contact a provisioning server by using a standard web browser or another
HTTPS client to obtain the configuration profile from the provisioning server. To
prevent this kind of attack, each IP Telephony device also carries a unique client
certificate, also signed by Cisco, including identifying information about each
individual endpoint. A certificate authority root certificate capable of
authenticating the device client certificate is given to each service provider. This
authentication path allows the provisioning server to reject unauthorized requests
for configuration profiles.
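
The server-side check described above, as an added example that is not part of the Cisco guide: the TLS context refuses any handshake without a certificate chaining to the device root, and a verified device is given only its own profile. The file path arguments, the use of commonName as the device identifier, and the device table are assumptions made for illustration.

```python
import ssl

# Constructed sample data: the subject layout matches what
# ssl.SSLSocket.getpeercert() returns for a verified peer.
SAMPLE_PEERCERT = {"subject": ((("organizationName", "Example Vendor"),),
                               (("commonName", "device-0001"),))}
# Hypothetical mapping of device identity -> the one profile it may fetch.
KNOWN_DEVICES = {"device-0001": "/profiles/device-0001.cfg",
                 "device-0002": "/profiles/device-0002.cfg"}


def build_server_context(server_cert=None, server_key=None, client_ca=None):
    """TLS context for a provisioning server that demands a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # A browser or generic HTTPS client with no device certificate fails
    # the handshake here and never reaches the profile handler.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if server_cert:
        ctx.load_cert_chain(server_cert, server_key)
    if client_ca:
        # Root certificate that authenticates the device client certificates.
        ctx.load_verify_locations(cafile=client_ca)
    return ctx


def subject_field(peercert, name):
    """Return one subject attribute from a getpeercert() dict, or None."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == name:
                return value
    return None


def authorize_profile_request(peercert, requested_path, known_devices):
    """Return the profile path to serve, or None to reject the request."""
    if not peercert:                      # no verified client certificate
        return None
    # Assumption: the device identifier is carried in commonName.
    device_id = subject_field(peercert, "commonName")
    profile = known_devices.get(device_id)
    # A valid certificate only unlocks that device's own profile.
    return profile if profile == requested_path else None
```

In a request handler, pass the result of `getpeercert()` on the accepted TLS socket as `peercert`.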

Certificate Structure

The combination of a server certificate and a client certificate ensures secure
communication between a remote IP Telephony device and its provisioning server.
The Certificate Authority Flow figure illustrates the relationship and placement of
certificates, public/private key pairs, and signing root authorities, among the Cisco
client, the provisioning server, and the certification authority.
The upper half of the diagram shows the Provisioning Server Root Authority that is
used to sign the individual provisioning server certificate. The corresponding root
certificate is compiled into the firmware, allowing the IP Telephony device to
authenticate authorized provisioning servers.