Typically, in a PKI there is a single Certificate Authority (CA), or a hierarchy of CAs, that issues certificates. However, several other elements can play this role too:

  • Self-signed certificates: certificates that the Call Manager, the TFTP server and the Certificate Authority Proxy Function (CAPF) sign for themselves
  • Certificates signed by the CAPF or an external CA: these are issued to IP phones as Locally Significant Certificates (LSC)
  • Certificates signed by the Cisco CA: some IP phone models ship with a Manufacturing Installed Certificate (MIC)

All of these certificate types are needed to carry out functions such as authentication and encryption of voice signaling and media traffic, authentication of firmware images, and authentication of configuration files.

To distribute these certificates to IP phones, you create a Cisco Trust List (CTL) with the CTL client, a plugin that you install on a Windows server or desktop. The CTL client collects the information about every trusted certificate entity into a single file, which is then signed by the Cisco Site Administrator Security Token (SAST). When a phone goes through its boot-up sequence, it retrieves this CTL file from the TFTP server and uses it to validate server certificates and security tokens. This is what enables secure communications and file authentication. The entries you can find in a CTL file are:

  • Call Manager or TFTP
  • Co-resident Call Manager and TFTP
  • CAPF
  • Alternate TFTP server
  • SAST

The information recorded for each of these entries is:

  • PKI
  • Server function
  • IP Address
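To make the trust-list mechanism concrete, here is an added, illustrative model of it in Go. It is not Cisco's CTL file format and not code from the CTL client: entries carry the three fields listed above (with a SHA-256 certificate fingerprint standing in for the "PKI" field), the whole list is signed with an Ed25519 key standing in for the SAST, and the phone side refuses the list unless the signature verifies against a SAST public key it is assumed to already hold. The certificate bytes and addresses are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// CTLEntry models one trusted entity: its server function (CCM, TFTP,
// CAPF, SAST), its name and IP address, and the SHA-256 fingerprint of
// its certificate. Constructed model, not Cisco's CTL record format.
type CTLEntry struct {
	Function    string `json:"function"`
	Name        string `json:"name"`
	IP          string `json:"ip"`
	Fingerprint string `json:"fingerprint"`
}

// SignedCTL is the list of entries plus the SAST signature over their
// canonical encoding.
type SignedCTL struct {
	Entries   []CTLEntry `json:"entries"`
	Signature []byte     `json:"signature"`
}

// Fingerprint returns the hex SHA-256 of a certificate's DER bytes.
func Fingerprint(certDER []byte) string {
	sum := sha256.Sum256(certDER)
	return hex.EncodeToString(sum[:])
}

// canonical produces the exact bytes the SAST signs and the phone verifies.
// json.Marshal of a slice of structs is deterministic (struct field order),
// so both sides compute the same bytes.
func canonical(entries []CTLEntry) []byte {
	b, err := json.Marshal(entries)
	if err != nil {
		panic(err) // cannot happen for plain string fields
	}
	return b
}

// BuildCTL plays the CTL client: it gathers the entries and has the SAST
// private key (kept on the hardware token in a real deployment) sign them.
func BuildCTL(sastKey ed25519.PrivateKey, entries []CTLEntry) SignedCTL {
	return SignedCTL{
		Entries:   entries,
		Signature: ed25519.Sign(sastKey, canonical(entries)),
	}
}

// VerifyCTL plays the phone at boot: the list is trusted only after its
// signature checks out against the SAST public key the phone already holds.
func VerifyCTL(sastPub ed25519.PublicKey, ctl SignedCTL) error {
	if !ed25519.Verify(sastPub, canonical(ctl.Entries), ctl.Signature) {
		return errors.New("CTL signature does not verify: list rejected")
	}
	return nil
}

// TrustedServer reports whether a certificate presented by a server for the
// given function is listed in the verified CTL. Both function and fingerprint
// must match, so a valid TFTP certificate cannot be presented as the Call Manager's.
func TrustedServer(ctl SignedCTL, function string, certDER []byte) bool {
	fp := Fingerprint(certDER)
	for _, e := range ctl.Entries {
		if e.Function == function && e.Fingerprint == fp {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample material: an ephemeral SAST key pair and byte
	// strings standing in for the servers' DER certificates.
	sastPub, sastKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ccmCert := []byte("constructed DER of the Call Manager certificate")
	tftpCert := []byte("constructed DER of the TFTP certificate")

	ctl := BuildCTL(sastKey, []CTLEntry{
		{Function: "CCM", Name: "cucm-pub", IP: "10.0.0.10", Fingerprint: Fingerprint(ccmCert)},
		{Function: "TFTP", Name: "cucm-tftp", IP: "10.0.0.11", Fingerprint: Fingerprint(tftpCert)},
	})
	if err := VerifyCTL(sastPub, ctl); err != nil {
		panic(err)
	}
	fmt.Println("CCM cert accepted as CCM: ", TrustedServer(ctl, "CCM", ccmCert))
	fmt.Println("TFTP cert accepted as CCM:", TrustedServer(ctl, "CCM", tftpCert))

	// Any entry added without the SAST key breaks the signature, which is
	// what lets the phone detect a modified list.
	ctl.Entries = append(ctl.Entries, CTLEntry{Function: "CCM", Name: "extra", IP: "10.0.0.99"})
	fmt.Println("modified CTL still verifies:", VerifyCTL(sastPub, ctl) == nil)
}
```

The point of the model is the order of checks: the phone validates the SAST signature over the entire list first, and only then consults the entries to validate a server certificate for a specific function. In a real deployment the phone learns the SAST certificate from the CTL itself, which is why protecting the initial CTL installation and the security tokens matters.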

As already mentioned, new IP phone models come with a certificate installed at the factory, the Manufacturing Installed Certificate (MIC). Even though these certificates are valid, it is recommended to replace them with LSCs so that all your phones use a single, uniform solution rather than a mix. An LSC can be issued by the CAPF or by an external CA, with the CAPF acting as a proxy when the phones enroll.