Note: Any CAPF certificate should include the following default X509 extensions:

X509v3 Basic Constraints: CA:TRUE, pathlen:0
X509v3 Key Usage: Digital Signature, Certificate Sign

If these extensions are missing from the CAPF certificates, the TLS connection fails.

You can configure CAPF to operate in the following modes:

Table 14: CAPF Running Modes

| Modes | Description |
|---|---|
| Cisco Authority Proxy Function | By default, the CAPF service on Unified Communications Manager issues CAPF service signed LSCs. |
| Online CA | Use this option to have an external online CA sign the LSCs for phones. The CAPF service connects automatically to the external CA. When a Certificate Signing Request (CSR) is manually submitted, the CA signs and returns the CA-signed LSC automatically. Note: Online CA does not support CAPF operations with ECDSA key sizes. |
| Offline CA | Use this option if you want to use an offline external CA to sign LSCs for phones. Manually download the LSCs, submit them to the CA, and then upload the CA-signed certificates after they are ready. Note: We recommend the Online CA option instead of Offline CA when you want to use a third-party CA to sign LSCs. Online CA is automated, quicker, and less likely to encounter problems. |

Before you generate LSCs, make sure that you have the following:

• Unified Communications Manager Release 12.5 or later.
• Endpoints that use CAPF for certificates (includes Cisco Unified IP Phones and Jabber).
• Microsoft Windows Server 2012 and 2016 with CA configured.
• Domain Name Service (DNS).

As a prerequisite, also decide how you want to authenticate your phones.

Before generating LSCs, upload the CA root and HTTPS certificates to the required trust stores. Internet Information Services (IIS) hosts the HTTPS certificate. During a secure SIP connection, the HTTPS certificate goes through the CAPF-trust and the CA root certificate goes through both the CAPF-trust and the Unified Communications Manager-trust.
The CA root certificate is used to sign the Certificate Signing Requests (CSRs).

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 72 Basic System Security Certificates Authority Proxy Function Overview
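The note in this section lists the X509 extensions a CAPF certificate needs, and a missing one causes TLS connection failure. As an added example (not part of the Cisco guide), this Python check reads the text printed by `openssl x509 -noout -text` for a downloaded certificate and reports which required values are absent. The function names and both sample outputs are constructed for illustration.

```python
import re

# Values the note requires on every CAPF certificate.
REQUIRED = {"Basic Constraints": {"CA:TRUE", "pathlen:0"},
            "Key Usage": {"Digital Signature", "Certificate Sign"}}

def parse_extensions(text):
    """Map each X509v3 extension in `openssl x509 -noout -text` output to its values."""
    exts, current, depth = {}, None, 0
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip())
        m = re.match(r"\s*X509v3 ([^:]+):\s*(.*)$", line)
        if m and m.group(1) != "extensions":
            current, depth = m.group(1).strip(), indent  # extension header line
            exts[current] = set()
            rest = re.sub(r"^critical\b", "", m.group(2))  # drop the criticality flag
        elif current and line.strip() and indent > depth:
            rest = line  # value line, indented deeper than its header
        else:
            current = None  # left the extension block
            continue
        exts[current].update(v.strip() for v in rest.split(",") if v.strip())
    return exts

def missing_capf_extensions(text):
    """Return the required values a certificate lacks; {} means it meets the note."""
    exts = parse_extensions(text)
    gaps = {name: sorted(need - exts.get(name, set())) for name, need in REQUIRED.items()}
    return {name: absent for name, absent in gaps.items() if absent}

# Constructed sample output, not taken from a real Unified Communications Manager node.
GOOD = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign
    Signature Algorithm: sha256WithRSAEncryption
"""
# Constructed: no path length constraint, and Key Usage lacks Certificate Sign.
BAD = """\
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
"""
if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, missing_capf_extensions(sample) or "all required extensions present")
```

Run it against each CAPF certificate before generating LSCs; any non-empty result names the extension values to fix on the issuing CA.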