/mcpStep 9 Restart Cisco Certificate Authority Proxy Function for the changes to take effect. It automatically restarts the Cisco Certificate Enrollment service. Current Online CA limitations • The Online CA feature does not work if the CA server uses any other language apart from English. The CA server should respond only in English. • The Online CA feature does not support mTLS authentication with CA. • While using Online CA for LSC operation, if LSC certificate is not provided with 'Digital signature' and 'key encipherment' key usage Device secure registration will fail. Configure Offline Certificate Authority Settings Follow this high-level process if you decide to generate phone LSC certificates using an Offline CA. The offline CA option is more time-consuming than online CAs, involving numerous manual steps. Restart the process if there are any issues (for example, a network outage or phone reset) during the certificate generation and transmission process. Note Procedure Step 1 Download the root certificate chain from the third-party certificate authority. Step 2 Upload the root certificate chain to the required trusts (CallManager trust CAPF trust) in Unified Communications Manager. Step 3 Configure Unified Communications Manager to use Offline CAs by setting the Certificate Issue to Endpoint service parameter to Offline CA. Step 4 Generate CSRs for your phone LSCs. Step 5 Send the CSRs to the certificate authority. Step 6 Obtain the signed certificates from the CSR. For more detailed example on how to generate phone LSCs using an Offline CA, see CUCM Third-Party CA-Signed LSCs Generation and Import Configuration. Activate or Restart CAPF Services Activate the essential CAPF services after you configure the CAPF system settings. Restart if the CAPF service is already activated. Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 77 Basic System Security Configure Offline Certificate Authority Settings