In-House Preprovisioning and Provisioning Servers
Provisioning Server Setup
Provisioning Guide for Cisco SPA100 and SPA200 Series Analog Telephone Adapters 43
3
This command generates the server private key in privkey.pem and a
corresponding certificate signing request in provserver.csr. The service provider
keeps the privkey.pem secret and submits provserver.csr to Cisco for signing.
Upon receiving the provserver.csr file Cisco generates provserver.crt, the signed
server certificate.
Cisco also provides a Sipura CA Client Root Certificate to the service provider.
This root certificate certifies the authenticity of the client certificate carried by
each ATA.
The unique client certificate offered by each device during an HTTPS session
carries identifying information embedded in its subject field. This information can
be made available by the HTTPS server to a CGI script invoked to handle secure
requests. In particular, the certificate subject indicates the unit product name (OU
element), MAC address (S element), and serial number (L element). The following
example from a SPA962 client certificate subject field shows these elements:
OU=SPA-962, L=88012BA01234, S=000e08abcdef
Units manufactured before firmware 2.0.x do not contain individual SSL client
certificates. When these units are upgraded to a firmware release in the 2.0.x tree,
they become capable of connecting to a secure server using HTTPS, but are only
able to supply a generic client certificate if requested to do so by the server. This
generic certificate contains the following information in the identifying fields:
OU=cisco.com, L=ciscogeneric, S=ciscogeneric
To determine if an ATA carries an individualized certificate, use the $CCERT
provisioning macro variable. The variable value expands to either Installed or Not
Installed, according to the presence or absence of a unique client certificate. In the
case of a generic certificate, it is possible to obtain the serial number of the unit
from the HTTP request header in the User-Agent field.
HTTPS servers can be configured to request SSL certificates from connecting
clients. If enabled, the server can verify the client certificate by using the Sipura
CA Client Root Certificate supplied by Cisco. It can then provide the certificate
information to a CGI for further processing.
The location for storing certificates might vary. For example, on an Apache
installation the file paths for storing the provisioning server–signed certificate, its
associated private key, and the Sipura CA client root certificate are as follows:
# Server Certificate:
SSLCertificateFile /etc/httpd/conf/provserver.crt
# Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/provserver.key
To Next Page
Loading...
Need help?
General
