How to Download Certificates from Cisco IP Phones

Available Languages

Download Options

  • PDF     (209.5 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (283.7 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (215.4 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:August 8, 2019
Document ID:214638

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the procedure in order to retrieve certificates from a Cisco IP Phone when Cisco Authority Proxy Function (CAPF) service runs in Cisco Unified Communications Manager (CUCM) publisher.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • SSL Certificates in phone
    • CUCM administration
    • Command Line Interface (CLI) management in CUCM

    Components Used

    The information in this document is based on these software and hardware versions:

    • Cisco Unified Communications Manager (CUCM) version 11.5.1.11900-26
    • Cisco IP Phone 8811 -  sip88xx.12-5-1SR1-4

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    CAPF service must be active in CUCM publisher and CAPF certificate under Cisco Unified OS Adminsitration must be up-to-date.

    For Cisco IP Phones, there are two alternatives of certificates installed on them:

    • MIC (Manufacturer Installed Certificate)
    • MIC and LSC (Locally Significant Certificate)

    Phones are pre-installed with the MIC certificate and it cannot be deleted neither regenerated. Also, MIC cannot be used once the validity is expired. MICs are 2048-bit key certificates that are signed by the Cisco Certificate Authority.

    The LSC possesses the public key for the Cisco IP phone, which is signed by the CUCM CAPF private key. It is not installed on the phone by default and this certificate is required for the phone in order to operate in secure mode

    Configure

    Step 1. In CUCM, navigate to Cisco Unified CM Administration > Device > Phone.

    Step 2. Find and select the phone which certificates you want to retrieve from.

    Step 3. In the phone configuration page, navigate to Certification Authority Proxy Function (CAPF) Information section.

    Step 4. As shown in the image, apply these parameters:

    Certificate Operation: Troubleshoot

    Authentication Mode: By Null String

    Key Size (Bits): 1024

    Operation Completes By: Date in the future

    Step 5. Click on Save and Reset the phone.

    Step 6. Once that device is registered back in CUCM cluster, ensure in phone configuration page that troubleshoot operation has completed as shown in the image:

    Step 7. Open an SSH session for the CUCM Publisher server and run the command to list the certificates associated to the phone as shown in the image:

    file list activelog /cm/trace/capf/sdi/SEP<MAC_Address>*

    There are two options for the files to be listed:

    Only MIC: SEP<MAC_Address>-M1.cer

    MIC and LSC:SEP<MAC_Address>-M1.cer and SEP<MAC_Address>-L1.cer

    Step 8. In order to download the certificates, run this command: file get activelog /cm/trace/capf/sdi/SEP<MAC_Address>*

    An Secure File Transfer Protocol (SFTP) server is required to save the file as shown in the image

    Related Information

    • IP Phone certificates
    TAC Authored

    Contributed by Cisco Engineers

    • Alejandra Garcia Arzaluz
      Cisco TAC

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco