Cisco also provides a Multiplatform Phone Client Root Certificate to the service provider. This root certificate certifies
the authenticity of the client certificate that each phone carries. The Multiplatform Phones also support third-party signed
certificates such as those provided by Verisign, Cybertrust, and so on.
The unique client certificate that each device offers during an HTTPS session carries identifying information that is embedded
in its subject field. This information can be made available by the HTTPS server to a CGI script invoked to handle secure
requests. In particular, the certificate subject indicates the unit product name (OU element), MAC address (S element), and
serial number (L element).
The following example from the Cisco IP Phone 6841 Multiplatform Phones client certificate subject field shows these elements:
OU=CP-6841-3PCC, L=88012BA01234, S=000e08abcdef
To determine if a phone carries an individualized certificate, use the $CCERT provisioning macro variable. The variable value
expands to either Installed or Not Installed, according to the presence or absence of a unique client certificate. In the
case of a generic certificate, it is possible to obtain the serial number of the unit from the HTTP request header in the
User-Agent field.
HTTPS servers can be configured to request SSL certificates from connecting clients. If enabled, the server can use the Multiplatform
Phone Client Root Certificate that Cisco supplies to verify the client certificate. The server can then provide the certificate
information to a CGI for further processing.
The location for certificate storage may vary. For example, in an Apache installation, the file paths for storage of the provisioning
server-signed certificate, its associated private key, and the Multiplatform Phone CA client root certificate are as follows:
# Server Certificate:
SSLCertificateFile /etc/httpd/conf/provserver.crt
# Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/provserver.key
# Certificate Authority (CA):
SSLCACertificateFile /etc/httpd/conf/spacroot.crt
For specific information, refer to the documentation for your HTTPS server.
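The following Python CGI helper is an added example, not Cisco code; it shows how a provisioning script could identify a phone from the certificate information the server passes on, and refuse requests whose certificate did not verify. It assumes Apache mod_ssl with SSLVerifyClient enabled and SSLOptions +StdEnvVars, which export SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN; the function names, the accepted serial-number format, and treating ST as a synonym for S are assumptions.

```python
import re

# Subject elements described above: OU = product name, L = serial number,
# S = MAC address. Accepting "ST" as well is an assumption: some servers
# render the stateOrProvinceName attribute as ST instead of S.
MAC_RE = re.compile(r"[0-9a-f]{12}")
SERIAL_RE = re.compile(r"[0-9A-Za-z]{1,32}")  # assumed serial format


class ClientCertError(Exception):
    """Raised when the request must not be served a device profile."""


def parse_subject(dn):
    """Split 'OU=..., L=..., S=...' or '/OU=.../L=...' into a dict."""
    fields = {}
    for part in re.split(r"[,/]", dn):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields.setdefault(key.strip().upper(), value.strip())
    return fields


def identify_phone(environ):
    """Return product, serial and MAC for a verified client certificate."""
    # mod_ssl reports SUCCESS only when the client certificate chain
    # validated against the CA configured in SSLCACertificateFile.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise ClientCertError("client certificate not verified")
    fields = parse_subject(environ.get("SSL_CLIENT_S_DN", ""))
    mac = (fields.get("S") or fields.get("ST") or "").lower()
    serial = fields.get("L", "")
    product = fields.get("OU", "")
    # Strict formats keep these values safe to use in a profile file name.
    if not MAC_RE.fullmatch(mac):
        raise ClientCertError("subject has no valid MAC address")
    if not SERIAL_RE.fullmatch(serial) or not product:
        raise ClientCertError("subject has no valid serial number or product")
    return {"product": product, "serial": serial, "mac": mac}


# Constructed sample environment, using the subject shown above.
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "OU=CP-6841-3PCC, L=88012BA01234, S=000e08abcdef",
}

if __name__ == "__main__":
    print(identify_phone(SAMPLE_ENV))
```

In a real CGI script, pass os.environ to identify_phone and return an HTTP 403 response when ClientCertError is raised.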
The Cisco Client Certificate Root Authority signs each unique certificate. The corresponding root certificate is made available
to service providers for client authentication purposes.