CAPF/CTL on IP Phones

Unanswered Question
Aug 17th, 2009

Hi Guys,

Can you use the CAPF/CTL features to provision and update digital certificates on 7921/7925 phones?

Has anyone every used it for such purpose?

Many thx indeed,


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
kfarrington Tue, 08/18/2009 - 01:08

Hi mate,

This is excellent news.

Can I just ask as the deployment guide has excellent info and the CUCM security guide has some but not a great deal?

The initiall install of certs will always have to be via USB so the phone can auth onto the WLAN. Correct?

Can the CAPF function renew certs before they expire?

Many thx indeed,


migilles Tue, 08/18/2009 - 11:50

Thanks for the compliments on the DG.

Yes for certificates to be used for WLAN authentication with PEAP or EAP-TLS, they must be installed via the phone webpage, which can be done via USB or over the air.

CAPF is not used for WLAN certificates currently.

kfarrington Wed, 08/19/2009 - 04:17

Hi Michael, Can I just confirm the last statement.

Yes we will load the certs via USB etc etc on the phone, and then they will connect to the WLAN.

After that, CAPF can be used to renew certs on the wireless IP phones, correct?

Sorry if I am mis-understanding mate :)



migilles Wed, 08/19/2009 - 09:12

No can not renew WLAN certs via CAPF.

CAPF certs (LSC) are for media, signaling and tftp encryption.

Currently WLAN cert management is manual, so if planning to use EAP-TLS with user certs signed by your CA then want to ensure you set an adequate validity period.

You can also use the MIC in the phone for WLAN authentication.

That info is in the deployment guide.


This Discussion