CAPF/CTL on IP Phones

Aug 17th, 2009

Hi Guys,


Can you use the CAPF/CTL features to provision and update digital certificates on 7921/7925 phones?


Has anyone ever used it for such purpose?


Many thx indeed,

Ken


migilles Mon, 08/17/2009 - 12:31
User Badges:
  • Cisco Employee,

Yes, 7921/7925 supports CTL and can push an LSC to the phone via CAPF.

The 7921/7925 phones also come with a MIC as well.


See the 7921/7925 Deployment Guide for more info.


http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/6_0/english/deployment/guide/7921dply.pdf


http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/deployment/guide/7925dply.pdf

kfarrington Tue, 08/18/2009 - 01:08

Hi mate,


This is excellent news.


Can I just ask as the deployment guide has excellent info and the CUCM security guide has some but not a great deal?


The initial install of certs will always have to be via USB so the phone can auth onto the WLAN. Correct?


Can the CAPF function renew certs before they expire?


Many thx indeed,

Ken


migilles Tue, 08/18/2009 - 11:50
User Badges:
  • Cisco Employee,

Thanks for the compliments on the DG.


Yes, for certificates to be used for WLAN authentication with PEAP or EAP-TLS, they must be installed via the phone webpage, which can be done via USB or over the air.


CAPF is not used for WLAN certificates currently.

kfarrington Wed, 08/19/2009 - 04:17

Hi Michael, Can I just confirm the last statement.


Yes we will load the certs via USB etc etc on the phone, and then they will connect to the WLAN.


After that, CAPF can be used to renew certs on the wireless IP phones, correct?


Sorry if I am misunderstanding mate :)


Cheers

Ken

migilles Wed, 08/19/2009 - 09:12
User Badges:
  • Cisco Employee,

No, you cannot renew WLAN certs via CAPF.

CAPF certs (LSC) are for media, signaling and TFTP encryption.

Currently WLAN cert management is manual, so if you are planning to use EAP-TLS with user certs signed by your CA, then you will want to ensure you set an adequate validity period.

You can also use the MIC in the phone for WLAN authentication.

That info is in the deployment guide.
