I'm trying to configure CTL and CAPF so I can use secure RTP in a CUCM7 system. The documentation is a little vague in areas, so can anybody help with the following queries:
1) Is there any way I can avoid having to have 2 Cisco USB tokens to create the CTL file, i.e. use third party certification?
2) If I use a Microsoft CA for the third party certificates, what template do I apply to the CSR request or does it not matter?
3) Which type of certificate do I import the certificate back into CUCM as, CAPF or CAPF-trust?
4) Do I need to import the root CA into CUCM somehow so it knows this is a trusted authority?
- No, you need at least two security tokens to sign the CTL. This is done on purpose in case you lose one, as another poster found out a few months ago. If you lose both tokens, you must touch every phone manually to erase the CTL and LSC.
- I believe it needs to be the Subordinate Certificate Authority template. CAPF will generate certificates for the phones directly. It will not pass these signing requests back to the root CA.
- Yes, the root CA certificate must be imported into the CAPF-trust store before uploading the certificate from question three.
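
A pre-import check that follows from the answer above, added here as an example and not part of the thread or of any Cisco tooling: since CAPF signs phone certificates itself, the certificate the CA returns for the CAPF CSR should be a CA certificate that chains to the root placed in CAPF-trust. The script builds constructed sample certificates with openssl; the function names, file names and subject names are assumptions.

```shell
#!/bin/sh
# Added example. Every key, certificate and subject name here is constructed test data.

new_csr() {  # new_csr DIR NAME: fresh key and CSR for "Constructed NAME"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed $2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# make_samples DIR: a throwaway root, one certificate issued with subordinate-CA
# extensions and one issued with end-entity (leaf) extensions.
make_samples() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/subca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$d/leaf.ext"
    new_csr "$d" root && new_csr "$d" subca && new_csr "$d" leaf || return 1
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/subca.ext" -out "$d/root.pem" 2>/dev/null || return 1
    for kind in subca leaf; do
        openssl x509 -req -in "$d/$kind.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
            -CAcreateserial -days 1 -extfile "$d/$kind.ext" -out "$d/$kind.pem" 2>/dev/null || return 1
    done
}

# check_capf_cert ROOT CERT: succeed only if CERT chains to ROOT and is itself
# allowed to sign certificates (CA:TRUE plus the keyCertSign key usage).
check_capf_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "does not chain to root"; return 1; }
    text=$(openssl x509 -in "$2" -noout -text) || return 1
    echo "$text" | grep -q 'CA:TRUE' || { echo "not a CA certificate"; return 1; }
    echo "$text" | grep -q 'Certificate Sign' || { echo "keyCertSign missing"; return 1; }
    echo "ok"
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
if make_samples "$demo_dir"; then
    echo "subordinate CA template: $(check_capf_cert "$demo_dir/root.pem" "$demo_dir/subca.pem")"
    echo "end-entity template:     $(check_capf_cert "$demo_dir/root.pem" "$demo_dir/leaf.pem")"
fi
```

Run against real files, the first argument is the root CA certificate exported from the Microsoft CA and the second is the certificate issued for the CAPF CSR.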