Cisco SPA series phones and ATAs can use certificate-authenticated HTTPS (SSL) sessions to ensure secure provisioning. For a provisioning server to be acceptable to the SPA phone or ATA, the server must present a certificate signed by Cisco's Certificate Authority (CA).
Over the years, we have added certificate authorities (CA) as needed and for administrative reasons.
An HTTPS server used for device provisioning must use a certificate signed by the appropriate CA for the device.
To obtain this certificate, you must submit a certificate signing request (CSR) by following the CSR instructions.
When submitting the CSR, you must list the device types that you want to provision so we know what certificates to generate for you.
Following is a list to help you identify the appropriate CA associated with your device:
- Linksys CA:
- Sipura CA:
- SPA2xxx (SPA2000 and SPA2102)
- SPA3xxx (SPA3000 and SPA3102)
- SPA9xx (SPA901, SPA921, SPA922, SPA941, SPA942, SPA962)
- SPA5xx (SPA501G, SPA502G, SPA504G, SPA508G, SPA509G, SPA525G, SPA525G2)
- Cisco Small Business (SB) CA:
- SPA1xx (SPA112 and SPA122)
- SPA3xx (SPA301 and SPA303)
- SPA51x (SPA512 and SPA514)
- SRP5xx (SRP521 and SRP541)
An HTTPS server can only present a single certificate per IP address:port.
To securely provision devices associated with multiple CAs, you will need to implement multiple HTTPS services. You can use any one or a combination of the following options:
- Deploy multiple computers with one network interface card (NIC) per computer, each performing the role of a CA
- Deploy a single computer with multiple NICs where each NIC has a unique IP address where each IP address performs the role of a unique CA
- Deploy a single computer with a single NIC where unique ports are used and each unique port is associated with a unique CA
<end of original document>
<Start of note from Dan Lukes>
Information in such documents seems to be either obsolete or invalid from scratch. Most devices accept more than one CA, so multiple HTTPS servers, as suggested by the document, may be overkill in some cases. But I will leave the original document above, because I can't test all types and firmware versions.
See the table below for the real cross-compatibility list. It is based on real tests of the mentioned devices.
|Device \ CA||Linksys CA||Sipura CA||Cisco SB CA||Verisign|
/C=US/ST=California/L=Irvine/O=Cisco Linksys, LLC./OU=Cisco Linksys Certificate Authority
/CN=Cisco Linksys Provisioning Root Authority 1/emailAddress=firstname.lastname@example.org
/C=US/ST=California/L=San Jose/O=Sipura Technology, Inc./OU=Sipura Technology Certificate Authority
/CN=Sipura Technology Provisioning Root Authority 1/emailAddress=email@example.com
/C=US/ST=California/L=San Jose/O=Cisco Small Business/OU=Cisco Small Business Certificate Authority
/CN=Cisco Small Business Provisioning Root Authority 1/emailAddress=firstname.lastname@example.org
Verisign CA (based on information in SPA5xx IP Phone 7.x Firmware Update Information):
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/CN=VeriSign Class 3 Secure Server CA
Note: according to Verisign (now Symantec) tech support, VeriSign Class 3 Secure Server CA based certificates are no longer issued. Class 3 Public Primary Certification Authority rooted certificates are sold under product name "Secure Site" and "Secure Site Pro".
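A deployment that binds one certificate per IP address:port can be audited by comparing the issuer each endpoint presents with the provisioning CA names listed above. The following is an added example, not part of the Cisco document or of Dan Lukes's note. The function names, endpoint addresses and ports are constructed, and issuer strings are assumed to be in the slash-separated one-line form used on this page. It compares names only and does not verify signatures.

```python
import re

# CA subject names as listed on this page (emailAddress omitted).
KNOWN_CAS = {
    "Linksys CA": "/C=US/ST=California/L=Irvine/O=Cisco Linksys, LLC."
                  "/OU=Cisco Linksys Certificate Authority"
                  "/CN=Cisco Linksys Provisioning Root Authority 1",
    "Sipura CA": "/C=US/ST=California/L=San Jose/O=Sipura Technology, Inc."
                 "/OU=Sipura Technology Certificate Authority"
                 "/CN=Sipura Technology Provisioning Root Authority 1",
    "Cisco SB CA": "/C=US/ST=California/L=San Jose/O=Cisco Small Business"
                   "/OU=Cisco Small Business Certificate Authority"
                   "/CN=Cisco Small Business Provisioning Root Authority 1",
}

def parse_dn(dn):
    """Parse a slash-separated one-line DN into a dict, ignoring emailAddress."""
    dn = re.sub(r"^\s*issuer=\s*", "", dn.strip())
    # Split only on "/" that begins a new attribute, so values may hold "," or "/".
    parts = re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", dn)
    attrs = dict(p.split("=", 1) for p in parts if "=" in p)
    attrs.pop("emailAddress", None)
    return attrs

def classify_issuer(dn):
    """Return the label of the known CA whose name equals the issuer DN, else None."""
    attrs = parse_dn(dn)
    return next((l for l, ca in KNOWN_CAS.items() if parse_dn(ca) == attrs), None)

def audit(expected, observed):
    """Return (endpoint, expected CA, presented CA) for every mismatch."""
    rows = ((ep, want, classify_issuer(observed.get(ep, ""))) for ep, want in expected.items())
    return [r for r in rows if r[1] != r[2]]

# Constructed sample: three ports on one documentation address, one misconfigured.
EXPECTED = {"192.0.2.10:443": "Linksys CA", "192.0.2.10:4431": "Sipura CA",
            "192.0.2.10:4432": "Cisco SB CA"}
OBSERVED = {
    "192.0.2.10:443": "issuer= " + KNOWN_CAS["Linksys CA"] + "/emailAddress=ca@example.org",
    "192.0.2.10:4431": KNOWN_CAS["Cisco SB CA"],  # wrong certificate bound to this port
    "192.0.2.10:4432": KNOWN_CAS["Cisco SB CA"],
}

if __name__ == "__main__":
    for endpoint, want, got in audit(EXPECTED, OBSERVED):
        print(f"{endpoint}: expected {want}, server presents {got}")
```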