IP Phone Security and CTL (Certificate Trust List)


Oct 4th, 2011


The purpose of this document is to act as a supplement to the official Communications Manager Security Guide by providing examples, explanation, and diagrams for Phone Security using Certificate Trust Lists.

Phone Security and CTL Overview

Phone Security with CTL provides the following functions:

  1. Authentication of TFTP downloaded files (configuration, locale, ringlist, etc) using a signing key.
  2. Encryption of TFTP configuration files using a signing key.
  3. Encrypted call signaling for IP Phones.
  4. Encrypted call audio (media) for IP Phones.

Note that the first two functions can also be provided by Security By Default using ITL. The last two functions, encrypted signaling and encrypted media, can only be provided by using CTL files. Refer to the Security By Default document for more information on Authenticated and Encrypted configuration files.



1. Obtain USB eTokens

At least two USB eTokens are required for turning on Phone Security. These tokens are the key to signing the CTL file, and must not be lost. Multiple tokens can be used in a CTL file for redundancy since they are so important. They should be stored in secure, separate locations with their current passwords also stored safely.

In case a single token is lost or destroyed, the other tokens used at the initial signing of the CTL file can be used instead.

A token will self-destruct after 15 failed password attempts, so remembering the token password and having backup tokens is extremely important.


2. Activate CTL Provider and CAPF Services

CTL Provider accepts connections from the CTL Client to generate the CTL File and collect certificates from all nodes. The CAPF (Certificate Authority Proxy Function) service is responsible for signing and storing LSCs (Locally Significant Certificates) from phones.


3. Download and Install the CTL Client

Starting in CUCM 8.6, Windows 7 is finally supported with the CTL Client. Make sure to download the correct CTL Client for the OS in use on the client PC.


4. Run the CTL Client using eTokens


The CTL Client will present the following options for a brand new install:


Set Cisco Unified CallManager Cluster to Mixed Mode:

This turns off auto registration and creates a CTL file.

Set Cisco Unified CallManager Cluster to Non-Secure Mode:

This allows auto registration to be enabled and leaves any existing CTL file in place. This is the default mode, so it cannot be selected unless the cluster is already in Mixed Mode.

Update CTL File:

This allows any new certificates or servers to be added to the CTL file.

Choosing any one of these options will require a USB eToken to be inserted in the client PC:


Once inserted, information about the token is displayed:


At this point the CTL Client performs connections to all CUCM servers in the cluster on TCP port 2444 to retrieve existing CallManager and CAPF certificates. This requires proper name resolution if using host names under "CCMAdministration > System > Server".

The list of all servers and certificates is displayed, along with all tokens in the existing CTL file.


If only one eToken is displayed, the "Add Tokens" option must be used to add another token before the cluster can be set to Mixed Mode.

Once Finish is selected, the CTL Client will ask for the private key password of the USB eToken. This allows the eToken to be used to sign the newly created CTL file, which contains all of the certs and tokens displayed above.

Note here that the password has been incorrectly entered once. The eToken software warns that only 14 more attempts are allowed before the token is permanently locked (destroyed). A successful password entry resets this counter back to 15.


If the correct password is entered, the CTL Client unlocks the private key from the eToken and uses it to sign the CTL File. This newly signed CTL File then gets written to every server on the cluster using another connection to the CTL Provider on TCP 2444. Again this requires network connectivity and name resolution from the CTL Client PC to each server in the cluster.


5. Restart Required Servers

The recommended procedure is to restart all TFTP servers, followed by all servers running the CallManager process. Restarting the TFTP servers allows the TFTP process to load in the newly generated CTLFile.tlv. Restarting the nodes running CallManager causes the phones to reset and download the new CTL file from the configured TFTP server.

admin:utils system restart
Do you really want to restart ?
Enter (yes/no)?

6. Install LSCs on Phones

After the CAPF service is activated and the phones obtain the CAPF certificate by downloading the CTL File, phones can connect to CAPF to obtain LSC files.

Set the phone CAPF Certificate Operation to Install Upgrade using Device > Phone, or Bulk Administration Tool > Phones > Update Phones > Query.



After setting the Certificate Operation, reset the phones.

If Null String or Existing Certificate has been chosen as the authentication mode, no further action will be required.

If a string was chosen for the Authentication Mode then this will need to be entered manually into the phone console.

Settings > Security Configuration > **# > LSC > Update



7. Create and Apply Phone Security Profiles

Now that all of the underlying pieces are in place, phones can have security enabled via the Phone Security Profile. These profiles are specific to the model of phone being configured. A profile will need to be created for each model of phone in use.

CCMAdministration > System > Security > Phone Security Profile


Device Security Mode controls the primary phone security settings with the following options:

Non Secure - unencrypted signaling and unencrypted media (voice / RTP / Real-time Transport Protocol)

Authenticated - encrypted signaling and unencrypted media

Encrypted - encrypted signaling and encrypted media

The separate checkbox for TFTP Encrypted Config controls whether or not the CUCM server sends an encrypted TFTP configuration file to the phone. The encryption of the TFTP file is independent of the Device Security Mode settings, but an encrypted config file is recommended on phones that support it.

The Security Profile needs to be applied at the Device level, so the Bulk Administration Tool is the most appropriate method to apply this profile to a larger number of phones.


Adding Phone Security to a CM cluster brings an additional layer that must be considered when planning and performing administrative tasks. Items such as certificates and certificate expiration dates should be taken into consideration. Certain administrative operations like changing host names may require regenerating certificates and CTL files.

The troubleshooting section here supplements the official Troubleshooting Guide and will provide steps to identify the current state of a cluster and recommend any corrective action necessary.

Verification and Repair Checklist

1. Verify all certificates on all servers.

Collect serial numbers, Common Names, and expiration dates of current CAPF.pem and CallManager.pem certificates on all servers. The certificates loaded onto the CM servers are extremely important. Any mismatch in certificates on the servers could cause phone LSC download failures, configuration file authentication failures, or phone registration failures.

Here is the CAPF.pem certificate. Note the easily identifiable random string in the Common Name. This comes in handy as a quick verification tool. The CAPF.pem is used to sign LSCs (Locally Significant Certificates) and for the SSL handshake between the phone and the CAPF process.


This CAPF.pem expires in 2016, and was generated on April 5, 2011. These pieces of information tell us what dates to watch for in the future as well as what operations happened in the past.

This becomes more obvious when the CallManager.pem certificate is shown. Note that the CallManager.pem certificate also expires in 2016, but was generated on August 23rd, 2011. Some certificate regeneration operation must have been performed on the cluster on Aug 23rd. Remember that this certificate is used in the SSL handshake between phones and the CallManager, as well as by the TFTP process to sign files.


2. Verify CTL contents match current certificates.

After checking the certificate contents, the next item to view is the CTL file on all TFTP servers. The OS Administration SSH CLI provides a simple command called "show ctl". The header of the CTL file contains the date the CTL file was last generated, the CN (Common Name) of the USB eToken used to sign the CTL, and the eToken serial number.

Note that the CTL was generated AFTER the CallManager.pem certificate generation date above. This is good because the CTL file should contain the latest version of the CallManager.pem. If the CTL file had a date that was BEFORE the CallManager.pem or CAPF.pem file generation dates, the CTL Client would need to be run again to get the latest certificates.

admin:show ctl
Length of CTL file: 4712
The CTL File was last modified on Wed Aug 31 13:28:03 EDT 2011

        Parse CTL File

Version: 1.2
HeaderLength: 304 (BYTES)

------- ---             ------  -----
3       SIGNERID        2       117
4       SIGNERNAME      56      cn="SAST-ADN4e31f914 ";ou=IPCBU;o="Cisco Systems
5       SERIALNUMBER    10      BD:A3:02:00:00:00:D8:88:64:1F
6       CANAME          42      cn=Cisco Manufacturing CA;o=Cisco Systems

The first entry inside the CTL is the full certificate of the eToken. This eToken with a serial number of "ADN4e31f914" was the eToken used to sign the CTL file. The serial number is printed on the token packaging and on the token itself, so the serial number in the Subject CN (Common Name) can be helpful to match the tokens used during signing.

        CTL Record #:1
------- ---             ------  -----
3       SUBJECTNAME     56      cn="SAST-ADN4e31f914 ";ou=IPCBU;o="Cisco Systems
4       FUNCTION        2       System Administrator Security Token
5       ISSUERNAME      42      cn=Cisco Manufacturing CA;o=Cisco Systems
6       SERIALNUMBER    10      BD:A3:02:00:00:00:D8:88:64:1F
9       CERTIFICATE     894     67 EB 23 F8 F5 16 55 A9 8E C8 CB 8A 4F 9E A2 0A AB 45 B6 E6 (SHA1 Hash HEX)


This eToken was used to sign the CTL file.

Multiple tokens can also be included inside the CTL file. At least 2 eTokens must be present in a CTL file. One token will be used for signing, and the other token is simply present as a backup trust point. The phone will trust any CTL file signed by either of these two tokens.

This output shows that the following eToken wasn't used to sign the CTL file; it is just the backup eToken. To update the CTL file, at least one of the tokens inside the current CTL file must be found.

        CTL Record #:2
------- ---             ------  -----
3       SUBJECTNAME     56      cn="SAST-ADN5bbd7b14 ";ou=IPCBU;o="Cisco Systems
4       FUNCTION        2       System Administrator Security Token
5       ISSUERNAME      42      cn=Cisco Manufacturing CA;o=Cisco Systems
6       SERIALNUMBER    10      AA:C9:20:00:00:00:78:C4:2E:22
9       CERTIFICATE     895     A4 A3 8D 11 57 5A B8 E2 60 6E AF 4A 54 0A 20 B8 CA 0B D3 40 (SHA1 Hash HEX)


This eToken was not used to sign the CTL file.

The next record after the eTokens is the CallManager.pem certificate (denoted by function CCM+TFTP). This certificate is used by CM to sign configuration files and establish SSL connections between phones and the CM server if a Secure Profile is used on the phone.

Note that the serial number here matches the serial number in the CallManager.pem in the OS Admin page above. If this serial number differed between the two places, the CTL Client would need to be run to bring the CTL file in sync with what CM is actually using for a certificate.

        CTL Record #:3
------- ---             ------  -----
3       SUBJECTNAME     63      CN=CUCM8-Publisher.bbbburns.lab;OU=AS;O=Cisco;L=RTP;ST=NC;C=US
5       ISSUERNAME      63      CN=CUCM8-Publisher.bbbburns.lab;OU=AS;O=Cisco;L=RTP;ST=NC;C=US
9       CERTIFICATE     738     00 7A DE F4 25 26 7A FC 5E 02 B4 D2 BB A4 14 42 2B A5 A0 9C (SHA1 Hash HEX)


The final entry in the CTL file is the CAPF certificate. The serial number here also must match the OS Admin CAPF.pem, so phones are allowed to connect to the CAPF service. If there is a mismatch the same step of re-running the CTL Client must be performed.

        CTL Record #:4
------- ---             ------  -----
3       SUBJECTNAME     61      CN=CAPF-9c4cba7d;OU=TAC;O=Cisco;L=RTP;ST=North Carolina;C=US
5       ISSUERNAME      61      CN=CAPF-9c4cba7d;OU=TAC;O=Cisco;L=RTP;ST=North Carolina;C=US
6       SERIALNUMBER    8       0A:DC:6E:77:42:91:4A:53
9       CERTIFICATE     674     C7 3D EA 77 94 5E 06 14 D2 90 B1 A1 43 7B 69 84 1D 2D 85 2E (SHA1 Hash HEX)


The CTL file was verified successfully.

At the completion of this step, the CTL file will be in sync with the certificates loaded onto the CM servers.
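The two checklist steps above (certificate inventory, then CTL contents) lend themselves to a script. The following is an added Python example, not Cisco tooling or part of the original document: it parses the text of "show ctl" into its header and records and checks that at least two eTokens are present, that the signer is one of them, and that each node's CallManager.pem and CAPF.pem serial number and generation date are consistent with the CTL. The CTL text and the NODE_CERTS values are constructed from this page's output; the CCM+TFTP serial number and the subscriber node are assumptions.

```python
"""Cross-check 'show ctl' output against the certificates on each CUCM node.

Added example, not Cisco tooling.  SHOW_CTL is constructed from the record
layout on this page; NODE_CERTS stands in for the serial numbers and
generation dates read from OS Administration on each node."""
import re
from datetime import datetime

SAST = "System Administrator Security Token"
RECORD_LINE = re.compile(r"^(\d+)\s+([A-Z]+)\s+(\d+)\s+(.*?)\s*$")
MODIFIED_LINE = re.compile(
    r"last modified on \w{3} (\w{3} \d{1,2} \d\d:\d\d:\d\d) \w+ (\d{4})")

# Constructed from the page's output; the CCM+TFTP serial number is invented
# because the page does not show it.
SHOW_CTL = """\
The CTL File was last modified on Wed Aug 31 13:28:03 EDT 2011
Parse CTL File
Version: 1.2
3 SIGNERID 2 117
4 SIGNERNAME 56 cn="SAST-ADN4e31f914 ";ou=IPCBU;o="Cisco Systems
5 SERIALNUMBER 10 BD:A3:02:00:00:00:D8:88:64:1F
CTL Record #:1
3 SUBJECTNAME 56 cn="SAST-ADN4e31f914 ";ou=IPCBU;o="Cisco Systems
4 FUNCTION 2 System Administrator Security Token
6 SERIALNUMBER 10 BD:A3:02:00:00:00:D8:88:64:1F
CTL Record #:2
3 SUBJECTNAME 56 cn="SAST-ADN5bbd7b14 ";ou=IPCBU;o="Cisco Systems
4 FUNCTION 2 System Administrator Security Token
6 SERIALNUMBER 10 AA:C9:20:00:00:00:78:C4:2E:22
CTL Record #:3
3 SUBJECTNAME 63 CN=CUCM8-Publisher.bbbburns.lab;OU=AS;O=Cisco;L=RTP;ST=NC;C=US
4 FUNCTION 2 CCM+TFTP
6 SERIALNUMBER 8 11:22:33:44:55:66:77:88
CTL Record #:4
3 SUBJECTNAME 61 CN=CAPF-9c4cba7d;OU=TAC;O=Cisco;L=RTP;ST=North Carolina;C=US
4 FUNCTION 2 CAPF
6 SERIALNUMBER 8 0A:DC:6E:77:42:91:4A:53
The CTL file was verified successfully.
"""

# Publisher dates are the ones the page reports (CAPF.pem 5 Apr 2011,
# CallManager.pem 23 Aug 2011).  The subscriber's regenerated CAPF.pem is
# invented so that the checks have a mismatch to catch.
NODE_CERTS = {
    "CUCM8-Publisher": {
        "CCM+TFTP": ("11:22:33:44:55:66:77:88", datetime(2011, 8, 23)),
        "CAPF": ("0A:DC:6E:77:42:91:4A:53", datetime(2011, 4, 5)),
    },
    "CUCM8-Subscriber": {
        "CAPF": ("01:02:03:04:05:06:07:08", datetime(2011, 9, 20)),
    },
}


def parse_show_ctl(text):
    """Return (modified, header, records); header/records map tag name -> value.

    The local timezone abbreviation (EDT) is dropped because strptime does
    not parse it; the comparison is date-level anyway."""
    modified, header, records = None, {}, []
    current = header
    for line in text.splitlines():
        m = MODIFIED_LINE.search(line)
        if m:
            modified = datetime.strptime(" ".join(m.groups()), "%b %d %H:%M:%S %Y")
        elif line.startswith("CTL Record #:"):
            current = {}
            records.append(current)
        else:
            m = RECORD_LINE.match(line)
            if m:
                current[m.group(2)] = m.group(4)
    return modified, header, records


def check_ctl(text, node_certs):
    """Apply this page's checklist; return a list of findings (empty = in sync)."""
    modified, header, records = parse_show_ctl(text)
    findings = []
    tokens = [r for r in records if r.get("FUNCTION") == SAST]
    if len(tokens) < 2:
        findings.append("fewer than two eTokens in the CTL: no backup signer")
    if header.get("SERIALNUMBER") not in {t.get("SERIALNUMBER") for t in tokens}:
        findings.append("CTL signer serial is not one of the SAST records")
    for node, certs in node_certs.items():
        for function, (serial, generated) in certs.items():
            in_ctl = {r.get("SERIALNUMBER") for r in records
                      if r.get("FUNCTION") == function}
            if serial not in in_ctl:
                findings.append(f"{node}: {function} serial {serial} not in CTL "
                                f"{sorted(in_ctl)}; re-run the CTL Client")
            if modified and generated > modified:
                findings.append(f"{node}: {function} generated {generated:%Y-%m-%d} "
                                f"after CTL {modified:%Y-%m-%d}; re-run the CTL Client")
    return findings
```

Run against the publisher alone the result is an empty list; the constructed subscriber produces two findings (serial mismatch and a CAPF.pem newer than the CTL), which is exactly the condition that calls for re-running the CTL Client.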

3. Verify CM serves TFTP CTL file

The next item to check in the troubleshooting process is whether or not the CM server is providing a CTL file via TFTP. A quick way is to take a packet capture at the IP Phone or the CM TFTP server. Here the phone requests the CTL file as the first file it downloads at boot.


The phone requested a CTL file, and if the filter on the previous capture is removed the transfer of that file can be viewed in detail.

Another method to verify the CTL file is downloaded is to look at the Phone Console logs under the web page of the phone. This requires the setting "Web Access" under "CCMAdmin > Device > Phone > Product Specific Configuration" to be "Enabled".


Here the console logs show the CTL file was downloaded:

837: NOT 09:13:17.561856 SECD: tlRequestFile: Request CTLSEP0011215A1AE3.tlv
846: NOT 09:13:17.670439 TFTP: [27]:Requesting CTLSEP0011215A1AE3.tlv from
847: NOT 09:13:17.685264 TFTP: [27]:Finished --> rcvd 4762 bytes

In addition to packet captures and phone console logs, the TFTP traces also show TFTP file transfers. Here is a shortcut to view the current TFTP trace in real time as a phone resets.

admin:file tail activelog cm/trace/ctftp/sdi recent
11:08:20.766 |TFTPEngine::isReadRequest[0x9950830~188~], [CTLSEP0011215A1AE3.tlv] opcode(1), Mode(octet), Serving Count(0)
11:08:20.779 |TID[a5a4fba0] TFTPEngine::processMessage[0x9950830~188~], Transferred[CTLFile.tlv] Socket[5]

4. Verify phone properly validates and accepts the CTL file.

After verifying the CUCM server is presenting a valid CTL file, the next step is for the phone to validate that CTL file.

Phone console logs also show that the CTL file signature (the eToken signer) was trusted:

877: NOT 09:13:17.925249 SECD: validate_file_envelope: File sign verify SUCCESS; header length <296>

Status Messages displayed on the phone can also be helpful to verify a CTL file was downloaded successfully.

Either in the Status Messages web page of a phone, or under the phone itself "Settings > Status > Status Messages", the following line means a CTL file (or ITL file) has been successfully downloaded and verified:

16:01:16 Trust List Updated

If the phone could not validate the new CTL file, the error message would be one of:

Trust List Update Failed
Trust List Verification Failed

If the phone fails to validate the CTL file, that means the phone's existing Certificate Trust List does not have the same eTokens inside of it that the newly downloaded CTL was signed with, or that the newly downloaded CTL was corrupt.

A corrupt CTL can be checked with "show ctl", looking for the output "The CTL File was verified successfully", or the error condition "Verification of the CTL File Failed". Generally a corrupt CTL file can be repaired by running the CTL Client.

If the phone's old CTL file contains only eTokens that are no longer available, the CTL File will need to be deleted from the phone manually.

At this point the dilemma is "Did the phone download the latest CTL File?". The Status Messages and Phone Console logs can be used for verification, but other methods also exist.

The simplest method for verifying if a number of phones have the correct file is to compare the file sizes of the CTL file on the phone with the file size on the TFTP server.

First, create an SSH username and password for the IP Phone under CCMAdministration and enable SSH on the phone. Reset the phone.

Next SSH to the phone with the configured username and password. When prompted for the second login use "default / user". This example discusses 7961 and similar model phones. Use the following debug guide for 89XX and 99XX model phones.

From the phone:

$ ls -l /tmp/*.tlv
-rw-r--r-- 1 default usr 4712 Oct 04 19:15 /tmp/CTLFile.tlv
-rw-r--r-- 1 default usr 3899 Oct 04 19:15 /tmp/ITLFile.tlv

From the TFTP server:

admin:file list tftp *.tlv detail
31 Aug,2011 13:28:03 4,712 CTLFile.tlv
16 Sep,2011 11:15:45 3,899 ITLFile.tlv

That method is a close approximation based on the size of the file. For an exact comparison of the contents, first look at the IP Phone to view the md5sum of the current CTL and ITL files.

Settings > Security Settings > Trust List


In 8.6(2) and later versions of Communications Manager this hash should be visible on the server with "show ctl" and "show itl". Prior to 8.6(2), use TFTP and md5sum to verify the hash of this file as it exists on the server. This example checks the hash of the ITL file. Just replace ITL with CTL and the example will work for both files.

[email protected] /data/trace/jasburns/certs/SBD $ tftp
tftp> get ITLSEP0011215A1AE3.tlv
Received 5438 bytes in 0.0 seconds
tftp> quit

[email protected] /data/trace/jasburns/certs/SBD $ md5sum ITLSEP0011215A1AE3.tlv
b61910bb01d8d3a1c1b36526cc9f2ddc ITLSEP0011215A1AE3.tlv

5. Verify CTL contents on phone

A shortcut to verifying that the CTL file on the phone matches exactly byte for byte with the file on the server is just to quickly look at the phone's Trust List.

Settings > Security Settings > Trust List > CTL File


The name of the CM / TFTP server does match with the name of this server's CallManager.pem file.

The CAPF-<random string> also matches the CAPF.pem certificate that is currently in use.

6. Verify SSL connection between phone and CAPF service if using LSCs

Now that the phone has a CAPF (Certificate Authority Proxy Function) certificate via the CTL, the phone can connect to CAPF to download a certificate.

A packet capture on the CM server can be used to verify the CAPF SSL handshake completed. Here the filter captures all traffic from the IP of the phone. Then the file is uploaded to another server using SFTP and the "file get" command.

admin:utils network capture host ip size ALL count 10000 file CAPF-Install

admin:file get activelog platform/cli/CAPF-Install.cap

The packet capture shows the SSL handshake that happens on the CAPF port, TCP 3804. To view this exchange, right click on any packet in the TCP port 3804 stream and go to "Decode As".

Here the certificate presented by the CAPF server matches the certificate in the CTL, and the certificate the phone displayed earlier. This SSL handshake succeeded because it started sending "Application Data", which would be the CAPF exchange.


Subsequently, the phone has an LSC installed:


If that process had failed despite the SSL handshake success, the next spot to examine would be the CAPF traces. If the SSL handshake failed, it would be time to check the CAPF certificate and update the CTL file again with the CTL Client.


The CAPF traces show that the phone connects, generates a key (which takes some time as seen by the gap in traces), then the CAPF server generates a certificate for the phone.

10:03:06.983 | debug 3:UNKNOWN:Got a new ph conn on 15

10:03:08.060 | debug TLS HS Done for ph_conn .

10:03:08.065 | debug MsgType : CAPF_MSG_AUTH_REQ

10:03:08.341 | debug MsgType : CAPF_MSG_REQ_IN_PROGRESS

10:03:08.341 | debug 3:SEP0011215A1AE3:CAPF CORE: Rcvd Event: CAPF_EV_REQUEST_IN_PROGRESS in State: CAPF_STATE_AWAIT_KEY_GEN_RES

10:03:21.148 | debug 3:SEP0011215A1AE3:Incoming Phone Msg:

10:03:21.158 | debug MsgType : CAPF_MSG_KEY_GEN_RES

10:03:21.162 | debug Generated the cert

10:03:21.724 | debug 3:SEP0011215A1AE3:Certificate upgrade successful

7. Verify SSL connection between phone and CM server for registration

Now that the phone has a CTL and LSC, the next step is secure phone registration. For SCCP phones this happens on TCP Port 2443.

Use the same steps as before to capture all packets from this specific phone.

The first thing that's different is the phone downloading SEP<MAC Address>.cnf.xml.enc.sgn. This signifies an encrypted TFTP configuration file, as set under the Device Security Profile.

Here the phone connects on TCP port 2443, so this port must be Decoded As SSL in Wireshark. The CUCM presents the CallManager.pem certificate (verifiable by serial number and common name) and then asks for the certificate of the phone. As before the SSL handshake completed successfully since the Application Data phase is reached.


In addition to the packet capture, phone registration via Secure SCCP is also visible in the Cisco CallManager SDI traces:

10:38:26.621 |SdlSSLTCPListener::verify_cb pre-verified=1,cert verification errno=0,depth=0

10:38:26.626 |New connection accepted. DeviceName=, TCPPid = [], IPAddr=, Port=51948,

10:38:29.051 |StationD: (0000048) ClusterSecurityMode = (1) DeviceSecurityMode = (3)

10:38:29.051 |StationD: (0000048) TLS Connection Cipher - INFO:deviceName=SEP0011215A1AE3, Cipher=AES128-SHA, Security Mode=3

8. Verify Encrypted Calls

Calls that have both encrypted signaling and encrypted media will show the lock icon in the lower right corner of the call window. This corresponds to Device Security Mode: Encrypted.


Calls that use encrypted signaling between both ends, but that do not use encrypted media will show the shield icon. This corresponds to Device Security Mode: Authenticated.


The security status of the least secure party is used to determine which icon is displayed and what call security is used. Take a look at the following table for examples:

Phone A      Phone B         Icon Displayed
Encrypted    Encrypted       Lock - Encrypted Audio
Encrypted    Authenticated   Shield - Unencrypted Audio
Encrypted    None            None - Unencrypted Audio


Jason Burns Tue, 07/17/2012 - 11:43

Verifying that the voice packets are SRTP is a little more difficult. The encrypted RTP packets will have the same payload type as the unencrypted RTP packets, but they won't decode properly when you try to play them back. They'll just be static. You can check the signaling to ensure that SCCP or SIP or H.323 or MGCP negotiated SRTP, and then when looking at the packet capture make sure that the RTP (SRTP after encryption) is unable to be played back in any audio tools.

For instance, G.711 RTP packets will have 7F7F7F7F7F7F in the RTP payload whenever silence is on the line. When you turn on SRTP and have silence you will see random encrypted data instead of the repeating 7F pattern.

Another giveaway is that the RTP payload will be slightly larger when SRTP is in use. For example G.711u @ 20msec packetization has a payload size of 160bytes per packet. Looking at G.711ulaw in an RTP packet capture will show 160 bytes payload. In an SRTP stream the payload will show 164 bytes for each packet.
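To make the payload-size and silence-pattern checks from the comment above repeatable over a capture, here is an added Python example (not written by the comment's author) that parses a raw RTP header and classifies the payload. The two sample packets are constructed in the code; the 4-byte authentication tag is inferred from the 164 versus 160 byte observation and 0x7F is taken as the G.711u silence byte the comment describes.

```python
"""Classify RTP payloads as cleartext or SRTP-like from a packet capture.

Added example, not from the comment's author.  Assumptions: G.711 at 20 ms
(160-byte payload), a 4-byte SRTP authentication tag (the 164 - 160 bytes
observed in the comment), and 0x7F as the G.711u silence byte it mentions.
Both sample packets are constructed here."""
import hashlib
import struct

G711_20MS_BYTES = 160
SRTP_AUTH_TAG_BYTES = 4          # assumption: 32-bit auth tag (164 - 160)
PCMU_SILENCE = 0x7F              # silence pattern quoted in the comment
G711_PAYLOAD_TYPES = {0: "PCMU", 8: "PCMA"}   # static RTP payload types


def parse_rtp(packet):
    """Split a raw RTP (or SRTP) packet into header fields and payload.

    Handles the CSRC list and a header extension, both of which stay in the
    clear under SRTP.  Padding is not stripped because under SRTP the pad
    count byte lies inside the encrypted region.  Returns None if malformed."""
    if len(packet) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:                      # RTP version must be 2
        return None
    cc, has_ext = b0 & 0x0F, (b0 >> 4) & 1
    offset = 12 + 4 * cc
    if has_ext:
        if len(packet) < offset + 4:
            return None
        ext_words = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    if len(packet) < offset:
        return None
    return {"pt": b1 & 0x7F, "marker": b1 >> 7, "seq": seq,
            "ts": ts, "ssrc": ssrc, "payload": packet[offset:]}


def classify_packet(packet):
    """Return (verdict, reasons); verdict is 'rtp', 'srtp-likely' or 'unknown'."""
    rtp = parse_rtp(packet)
    if rtp is None:
        return "unknown", ["not a well-formed RTP header"]
    payload, reasons = rtp["payload"], []
    codec = G711_PAYLOAD_TYPES.get(rtp["pt"])
    distinct = len(set(payload))
    if codec and len(payload) == G711_20MS_BYTES:
        reasons.append(f"{codec} payload is {len(payload)} bytes: plain 20 ms frame")
        verdict = "rtp"
    elif codec and len(payload) == G711_20MS_BYTES + SRTP_AUTH_TAG_BYTES:
        reasons.append(f"{codec} payload is {len(payload)} bytes: 160 + "
                       f"{SRTP_AUTH_TAG_BYTES}-byte auth tag")
        verdict = "srtp-likely"
    else:
        verdict = "unknown"
    if payload and distinct == 1:
        reasons.append(f"constant 0x{payload[0]:02X} payload: silence in the clear")
        verdict = "rtp"
    elif distinct > 90:                   # ~120 distinct expected for 160 random bytes
        reasons.append(f"{distinct} distinct byte values: ciphertext-like")
        if verdict != "rtp":
            verdict = "srtp-likely"
    return verdict, reasons


def build_rtp(pt, seq, ts, ssrc, payload, marker=0):
    """Assemble a minimal RTP packet (V=2, no padding, extension or CSRC)."""
    return struct.pack("!BBHII", 0x80, (marker << 7) | pt, seq, ts, ssrc) + payload


def pseudo_random(n, seed=b"constructed-srtp-sample"):
    """Deterministic stand-in for SRTP ciphertext plus tag (SHA-256 counter stream)."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                   for i in range((n + 31) // 32))
    return out[:n]


# Constructed samples: a cleartext PCMU silence frame and an SRTP-like frame.
SILENCE_RTP = build_rtp(0, 1, 160, 0x11223344, bytes([PCMU_SILENCE]) * G711_20MS_BYTES)
SRTP_LIKE = build_rtp(0, 1, 160, 0x11223344,
                      pseudo_random(G711_20MS_BYTES + SRTP_AUTH_TAG_BYTES))

if __name__ == "__main__":
    for name, pkt in (("silence", SILENCE_RTP), ("srtp-like", SRTP_LIKE)):
        print(name, *classify_packet(pkt))
```

In practice you would feed classify_packet the UDP payloads of one SSRC from a capture and expect every packet to land on the same verdict; a mixed result means the negotiated mode and the media on the wire disagree.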

wilsonsant Thu, 09/15/2016 - 06:19

Hi Jason and Guys,

I would like to know if this procedure applies to CUCM 10.x. If not, what is recommended?



pkinane Thu, 09/15/2016 - 07:04

Hello Wilson,

Please clarify what you mean by "this procedure". Do you mean validating whether media is SRTP versus RTP? If this is what you mean, the only way to be truly sure is via a pcap.

If you mean how to get the cluster in mixed mode, there is a new way since version 10.0.1. The old way with USB tokens is still an option as well.



wilsonsant Thu, 09/15/2016 - 07:54

Hi Patrick,

My question was about cluster in mixed mode.

Thanks a lot for the explanation and the link.



Canisio Barth Junior Sat, 06/22/2013 - 07:50

I am trying to establish a VPN connection (VPN phone) with MIC certificate authentication, but I get the following error: "cannot establish a vpn due invalid certificate". When I choose user/password authentication it works fine.

I updated all the certificates on the ASA (Cisco_manufacturing_CA, Callmanager, CAPF, Ca-RTP-001, CA-RTP-002); my cluster is in mixed mode. The phone does not have an LSC installed.

On the ASA, the commands "debug crypto ca messages" and "debug crypto ca 255" give the following output:

CRYPTO_PKI: looking for cert in handle=c69d1d70, digest=

90 e0 fc b0 81 1c b7 2c fd a0 02 07 f6 73 2c 80    |  .......,.....s,.

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND

CRYPTO_PKI: looking for cert in handle=c69d1d70, digest=

a9 11 6f c1 d4 d7 21 22 92 19 e9 3a 1e 9b 8e c5    |  ..o...!"...:....

Can anyone please help me?

Canisio Barth Junior Sat, 06/22/2013 - 08:12

If I generate a new CTL file with the same tokens that generated the CTL file installed on the phones, will it be necessary to delete the old CTL manually, or will the phones upload the new CTL file when they boot? My cluster is in mixed mode and I have 7940, 7975 and 9971 phones.

Jason Burns Mon, 06/24/2013 - 14:50


The 7975 and 9971 will work without any problem.

The 7940 will need to have the CTL deleted OR you will need to update their CTL file to add in the new address of the TFTP server in the old cluster's CTL file.

This is because the older 7940 and 7960 phones have a strict requirement where they ONLY trust TFTP servers if the address of the server is inside the CTL file. Newer model phones got rid of this requirement and will trust a TFTP server at any address as long as the certificate signature matches.

Canisio Barth Junior Mon, 06/24/2013 - 17:17


a) I have two CallManagers (publisher and subscriber) and they are configured in mixed mode. I checked that the CAPF.pem on the subscriber was issued after the CTL file (the publisher's was before); maybe someone regenerated the CAPF.pem on the subscriber and did not rerun the CTL Client. The question is: if I regenerate CAPF on the publisher and then rerun the CTL Client, will the new CAPF certificate be installed on the publisher and the subscriber? Should this certificate be identical on both servers?

b) Since the CAPF.pem on the publisher and the subscriber are different, can CAPF not work properly? I tried to install an LSC but it is not working; on the 9971 phones the status messages show "No valid CAPF server".

c) Regarding your last answer about the 7940: if I just regenerate CAPF and rerun the CTL Client (not changing the TFTP address), will it not be necessary to delete the CTL file manually?

d) I also checked that the ITL file does not have an entry for CAPF. Could that impact the CAPF functionality?

Kind Regards


fgasimzade Mon, 06/24/2013 - 04:40

Hello everyone!

I get this error for some IP phones, which suddenly started to unregister

ERR 04:27:43.534321 SECD: EROR:clpSndStatus: ** SEC-ERR: code:5(SSL_ALERT) subcode:45(EXPIRED_CERT)

ERR 04:27:43.534514 SECD: EROR:clpSndStatus: ** SEC-ERR: desc <certificate expired>

Which certificate is that, since all my certificates on the Call Manager are OK except one which expired in 2012?

Nicolas MICHEL Tue, 12/03/2013 - 07:55

Hi Jason and thanks for your document, it is really interesting

I am also reading the Secure Cisco IP Telephony book from Cisco Press and something has piqued my interest.

  • Extension Mobility is disabled on protected phones (SRTP)
  • Shared line configuration is not available on Protected Phones

Can you please confirm this?

Thanks a lot


Akhil Behl Sun, 12/15/2013 - 07:45

Hi Nicolas,

Appreciate your comment here. Please have a look at the CUCM security guide:

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/8_5_1/secugd/sec-851-cm/sectone.html#wp1088343

As it mentions, with secure tone certain features are impacted, and the ones you mentioned are disabled when using protected tone.

Feel free to ask any other queries you may have.


Akhil Behl

Marcin Nowacki Thu, 12/12/2013 - 22:05

Hi, our customer lost his USB tokens, bought a few years ago. Is it possible to turn off security (default) in CUCM without tokens, or will he be prompted for them during this process?

Akhil Behl Sun, 12/15/2013 - 07:46

Hi Marcin,

Yes, you'll need the security tokens to return from mixed mode to non-secure mode. Any change, including inclusion of a new server, deletion of a server, or a change from secure to non-secure or vice versa, requires the use of eTokens.

Please read chapter 9 and Appendix A of Securing Cisco IP Telephony Networks for more insight into CUCM security specifics as well as details on UC Security for all UC applications.


Akhil Behl

David Schwarzhans Wed, 03/26/2014 - 06:32


I'm new to the securing part of CUCM and have a (maybe dumb) question. Is it possible to use one token pair for multiple installations of CUCM cluster? For example taking the token to test everything in the lab and after success taking the very same token to deploy it in a live system.


jsteinberg Thu, 01/15/2015 - 05:49

Hello Jason,

Any plans to update this article with the new UCM 10.0 'utils ctl' commands to generate CTLs without the USB Security Tokens ?

Hina Jabeen Wed, 10/28/2015 - 07:41


A very good document indeed. Can you please confirm the process is the same for 10.5?

Sergey Solomin Wed, 11/18/2015 - 17:01


Thank you for the document. I have the following question related to the topic.

With CUCM 10.5 and 802.1x integration using third-party signed certificates I have to activate CAPF.

If I understand correctly even if I don't want to encrypt media I will have to add CTL to phones in order to have the above, correct?

Do I understand correctly that if I use CLI command

utils ctl set-cluster non-secure-mode

I will create the CTL file but no media encryption will be enabled?

Thank you


pkinane Wed, 11/25/2015 - 04:31


This command moves a mixed mode cluster to non-secure.

Please read this.

Sergey Solomin Wed, 11/25/2015 - 15:15

Thanks, I've seen the document.

Let me re-phrase my question: Is it correct that in order to have CUCM 10.5 and 802.1x integration using third-party signed certificates (through CAPF) CTL deployment is not needed (ITL is sufficient)?

Thank you and best regards,


christos.georgiadis Thu, 11/26/2015 - 02:22


Correct me if I am wrong. You want to push the LSC certificate to the phone (through CAPF) but you do not want to create the CTL file.

If that is the case then it is not possible. The CTL file contains the certs that the phone will trust, and one of them is the CAPF. It needs to download the CTL file (to get the CAPF cert) and then to connect to CAPF (using the CAPF cert from the CTL) in order to get the LSC cert.

At least that is my understanding



Sergey Solomin Thu, 11/26/2015 - 15:53

Hi Christos,

actually the ITL has the CAPF certificate.

"The final function included in the ITL file is CAPF (Certificate Authority Proxy Function). This certificate allows the phones to establish a secure connection to the CAPF service on the CM server so the phone can install or update an LSC (Locally Significant Certificate). " from here:


another good document BTW and looks like one more coming ...


christos.georgiadis Fri, 11/27/2015 - 01:17

Indeed! Thanks for the info Sergey. Then in theory I do not see why you would need to have the CTL file if you only need to connect to the CAPF to generate an LSC.

The CTL is typically used for encryption and media

But in practice  you will need to set the cluster security mode to mixed and as soon as you do that the ctl file will be created and pushed to the phones.

That's what I think but it is just a mental exercise for me :) I have never done it



pkinane Mon, 11/30/2015 - 04:31

I didn't reply because I, like you, saw no reason why you couldn't use the ITL file to get an LSC installed. Every document I reviewed says you need to have the CTL on a phone to authenticate using the CAPF entry. This made no sense to me because there is a CAPF entry in the ITL; furthermore, even if there was no CAPF entry in the ITL (which there is) the phone should be able to rely on the TVS servers to validate the CAPF.

I tested in the lab and I've been successful with installing an LSC on a 9951, but both 7975 phones stay in operation pending status (there may be some other underlying cause with the 7975s that I can troubleshoot when I get in the office as both 7975 phones show TL update failed and the 9951 shows success).

admin:show ctl
Length of CTL file: 0
CTL File not found. Please run CTLClient plugin to generate the CTL file.
Error parsing the CTL File.

admin:show itl
Length of ITL file: 4521
The ITL File was last modified on Fri Nov 27 08:02:11 EST 2015

        Parse ITL File

----- OUTPUT REMOVED -----

        ITL Record #:1
------- ---             ------  -----
1       RECORDLENGTH    2       441
2       DNSNAME         2
3       SUBJECTNAME     54      CN=CAPF-9537322d;OU=cucm tac;O=cisco;L=rtp;ST=nc;C=US
4       FUNCTION        2       CAPF
5       ISSUERNAME      54      CN=CAPF-9537322d;OU=cucm tac;O=cisco;L=rtp;ST=nc;C=US
6       SERIALNUMBER    8       24:BA:66:17:F3:91:07:6B
7       PUBLICKEY       140
8       SIGNATURE       128
11      CERTHASH        20      92 92 32 4B D6 49 42 DC 2D 68 1F 51 2A B1 D0 03 8C 5C CE B0
12      HASH ALGORITHM  1       SHA-1

----- OUTPUT REMOVED -----

The ITL file was verified successfully.

admin:show version active
Active Master Version:
Active Version Installed Software Options:
No Installed Software Options Found.
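The record dump above is the part of `show itl` (and `show ctl`) that tells you which trust functions a phone will accept. As an added example, not from the original thread or from Cisco, the following Python parses that record table into dictionaries so a defender can confirm that a CAPF entry is present before troubleshooting an LSC install. The sample output is constructed with placeholder certificate values; treating CERTHASH as the SHA-1 of the DER-encoded certificate is my assumption, drawn from the 20-byte length and the SHA-1 HASH ALGORITHM field.

```python
"""Parse the record table printed by CUCM's `show itl` / `show ctl` and
report which trust functions (CAPF, TVS, CCM+TFTP, ...) it carries.

Added example; not Cisco's code and not part of the original document.
"""
import base64
import hashlib
import re
from typing import Dict, List, Optional

# Constructed sample in the layout the thread shows: "<tag> <NAME> <len> <value>".
# Certificate subjects, serials and hashes are placeholders, not real values.
SAMPLE_SHOW_ITL = """\
Length of ITL file: 4521
        Parse ITL File

        ITL Record #:1
------- ---             ------  -----
1       RECORDLENGTH    2       441
2       DNSNAME         2
3       SUBJECTNAME     54      CN=CAPF-EXAMPLE;OU=lab;O=example;L=city;ST=st;C=US
4       FUNCTION        2       CAPF
5       ISSUERNAME      54      CN=CAPF-EXAMPLE;OU=lab;O=example;L=city;ST=st;C=US
6       SERIALNUMBER    8       00:11:22:33:44:55:66:77
7       PUBLICKEY       140
8       SIGNATURE       128
11      CERTHASH        20      00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33
12      HASH ALGORITHM  1       SHA-1

        ITL Record #:2
------- ---             ------  -----
1       RECORDLENGTH    2       450
3       SUBJECTNAME     52      CN=cucm-pub;OU=lab;O=example;L=city;ST=st;C=US
4       FUNCTION        2       TVS
11      CERTHASH        20      FF EE DD CC BB AA 99 88 77 66 55 44 33 22 11 00 FF EE DD CC
12      HASH ALGORITHM  1       SHA-1

The ITL file was verified successfully.
"""

# "ITL Record #:1" or "CTL Record #:1" opens a new record.
RECORD_HDR = re.compile(r"^\s*(ITL|CTL) Record #:(\d+)\s*$")
# tag, field name (may contain one space, e.g. "HASH ALGORITHM"), length, optional value
FIELD = re.compile(r"^(\d+)\s+([A-Z][A-Z ]*?)\s{2,}(\d+)(?:\s+(.*))?$")


def parse_trust_list(text: str) -> List[Dict[str, str]]:
    """Return one dict per record; keys are the field names, values the text column."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        hdr = RECORD_HDR.match(line)
        if hdr:
            current = {"_type": hdr.group(1), "_record": hdr.group(2)}
            records.append(current)
            continue
        if current is None:          # preamble lines before the first record
            continue
        field = FIELD.match(line)
        if field:
            _tag, name, _length, value = field.groups()
            current[name] = (value or "").strip()
    return records


def functions_present(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each FUNCTION value (CAPF, TVS, ...) to the subject names carrying it."""
    by_func: Dict[str, List[str]] = {}
    for rec in records:
        by_func.setdefault(rec.get("FUNCTION", "?"), []).append(rec.get("SUBJECTNAME", ""))
    return by_func


def capf_cert_hash(records: List[Dict[str, str]]) -> Optional[str]:
    """CERTHASH of the CAPF entry as lowercase hex, or None if the list has no CAPF
    record. A phone without a trusted CAPF entry cannot complete an LSC install."""
    for rec in records:
        if rec.get("FUNCTION") == "CAPF":
            return rec["CERTHASH"].replace(" ", "").lower()
    return None


def pem_sha1_fingerprint(pem: str) -> str:
    """SHA-1 over the DER bytes of a PEM certificate, for comparison with CERTHASH.
    Assumption (not stated on the page): CERTHASH is the SHA-1 of the DER cert."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return hashlib.sha1(base64.b64decode(body)).hexdigest()


if __name__ == "__main__":
    recs = parse_trust_list(SAMPLE_SHOW_ITL)
    print("functions:", functions_present(recs))
    print("CAPF hash:", capf_cert_hash(recs))
```

To compare a phone's trust list with what the server actually serves, export the CAPF certificate from OS Administration as PEM and check that `pem_sha1_fingerprint` of it equals `capf_cert_hash` of the parsed `show itl` output; a mismatch means the phone is trusting a stale CAPF certificate and the ITL/CTL needs to be regenerated and re-downloaded before an LSC install will succeed.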

pkinane Mon, 11/30/2015 - 04:57

After resolving the ITL issue I had on the 7975s I was able to install the LSC without the cluster being in mixed-mode, and without the phone having a CTLFile.

Something worth noting is that you will not be able to do secure signalling or media without being in mixed-mode. I've not tested 802.1x after installing an LSC using only the ITLFile; however, I don't see any reason why 802.1x with certificate authentication won't work with this kind of setup as the LSC is still signed by CAPF.

Cisco Guardian Tue, 12/22/2015 - 20:57

"The next record after the eTokens is the CallManager.pem certificate (denoted by function CCM+TFTP). This certificate is used by CM to sign configuration files and establish SSL connections between phones and the CM server if a Secure Profile is used on the phone." This is the statement you mentioned on section 2.

I have a clarification on this. When the user uses secure corporate directory or Secure EM login, the callmanager.pem certificate will be used in the SSL connection between the phone and CUCM and not the tomcat certificate?


pkinane Thu, 02/04/2016 - 09:24

The callmanager.pem certificate will be used to sign files the phone will request. Extension Mobility is a service not a file.

I think the part that caused confusion is this: "establish SSL connections between phones and the CM server if a Secure Profile is used on the phone." I believe the topic here is signalling.

The tomcat certificate will be used when you are doing secure EM. The CTL file will have nothing to do with verifying the tomcat certificate as it doesn't have the entries for doing so. Instead it will be the ITL file (specifically the TVS entry in the ITL file) that verifies the tomcat cert.

Cisco Guardian Wed, 12/23/2015 - 15:24

Thanks pkinane... It makes sense.

Also, I guess when the user uses secure corporate directory the phones will be presented with the tomcat certificate during the SSL connection process and the phone will use the ITL file's TVS servers to verify this tomcat certificate. Am I correct?

I understand that the Callmanager.pem certificate is responsible for signing the TFTP configuration files; are there any other files that this certificate signs?

Thanks again.

