SPA Certificate Authority (CA) List

Document

Apr 2, 2012 3:00 PM
Apr 2nd, 2012

Cisco SPA series phones and ATAs can use certificate-authenticated HTTPS (SSL) sessions to ensure secure provisioning. For a provisioning server to be acceptable to the SPA phone or ATA, the server must present a certificate signed by Cisco's Certificate Authority (CA).

Over the years, we have added certificate authorities (CA) as needed and for administrative reasons.

An HTTPS server used for device provisioning must use a certificate signed by the appropriate CA for the device.

To obtain this certificate, you must submit a certificate signing request (CSR) by following the CSR instructions.

When submitting the CSR, you must list the device types that you want to provision so we know what certificates to generate for you.

Following is a list to help you identify the appropriate CA associated with your device:

  • Linksys CA:
    • PAP2
    • WRTP
    • RTP
  • Sipura CA:
    • PAP2T
    • WRP400
    • SPA2xxx (SPA2000 and SPA2102)
    • SPA3xxx (SPA3000 and SPA3102
    • SPA9xx (SPA901, SPA921, SPA922, SPA941, SPA942, SPA962)
    • SPA5xx (SPA501G, SPA502G, SPA504G, SPA508G, SPA509G, SPA525G, SPA525G2)
  • Cisco Small Business (SB) CA:
        • SPA1xx (SPA112 and SPA122)
        • SPA3xx (SPA301 and SPA303)
        • SPA51x (SPA512 and SPA514)
        • SRP5xx (SRP521 and SRP541)

      Note:

      An HTTPS server can only present a single certificate per IP address:port

      To securely provision devices associated with multiple CAs, you will need to implement multiple HTTPS services. You can use any one or a combination of the following options:

      • Deploy multiple computers with one network interface card (NIC) per computer, each performing the role of a CA

      Example:

      • Deploy a single computer with multiple NICs where each NIC has a unique IP address where each IP address performs the role of a unique CA

      Example:

      • Deploy a single computer with a single NIC where unique ports are used and each unique port is associated with a unique CA


      <end of original document>


      <Start of note from >

      Informations in such documents seems to be either obsolete or invalid from  scratch. Most devices accept more than one CA, so multiple HTTPS  server as suggested by document may be overkill in some cases. But I will leave original ocument above, because I can't test all types and firmware versions.

      See table bellow for real cross-compatibility list. It is based on real test of mentioned devices.

      Device \ CALinksys CA
      Sipura CA
      Cisco SB CA
      Verisign
      PAP2T, 5.1.6(LS)OKOKNONO
      SPA112, 1.3.1(003)OKOKOKNO
      SPA232D, 1.3.1(003_240)OKOKOKNO
      SPA-962, 6.1.5(a)OKOKNO?
      SPA508G, 7.5.4OKOKOKNO
      SPA525G2, 7.5.4OKOKOK?

      Note:

      Linksys CA:

      /C=US/ST=California/L=Irvine/O=Cisco Linksys, LLC./OU=Cisco Linksys Certificate Authority

      /CN=Cisco Linksys Provisioning Root Authority 1/emailAddress=linksys-certadmin@cisco.com

      Serial: D0:7D:8A:7B:AD:BA:7C:B6:44:69:98:B1:EA:89:87:9F

      Sipura CA:

      /C=US/ST=California/L=San Jose/O=Sipura Technology, Inc./OU=Sipura Technology Certificate Authority

      /CN=Sipura Technology Provisioning Root Authority 1/emailAddress=webmaster@sipura.com

      Serial: 45:BF:48:C0:CE:B8:8F:7B:C8:E1:6D:85:62:5A:5B:8F

      CiscoSB CA:

      /C=US/ST=California/L=San Jose/O=Cisco Small Business/OU=Cisco Small Business Certificate Authority

      /CN=Cisco Small Business Provisioning Root Authority 1/emailAddress=ciscosb-certadmin@cisco.com

      Serial: D0:7D:8C:15:C0:BA:7C:B6:44:69:98:B1:EA:89:87:9F

      Verisign CA (based on informations in SPA5xx IP Phone 7.x Firmware Update Information):

      /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

      Serial: 70:BA:E4:1D:10:D9:29:34:B6:38:CA:7B:03:CC:BA:BF

      or

      /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05

      /CN=VeriSign Class 3 Secure Server CA

      Serial: 75:33:7D:9A:B0:E1:23:3B:AE:2D:7D:E4:46:91:62:D4

      Note: according Verisign (now Symantec) tech support, VeriSign Class 3 Secure Server CA based certificates are no longer issued. Class 3 Public Primary Certification Authority rooted certificates are sold under product name "Secure Site" and "Secure Site Pro".

      Average Rating: 4 (1 ratings)

      Comments

      Dan Lukes Sat, 02/09/2013 - 09:16

      I see no SPA232D in document at all, althougth it seems the document apply to it as well.

      Actions

      Login or Register to take actions

      This Document

      Posted April 2, 2012 at 3:00 PM
      Stats:
      Comments:1 Avg. Rating:4
      Views:2414 Contributors:1
      Shares:0

      Related Content

      Documents Leaderboard