Cisco Support Community

Client Certificates for Cisco Phones

Hello Guys,


I have a question regarding certificates on Cisco wired and wireless phones. I'm coming from the security/wireless side of Cisco, but I need some information about Cisco Call Manager.


We want to switch our network to EAP-TLS. We have a couple of Cisco wired phones and some wireless phones.

For security we need client certificates on those phones. I have read something about a tool which is called "Certificate Authority Proxy Function".

Is there any functionality on CUCM or any tool to provide client certificates via SCEP on those phones automatically?


We have a Microsoft PKI with a SCEP server, so we need some SCEP client functionality on the CUCM/phone side.



Thanks a lot


Kind regards



Hi Philip,


There is a feature where you put a cluster in mixed mode and push down certificates from the CUCM side. This is something that needs to be done in the lab before it's tried in production. If you are running CUCM version 9.x or older, you will need a USB token to enable this feature. In version 10, you can substitute it for MS CA:


Please rate useful posts.

The CUCM cluster doesn't need to run mixed mode in order to push down certificates via CAPF.  Assuming you're running newer model phones and CUCM 8.x+, the phones will be able to trust CAPF for certificate installation due to the ITL.  I install LSCs on non-secure clusters all the time.


Most of the phones also have a manufacturer-installed certificate (MIC) that you can use as long as you can trust the Cisco Manufacturing CA. That might be easier than pushing down certificates to the phones and having to manage them when they expire every 5 years.
