THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Affected Product Name | Description | Comments |
---|---|---|
ATA191-3PW-K9 | 191 Analog Telephone Adapter for MPP | |
ATA192-3PW-K9 | 192 Analog Telephone Adapter for MPP with switch | |
CP-6821-3PCC-K9= | Cisco 6821 Phone for MPP Systems | |
CP-6841-3PCC-K9= | ^Cisco 6841 Phone for MPP Systems | |
CP-6851-3PCC-K9= | Cisco 6851 Phone for MPP, Grey | |
CP-6861-3PW-K9 | ^Cisco 6861 Phone with power adapter for MPP Systems | |
CP-6871-3PCC-K9= | Cisco 6871 Phone for MPP, Color | |
CP-7811-3PCC-K9= | Cisco IP Phone 7811 with Multiplatform Phone firmware | |
CP-7821-3PCC-K9= | Cisco IP Phone 7821 with Multiplatform Phone firmware | |
CP-7832-3PCC-K9= | Cisco 7832 Conference Phone for MPP | |
CP-7841-3PCC-K9= | Cisco IP Phone 7841 with Multiplatform Phone firmware | |
CP-7861-3PCC-K9= | Cisco IP Phone 7861 for 3rd Party Call Control | |
CP-8811-3PCC-K9= | Cisco IP Phone 8811 with Multiplatform Phone firmware | |
CP-8832-3PCC-K9= | Cisco 8832 for North America, charcoal, spare | |
CP-8841-3PCC-K9= | Cisco IP Phone 8841 with Multiplatform Phone firmware | |
CP-8845-3PCC-K9= | Cisco IP Phone 8845 with MPP Firmware | |
CP-8851-3PCC-K9= | Cisco IP Phone 8851 with Multiplatform Phone firmware | |
CP-8861-3PCC-K9= | Cisco IP Phone 8861 with Multiplatform Phone firmware | |
CP-8865-3PCC-K9= | Cisco IP Phone 8865 with MPP Firmware | |
CP-8875-K9= | Cisco Video Phone 8875, Carbon Black | |
DBS-110-3PC-NA-K9= | Cisco DECT Single-Cell B Stn 110 MPP NA DECT NA PSU | |
DBS-210-3PC-NA-K9= | Cisco IP DECT Base Station 210 Series, 3PCC, US and Canada | |
DP-9841-K9= | Cisco Desk Phone 9841, Carbon Black | |
DP-9851-K9= | Cisco Desk Phone 9851, Carbon Black | |
DP-9861-K9= | Cisco Desk Phone 9861, Carbon Black | |
DP-9871-K9= | Cisco Desk Phone 9871, Carbon Black | |
PAP2T-NA | ^Phone Adapter with 2 Ports for Voice-over-IP (North America) | |
RTP300-NA | ^Broadband Router with 2 Phone Ports | |
SPA112 | ^2 Port Phone Adapter | |
SPA122 | ^ATA with Router | |
SPA2002 | ^Phone Adapter ( 2 FXS ports) | |
SPA2100-S6 | ^Phone Adapter with 2 FXS and 2 Ethernet Ports (LAN + WAN) | |
SPA2102-NA | Single Port Router with 2 Phone Ports (North America) | |
SPA232D | ^Analog Telephone Adapter with DECT Base Station | |
SPA301-G1 | ^1 Line IP Phone | |
SPA302 EXP | SPA302 EXPAND | |
SPA302D-G1 | ^Mobility Enhanced Cordless Handset | |
SPA302DKIT-G1 | ^Multi-Line DECT Handset with Base Station | |
SPA303-G1 | ^3 Line IP Phone w/Display, PC Port & NA Power Adapter | |
SPA3102-NA | ^Single Port Router with 1 Phone Port and 1 FXO Port (NA) | |
SPA400-NA | ^Internet Telephony Gateway with 4 FXO Ports (North America) | |
SPA501G | ^8 Line IP Phone With PoE and PC Port | |
SPA502G | ^1 Line IP Phone With Display, PoE, PC Port | |
SPA504G | ^4 Line IP Phone With Display, PoE and PC Port | |
SPA508G | ^8 Line IP Phone With Display, PoE and PC Port | |
SPA509G | ^12 Line IP Phone With Display, PoE and PC Port | |
SPA512G | ^1 Line IP Phone with Display, PoE and Gigabit PC Port | |
SPA514G | ^4 Line IP Phone with Display, PoE and Gigabit PC Port | |
SPA514G-XU | ^4 Line IP Phone , PoE and Gigabit PC Port -Crypto disabled | |
SPA525G | ^5 Line IP Phone with Color Display, PoE, 802.11g | |
SPA525G2 | ^5-Line IP Phone with Color Display, PoE, 802.11g, Bluetooth | |
SPA8000-G1 | ^8-Port IP Telephony Gateway | |
SPA8800 | ^IP Telephony Gateway with 4 FXS and 4 FXO Ports | |
SPA9000-NA | ^IP Telephony System | |
SPA901-NA | 1-Line IP Telephone (North America) | |
SPA921-NA | 1-Line IP Telephone with 1-Port Ethernet, Display (NA) | |
SPA922-NA | ^1-Line IP Telephone with 2-Port Switch, PoE and Display | |
SPA932 | 32 Button Attendant Console for the SPA962 IP Phone | |
SPA941-NA | IP Phone | |
SPA942-NA | ^2- or 4-Line IP Telephone with 2-Port Ethernet Switch (NA) | |
SPA942P-NA | ^2- or 4-Line IP Telephone with 2-Port Ethernet Switch (EU) | |
SPA962-NA | 6-Line IP Telephone with 2-Port Switch, PoE and Display | |
SRP521W-K9-G1 | SRP521, FE WAN, 802.11n FCC, 2FXS/1FXO, US power | |
SRP526W-K9-G5 | SRP526, ADSL2+ AnnexB, 802.11n ETSI, 2FXS/1FXO, EU/UK power | |
SRP527W-K9-G1 | SRP527, ADSL2+ AnnexA, 802.11n FCC, 2FXS/1FXO, US power | |
SRP531W-CN-K9 | Cisco Service Ready Platform with WiFi | |
SRP532W-CN-K9 | Cisco Service Ready Platform with WiFi and advanced security | |
SRP541W-A-K9 | ^SRP541, GE WAN, 802.11n FCC, 4FXS/1FXO | |
SRP546W-E-K9 | ^SRP546, ADSL2+ AnnexB, 802.11n ETSI, 4FXS/1FXO | |
SRP547W-E-K9 | ^SRP547, ADSL2+ AnnexA, 802.11n ETSI, 4FXS/1FXO | |
WRP400-G1 | ^Wireless-G Broadband Router with 2 Phone Ports | |
WRP500-A-K9 | ^Wireless Router for NA; Pb-Free | |
WRTP54G-NA | ^Wireless-G IP Phone |
Defect ID | Headline |
CSCwi05418 | SPA504G, SPA303 : End of CSR Signing Support |
Cisco Customer Device Activation (CDA), formerly Cisco Enablement Data Orchestration System (EDOS), will end support of Certificate Signing Requests (CSRs) from the following root certificates:
Root Certificate | Support End Date |
---|---|
Cisco Linksys Provisioning Root Authority 1 | 2022 |
Sipura Technology Provisioning Root Authority 1 | Apr 7, 2024 |
Cisco Small Business Provisioning Root Authority 1 | Apr 7, 2024 |
Cisco Small Business Provisioning Root Authority 2 | Maximum validity until May 31, 2025. |
The end of support for CSRs affects all the variants of the Product IDs (PIDs) that are in the Products Affected list. The affected PID list does not list all variants.
Prior to this notice, service providers could create a CSR, upload it to the Cisco CDA portal, and get a signed certificate, which would be installed on the provisioning server. The phone could then validate the server certificate and trust the communication.
The following table lists product options that were previously available on the Cisco CDA web portal to sign CSRs. Currently, only the last option is available for self-service.
Product | Root Certificate | Availability |
---|---|---|
PAP2 WRTP RTP |
Cisco Linksys Provisioning Root Authority 1 | Not available. Support ended in 2022. |
PAP2T WRP400 SPA2xxx SPA3xxx SPA9xx SPA3xx SPA5xx |
Sipura Technology Provisioning Root Authority 1 | Not available. Support ended on Apr 7, 2024. |
SPA1xx SPA232D SPA3xx SPA5xx SRP5xx |
Cisco Small Business Provisioning Root Authority 1 | Not available. Support ended on Apr 7, 2024. |
SPA1xx Firmware Release 1.3.3 and later SPA232D Firmware Release 1.3.3 and later SPA5xx Firmware Release 7.5.6 and later CP-68xx-3PCC CP-78xx-3PCC/CP-88xx-3PCC/DP-98xx/ ATA19X/DBS-X10 |
Cisco Small Business Provisioning Root Authority 2 | Available until May 31, 2025, with maximum validity of issued certificate till May 31, 2025. |
After CSR signing support has ended, service providers will not be able to get Cisco signed server certificates through the CDA service to provision and operate their Cisco IP Phones and Analog Telephone Adapters (ATAs).
Solution
On devices for which CSR signing is still supported, renew the certificate one more time. Note the following:
Going forward, get the server certificate signed by a preferred certificate authority. To get ready for the transition, review the following information carefully to become familiar with options based on the type of devices that are deployed, and act now while there is still a working server certificate.
Multiplatform Phones (MPP) / ATAs
Linksys and SPA Phones and ATAs
These devices are already at the end of software support and are vulnerable due to a lack of security patches. The best course of action is to replace those devices with currently supported devices before the impact date:
As workaround for Linksys, SPA Phones, and ATAs, while implementing a device replacement plan and if the end-of-support device and its firmware support custom CA URL configuration, consider getting the server certificate signed by well-known certificate authority.
Install a Custom CA Root Certificate
Host the custom CA root cert on the server and install it by specifying the path to the custom CA cert using the Custom CA URL parameter for the phone or ATA configurations. Cisco recommends trying this first in a lab setup and then deploying in production.
Configuration examples:
Verify the custom CA installation status:
<Custom_CA_Status> <Custom_CA_Provisioning_Status>[06/16/2024 15:48:28][ http://your-file-server.test/root-cert.crt]Custom CA Download Succeeded. </Custom_CA_Provisioning_Status> <Custom_CA_Info>Installed - /C=US/O=Your-Telephony-Org/CN=Your-favorite-CA</Custom_CA_Info> </Custom_CA_Status>
Resources
The end of support for CSR affects all the variants of the PIDs listed in the Products Affected list. The affected PID list does not list all variants.
Check the server certificate and device software release and compare it against the following table to determine CSR signing support end:
Device | End of CSR Signing Support |
---|---|
PAP2T SPA1xx SPA232D SPA2xxx SPA3xx SPA3xxx SPA4xx SPA5xx SPA8xxx SPA9xx SPA9xxx SRP5xx WRP400 WRP500 |
CSR signing support ended on April 7, 2024, if the server certificate is issued from either Sipura Technology Provisioning Root Authority or Cisco Small Business Provisioning Root Authority 1. |
SPA1xx Firmware Release 1.3.3 and later SPA232D Firmware Release 1.3.3 and later SPA5xx Firmware Release 7.5.6 and later CP-68xx-3PCC CP-78xx-3PCC/CP-88xx-3PCC/DP-98xx/ ATA19X/DBS-X10 |
Support ends on May 31, 2025, if the server certificate is issued from Cisco Small Business Provisioning Root Authority 2. |
Version | Description | Section | Date |
1.1 | Added PIDs and corresponding information throughout the field notice. | All | 2024-AUG-09 |
1.0 | Initial Release | — | 2024-JAN-11 |
For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:
To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications.
Unleash the Power of TAC's Virtual Assistance