Certificate Authority Proxy Function (CAPF) Overview
The Cisco Certificate Authority Proxy Function (CAPF) is a Cisco proprietary service that issues Locally Significant Certificates (LSCs) and authenticates Cisco endpoints. The CAPF service runs on Unified Communications Manager and performs the following tasks:
-
Issues LSCs to supported Cisco Unified IP Phones.
-
Authenticates phones when mixed mode is enabled.
-
Upgrades existing LSCs for phones.
-
Retrieves phone certificates for viewing and troubleshooting.
CAPF Running Modes
You can configure CAPF to operate in the following modes:
-
Cisco Authority Proxy Function—The CAPF service on Unified Communications Manager issues LSCs that are signed by CAPF service itself. This is the default mode.
-
Online CA—Use this option to have an external online CA signed LSC for phones. The CAPF service connects automatically to the external CA. When a Certificate Signing Request (CSR) is manually submitted, the CA signs and returns the CA-signed LSC automatically.
-
Offline CA—Use this option if you want to use an offline external CA to sign LSC for phones. This option requires you to manually download the LSC, submit them to the CA, and then upload the CA-signed certificates after they are ready.
Note
Cisco recommends that if you want to use a third-party CA to sign LSC, use the Online CA option instead of Offline CA as the process is automated, much quicker, and less likely to encounter problems.
CAPF Service Certificate
When Unified Communications Manager is installed, CAPF service is installed automatically and a CAPF-specific system certificate is generated. When security is applied, Cisco CTL Client copies the certificate to all cluster nodes.
Phone Certificate Types
Cisco uses the following X.509v3 certificate types for phones:
-
Locally Significant Certificates (LSC)—A certificate that installs on supported phones after you perform the necessary configuration tasks that are associated with the Cisco Certificate Authority Proxy Function (CAPF). The LSC secures the connection between Unified Communications Manager and the phone after you configure the device security mode for authentication or encryption.
Note
For Online CA, the LSC validity is based on the CA and can be used as long as the CA allows it.
-
Manufacture Installed Certificates (MIC)—Cisco Manufacturing installs MICs automatically in supported phone models. Manufacturer-installed certificates authenticate to Cisco Certificate Authority Proxy Function (CAPF) for LSC installation. You cannot overwrite or delete manufacture-installed certificate.
Note |
Cisco recommends that you use Manufacturer Installed Certificates (MICs) for LSC installation only. Cisco supports LSCs to authenticate the TLS connection with Unified Communications Manager. Since MIC root certificates can be compromised, customers who configure phones to use MICs for TLS authentication or for any other purpose do so at their own risk. Cisco assumes no liability if MICs are compromised. |
LSC Generation via CAPF
After you configure CAPF, add the configured authentication string on the phone. The keys and certificate exchange occurs between the phone and CAPF and the following occurs:
-
The phone authenticates itself to CAPF using the configured authentication method.
-
The phone generates its public-private key pair.
-
The phone forwards its public key to CAPF in a signed message.
-
The private key remains in the phone and never gets exposed externally.
-
CAPF signs the phone certificate and sends the certificate to the phone in a signed message.
Note |
Be aware that the phone user can abort the certificate operation or view the operation status on the phone. |
Note |
Key generation set at low priority allows the phone to function while the action occurs. Although the phone functions during certification generation, additional TLS traffic may cause minimal call-processing interruptions with the phone. For example, audio glitches may occur when the certificate is written to flash at the end of the installation |