Certificate Authority Proxy Function Overview
The Certificate Authority Proxy Function (CAPF) issues Locally Significant Certificates (LSCs) and authenticates endpoints.
The CAPF service runs on Unified Communications Manager and performs the following tasks:
- Issues LSCs to supported Cisco Unified IP Phones.
- Authenticates phones while the cluster is in mixed mode.
- Upgrades existing LSCs for phones.
- Retrieves phone certificates for viewing and troubleshooting.
CAPF Service Certificate
The CAPF service is installed automatically with Unified Communications Manager, and a CAPF-specific system certificate is generated during installation.
Important: The following note applies only from Release 14SU2 onwards.

Note: Every CAPF certificate must carry the following X.509 extensions, which are the defaults: X509v3 Basic Constraints: CA:TRUE, pathlen:0, and X509v3 Key Usage: Digital Signature, Certificate Sign. If either extension is missing from a CAPF certificate, the TLS connection fails.
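Before uploading a certificate for CAPF use, it is worth confirming that it actually carries the two extensions above rather than discovering the TLS failure on the phones. The following is an added example by the editor, not Cisco code and not something the page ships: a pure-Python DER walk that reports whether a certificate (PEM or DER bytes) has Basic Constraints CA:TRUE with pathlen:0 and Key Usage digitalSignature plus keyCertSign. The sample certificates it builds are constructed inline, unsigned placeholders so the check runs offline; against a real certificate exported from Unified Communications Manager, pass the file contents to check_capf_extensions().

```python
"""Check a certificate for the X.509 extensions CAPF requires from 14SU2:
Basic Constraints CA:TRUE, pathlen:0 and Key Usage digitalSignature +
keyCertSign.  Pure-Python DER walk; added example, not Cisco code."""
import base64

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_KEY_USAGE = "2.5.29.15"

def _encode_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    """Minimal DER tag-length-value encoder."""
    return bytes([tag]) + _encode_len(len(body)) + body

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def oid(dotted):
    """DER-encode an OBJECT IDENTIFIER from dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

_BC_OID = oid(OID_BASIC_CONSTRAINTS)[2:]   # OID body without tag/length
_KU_OID = oid(OID_KEY_USAGE)[2:]

def read_tlv(buf, off):
    """Decode one DER element at buf[off]; return (tag, body, next_offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def _pem_to_der(data):
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if l and not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data

def check_capf_extensions(cert_bytes):
    """Return {'basic_constraints_ok': bool, 'key_usage_ok': bool}; both must be True."""
    der = _pem_to_der(cert_bytes)
    _, cert, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)          # tbsCertificate
    result = {"basic_constraints_ok": False, "key_usage_ok": False}
    extensions, off = None, 0
    while off < len(tbs):
        tag, body, off = read_tlv(tbs, off)
        if tag == 0xA3:                    # [3] EXPLICIT Extensions (v3 certs only)
            _, extensions, _ = read_tlv(body, 0)
    off = 0
    while extensions is not None and off < len(extensions):
        _, ext, off = read_tlv(extensions, off)
        _, ext_oid, pos = read_tlv(ext, 0)
        tag, value, pos = read_tlv(ext, pos)
        if tag == 0x01:                    # optional 'critical' BOOLEAN precedes the value
            tag, value, pos = read_tlv(ext, pos)
        if ext_oid == _BC_OID:
            # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }
            _, bc, _ = read_tlv(value, 0)
            ca_true, path_len, p = False, None, 0
            while p < len(bc):
                tag, item, p = read_tlv(bc, p)
                if tag == 0x01:
                    ca_true = item == b"\xff"
                elif tag == 0x02:
                    path_len = int.from_bytes(item, "big")
            result["basic_constraints_ok"] = ca_true and path_len == 0
        elif ext_oid == _KU_OID:
            _, bits, _ = read_tlv(value, 0)  # BIT STRING: unused-bit count, then flag byte
            flags = bits[1] if len(bits) > 1 else 0
            # digitalSignature is bit 0 (0x80); keyCertSign is bit 5 (0x04)
            result["key_usage_ok"] = bool(flags & 0x80) and bool(flags & 0x04)
    return result

def build_sample_cert(with_capf_extensions):
    """Constructed, unsigned v3 certificate with placeholder names, key and
    signature, only so the check can be exercised offline."""
    exts = []
    if with_capf_extensions:
        bc = seq(tlv(0x01, b"\xff"), tlv(0x02, b"\x00"))               # CA:TRUE, pathlen:0
        exts.append(seq(oid(OID_BASIC_CONSTRAINTS), tlv(0x01, b"\xff"), tlv(0x04, bc)))
        ku = tlv(0x03, b"\x02\x84")                # 2 unused bits; 0x84 = digitalSignature|keyCertSign
        exts.append(seq(oid(OID_KEY_USAGE), tlv(0x01, b"\xff"), tlv(0x04, ku)))
    parts = [
        tlv(0xA0, tlv(0x02, b"\x02")),                                  # version v3
        tlv(0x02, b"\x01"),                                             # serialNumber
        seq(oid("1.2.840.113549.1.1.11"), tlv(0x05, b"")),              # sha256WithRSAEncryption
        seq(),                                                          # issuer (empty placeholder)
        seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"340101000000Z")),  # validity
        seq(),                                                          # subject (empty placeholder)
        seq(seq(oid("1.2.840.113549.1.1.1"), tlv(0x05, b"")), tlv(0x03, b"\x00")),  # SPKI placeholder
    ]
    if exts:
        parts.append(tlv(0xA3, seq(*exts)))
    return seq(seq(*parts), seq(oid("1.2.840.113549.1.1.11"), tlv(0x05, b"")), tlv(0x03, b"\x00"))
```

The check deliberately requires pathlen to be present and equal to 0, matching the note; a certificate with CA:TRUE and no path length constraint is reported as non-compliant so that it is reviewed before upload rather than silently accepted.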
You can configure CAPF to operate in the following modes:

| Mode | Description |
|---|---|
| Cisco Authority Proxy Function | Default. The CAPF service on Unified Communications Manager issues LSCs signed by the CAPF service certificate. |
| Online CA | Use this option to have LSCs for phones signed by an external online CA. The CAPF service connects automatically to the external CA; when a Certificate Signing Request (CSR) is manually submitted, the CA signs the LSC and returns it automatically. |
| Offline CA | Use this option to have LSCs for phones signed by an offline external CA. Manually download the certificate signing requests for the phones, submit them to the CA, and upload the CA-signed certificates once they are ready. |
Before you generate LSCs, make sure that you have the following:

- Unified Communications Manager Release 12.5 or later.
- Endpoints that use CAPF for certificates (including Cisco Unified IP Phones and Jabber).
- Microsoft Windows Server 2012 or 2016 with a CA configured.
- Domain Name Service (DNS).

As a prerequisite, also decide how you want to authenticate your phones.
Upload the CA root certificate and the HTTPS certificate to the required trust stores before you generate LSCs. Internet Information Services (IIS) hosts the HTTPS certificate. For secure SIP connections, the HTTPS certificate must be in the CAPF-trust store, and the CA root certificate must be in both the CAPF-trust and the Unified Communications Manager-trust stores. The CA root certificate identifies the CA that signs the Certificate Signing Requests (CSRs).
The scenarios for uploading the certificates are as follows:

| Scenario | Action |
|---|---|
| The CA root and HTTPS certificates are the same. | Upload the CA root certificate. |
| The CA root and HTTPS certificates are different, and the same CA root certificate issues the HTTPS certificate. | Upload the CA root certificate. |
| The CA root certificate issues the intermediate CA certificate and the HTTPS certificate, which are different. | Upload the CA root certificate. |
| The same CA root certificate issues the CA root and HTTPS certificates, which are different. | Upload the CA root and HTTPS certificates. |
Note: We recommend running CAPF operations during a scheduled maintenance window, because generating many certificates at the same time can interrupt call processing.