Configuring Secure SRST for SCCP and SIP
How to Configure Secure Unified SRST
193
Cisco Unified SCCP and SIP SRST System Administrator Guide
OL-13143-04
Enabling Credentials Service on the Secure Cisco Unified SRST Router
Once the Cisco Unified SRST Router has its own certificate, you need to provide the certificate to Cisco Unified Communications Manager. Enabling credentials service allows Cisco Unified Communications Manager to retrieve the secure SRST device certificate and place it in the configuration file of the Cisco Unified IP Phone.
Activate credentials service on all Cisco Unified SRST Routers.
Note
A security best practice is to protect the credentials service port using Control Plane Policing. Control Plane Policing protects the gateway and maintains packet forwarding and protocol states despite a heavy traffic load. For more information on control planes, see the Control Plane Policing documentation. In addition, a sample configuration is given in the “Control Plane Policing: Example” section on page 220.
Step 2
Command or Action: show crypto pki server
Example:
Router# show crypto pki server
Certificate Server srstcaserver:
    Status: enabled
    Server's configuration is locked (enter "shut" to unlock it)
    Issuer name: CN=srstcaserver
    CA cert fingerprint: AC9919F5 CAFE0560 92B3478A CFF5EC00
    Granting mode is: auto
    Last certificate issued serial number: 0x2
    CA certificate expiration timer: 13:46:57 PST Dec 1 2007
    CRL NextUpdate timer: 14:54:57 PST Jan 19 2005
    Current storage dir: nvram
    Database Level: Complete - all issued certs written as <serialnum>.cer
Purpose: Use the show crypto pki server command to verify the status of the CA server after a boot procedure.
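The post-boot verification described above can be scripted against captured command output. The following is an added example, not part of the Cisco guide: it parses show crypto pki server output, rejoins wrapped values, and reports a CA server that is not enabled or whose CA certificate or CRL timers have passed. The function names are hypothetical, and timestamps are assumed to be in the router's local time zone.

```python
import re
from datetime import datetime

# Constructed sample: the output shown above, with its wrapped lines kept.
SAMPLE = """Router# show crypto pki server
Certificate Server srstcaserver:
Status: enabled
Server's configuration is locked (enter "shut" to
unlock it)
Issuer name: CN=srstcaserver
CA cert fingerprint: AC9919F5 CAFE0560 92B3478A
CFF5EC00
CA certificate expiration timer: 13:46:57 PST Dec 1
2007
CRL NextUpdate timer: 14:54:57 PST Jan 19 2005
"""

FIELDS = ("Status", "Issuer name", "CA cert fingerprint", "Granting mode is",
          "CA certificate expiration timer", "CRL NextUpdate timer",
          "Current storage dir", "Database Level")
FIELD_RE = re.compile(r"^(%s):\s*(.*)$" % "|".join(map(re.escape, FIELDS)))

def parse_pki_server(text):
    """Return {field: value}, rejoining values that wrapped onto the next line."""
    out, key = {}, None
    for line in map(str.strip, text.splitlines()):
        m = FIELD_RE.match(line)
        if m:
            key, out[m.group(1)] = m.group(1), m.group(2)
        elif line.startswith("Server's configuration"):
            key, out["Lock note"] = "Lock note", line
        elif key and line:
            out[key] += " " + line   # continuation of a wrapped value
    return out

def parse_timer(value):
    """Parse 'HH:MM:SS TZ Mon D YYYY' as naive router-local time (assumption)."""
    hms, _tz, mon, day, year = value.split()
    return datetime.strptime(f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y")

def check_ca_server(text, now):
    """Return findings; an empty list means every check passed."""
    f, findings = parse_pki_server(text), []
    if f.get("Status") != "enabled":
        findings.append("CA server status is %r" % f.get("Status"))
    for name in ("CA certificate expiration timer", "CRL NextUpdate timer"):
        if name not in f or parse_timer(f[name]) <= now:
            findings.append("%s missing or passed: %r" % (name, f.get(name)))
    return findings
```

Pass the router's current local time as `now`; a non-empty result after a reboot means the CA server needs attention before phones rely on certificates it issued.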