Secure SRST

1     Introduction

This report explains and gives the steps to be done to activate secure SRST, on tis report I use the router as Certificate authority (CA) , if you use their part CA , there will be a slight difference ,some steps has to be done manually

This report is based on the following reference:

2     Pre-Request

  • You must activate security mixed mode on the callmanager
  • You must deactivate the SRST on the router by typing( no call-manager-fallback)
  • You must activate the http server on the Cisco Router by typing (ip http server) , this will allow the enrolment with the CA server

Note: The call manager has two modes, non secure mode and mixed mode, when using mixed mode both IP phone (secure profile and non secure profile can register with the CUCM)

Note: To use mixed mode you must buy the security tokens and use the CTL client to upload the certificate

3     Procedure

3.1    Create the certificate Authority (CA)

Router(config)# crypto pki server srstcaserver

Router(cs-server)# database level complete

Router(cs-server)# database url nvram

Router(cs-server)# issuer-name CN=srstcaserver

Router(cs-server)# grant auto

% This will cause all certificate requests to be automatically granted.

Are you sure you want to do this? [yes/no]: y

Router(cs-server)# no shutdown

% Once you start the server, you can no longer change some of

% the configuration.

Are you sure you want to do this? [yes/no]: y

% Generating 1024 bit RSA keys …[OK]

% Certificate Server enabled.

Note: The    grant auto command is used to allow the automatic acceptance of enrolment to the CA server

3.2    Enrolment to the CA server

3.2.1   Configure the parameters of the certificate

Router(config)#crypto pki trustpoint srstca

Router(ca-trustpoint)# enrollment url http://X.X.X.X

Router(ca-trustpoint)# revocation-check none

Router(ca-trustpoint)# exit

The X.X.X.X is the IP address of the SRST Router, with the configuration above, you say, my certificate name is srstca , it will enroll with the server x.x.x.x , it will be valid for ever

3.2.2   authentication of the certificate

Router(config)# crypto pki authenticate srstca

Certificate has the following attributes:

Fingerprint MD5: 4C894B7D 71DBA53F 50C65FD7 75DDBFCA

Fingerprint SHA1: 5C3B6B9E EFA40927 9DF6A826 58DA618A BF39F291

% Do you accept this certificate? [yes/no]: y

Trustpoint CA certificate accepted.

3.2.3   Enrollement of the certificate

Router(config)# crypto pki enroll srstca


% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

password to the CA Administrator in order to revoke your certificate.

For security reasons your password will not be saved in the configuration.

Please make a note of it.


Re-enter password:

% The fully-qualified domain name in the certificate will be:

% The subject name in the certificate will be:

% Include the router serial number in the subject name? [yes/no]: y

% The serial number in the certificate will be: D0B9E79C

% Include an IP address in the subject name? [no]: n

Request certificate from CA? [yes/no]: y

% Certificate request sent to Certificate Authority

% The certificate request fingerprint will be displayed.

% The ‘show crypto pki certificate’ command will also show the fingerprint.

3.2.4   Deactivate the Auto enrollment

crypto pki server srstcaserver


no grant auto

no shutdown

Note: For security reason deactivate auto enrollment on the CA server

3.3    Enabling Credentials Service

The credential service allow automatic exchange of the certificate between the SRST router and the CUCM


ip source-address  x.x.x.x  port 2445

trustpoint srstca


In this step you says , the certificate to exchange automatically with the CUCM  is  srstca , and it will be done through the port 2445 and the given interface x.x.x.x

Note: The x.x.x.x is the IP address of the SRST router

3.4    Importing CUCM certificates

3.4.1   download CUCM certificates

From Cisco Unified Communications Operating System Administration, under certificate management menue download all certificates in PEM listed under CAPF-trust, including :





CAPF, and


Also download any CAPF-xxx certificates that are listed under CallManager-trust only

Note: Not all of the above certificate are needed for recent callmanager >5.x  , importing all of them will ensure the validation of this procedure

Note: the needed certificate for CUCM 8.5 is Cisco_Root_CA_2048.pem ,  Cisco_Manufacturing_CA.pem,  CAP-RTP-001.pem , CAPF.pem


Hint: How to decide which certificate to import

The last version of CUCM when  writing this procedure was 8.6 , you may want to refer to last procedure from cisco to verify if there is any modification .

The name of the certification may change in future version, here is a way I could verify the needed certifications. Open the certification file in a text editor program (Notepad++) And verify the end of the certificate , it must match the one indicated by Cisco Guide

Ex :

In the Cisco guide it says execute the following command crypto pki trustpoint CiscoCA

CiscoCA is the name of the trust point or the certificate, you will never find this name on the callmanager Certificate managemanet page (>5.X)

When comparing the certificate in the Cisco guide













You will notice that it ends with 2Q== the only certificate on the call manager that ends with 2Q== is CAP-RTP-001.pem certificate

I have also noticed that CAPF-82c946c6.pem and CAPF.pem is in fact the same certificate

Below is the name of each certificate file name found on the CUCM 8.6 and the only needed certificate to be imported.


CAP-RTP-001.pem= CiscoCA

Cisco_Manufacturing_CA.pem= CiscoManufactureCA

Cisco_Root_CA_2048.pem= CiscoRootCA2048

3.4.2   Import CUCM certificate to the SRST Router


Router(config)# crypto pki trustpoint CAPF

Router(ca-trustpoint)# revocation-check none

Router(ca-trustpoint)# enrollment terminal

Router(ca-trustpoint)# exit

Router(config)# crypto pki authenticate CAPF

Now open the CAPF.pem with a text editor and copy and paste all the text inside ,then hit enter until you get the below prompt :

Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

% Certificate successfully imported

Repeat the same steps to the rest of the certificates:


Router(config)# crypto pki trustpoint CiscoCA

Router(ca-trustpoint)# revocation-check none

Router(ca-trustpoint)# enrollment terminal

Router(ca-trustpoint)# exit

Router(config)# crypto pki authenticate CiscoCA


Router(config)# crypto pki trustpoint CiscoManufactureCA

Router(ca-trustpoint)# revocation-check none

Router(ca-trustpoint)# enrollment terminal

Router(ca-trustpoint)# exit

Router(config)# crypto pki authenticate CiscoManufactureCA


Router(config)# crypto pki trustpoint CiscoRootCA2048

Router(ca-trustpoint)# revocation-check none

Router(ca-trustpoint)# enrollment terminal

Router(ca-trustpoint)# exit

Router(config)# crypto pki authenticate CiscoRootCA2048

3.5   Activate secure SRST on the CUCM

Go to SRST part and check secure SRST, then click on the update button

This entry was posted in CallManager, LAB, SRST and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s