.. _certificate-authority-functions-fields:

Certificate Authority Functions Fields
---------------------------------------

This table provides details on the available fields
for Certificate Authority Functions when configuring phones -
see :ref:`configure_phones`.


.. tabularcolumns:: |p{4cm}|p{11cm}|

+-----------------+----------------------------------------+
| Title           | Description                            |
+=================+========================================+
|                 | From the drop-down list box,           |
|                 | choose one of the following            |
|                 | options:                               |
|                 |                                        |
|                 | No Pending Operation: Displays when no |
|                 | certificate operation is               |
|                 | occurring (default setting).           |
|                 |                                        |
|                 | Install/Upgrade: Installs a new        |
|                 | or upgrades an existing locally        |
|                 | significant certificate in the phone.  |
|                 |                                        |
|                 | Delete: Deletes the                    |
|                 | locally significant certificate        |
|                 | that exists in the phone.              |
|                 |                                        |
|                 | Troubleshoot: Retrieves the            |
|                 | locally significant certificate        |
| Certificate     | (LSC) or the manufacture               |
| Operation *     | installed certificate (MIC), so        |
|                 | you can view the certificate           |
|                 | credentials in the CAPF trace          |
|                 | file. If both certificate types        |
|                 | exist in the phone, Cisco Unified      |
|                 | CM creates two trace files, one        |
|                 | for each certificate type. By          |
|                 | choosing the Troubleshoot              |
|                 | option, you can verify that an         |
|                 | LSC or MIC exists in the phone.        |
|                 | For more information on CAPF           |
|                 | operations, see the Cisco Unified      |
|                 | Communications Manager Security        |
|                 | Guide.                                 |
|                 |                                        |
|                 | Default: No Pending                    |
|                 | Operation                              |
+-----------------+----------------------------------------+
|                 | This field allows you to choose        |
|                 | the authentication method that         |
|                 | the phone uses during the CAPF         |
|                 | certificate operation. From the        |
|                 | drop-down list box, choose one of      |
|                 | the following options:                 |
|                 |                                        |
|                 | By Authentication                      |
|                 | String: Installs/upgrades,             |
|                 | deletes, or troubleshoots a            |
|                 | locally significant certificate        |
|                 | only when the user enters the          |
|                 | CAPF authentication string on the      |
|                 | phone.                                 |
|                 |                                        |
|                 | By Null String:                        |
|                 | Installs/upgrades, deletes, or         |
|                 | troubleshoots a locally                |
|                 | significant certificate without        |
|                 | user intervention. This option         |
|                 | provides no security; Cisco            |
|                 | strongly recommends that you           |
|                 | choose this option only for            |
|                 | closed, secure environments.           |
|                 |                                        |
|                 | By Existing Certificate (Precedence    |
|                 | to LSC): Installs/upgrades,            |
|                 | deletes, or troubleshoots a            |
|                 | locally significant certificate        |
|                 | if a manufacture-installed             |
|                 | certificate (MIC) or locally           |
|                 | significant certificate (LSC)          |
|                 | exists in the phone. If an LSC         |
|                 | exists in the phone,                   |
|                 | authentication occurs via the          |
|                 | LSC, regardless of whether a MIC       |
|                 | exists in the phone. If a MIC and      |
|                 | LSC exist in the phone,                |
|                 | authentication occurs via the          |
|                 | LSC. If an LSC does not exist in       |
|                 | the phone, but a MIC does exist,       |
|                 | authentication occurs via the          |
| Authentication  | MIC. Before you choose this            |
| Mode            | option, verify that a certificate      |
|                 | exists in the phone. If you            |
|                 | choose this option and no              |
|                 | certificate exists in the phone,       |
|                 | the operation fails. At any time,      |
|                 | the phone uses only one                |
|                 | certificate to authenticate to         |
|                 | CAPF even though a MIC and LSC         |
|                 | can exist in the phone at the          |
|                 | same time. If the primary              |
|                 | certificate, which takes               |
|                 | precedence, becomes compromised        |
|                 | for any reason, or, if you want        |
|                 | to authenticate via the other          |
|                 | certificate, you must update the       |
|                 | authentication mode.                   |
|                 |                                        |
|                 | By Existing Certificate (Precedence to |
|                 | MIC): Installs, upgrades,              |
|                 | deletes, or troubleshoots a            |
|                 | locally significant certificate        |
|                 | if an LSC or MIC exists in the         |
|                 | phone. If a MIC exists in the          |
|                 | phone, authentication occurs via       |
|                 | the MIC, regardless of whether an LSC  |
|                 | exists in the phone. If an LSC         |
|                 | exists in the phone, but a MIC         |
|                 | does not exist, authentication         |
|                 | occurs via the LSC. Before you         |
|                 | choose this option, verify that a      |
|                 | certificate exists in the phone.       |
|                 | If you choose this option and no       |
|                 | certificate exists in the phone,       |
|                 | the operation fails. Note: The         |
|                 | CAPF settings that are configured      |
|                 | in the Phone Security Profile          |
|                 | window interact with the CAPF          |
|                 | parameters that are configured in      |
|                 | the Phone Configuration window.        |
|                 |                                        |
|                 | Default: By Null String                |
+-----------------+----------------------------------------+



.. tabularcolumns:: |p{4cm}|p{11cm}|

+-----------------+----------------------------------------+
| Title           | Description                            |
+=================+========================================+
|                 | If you chose the By                    |
|                 | Authentication String option in        |
|                 | the Authentication Mode drop-down      |
|                 | list box, this field applies.          |
|                 | Manually enter a string or             |
|                 | generate a string by clicking the      |
| Authentication  | Generate String button. Ensure         |
| String          | that the string contains 4 to 10       |
|                 | digits. To install, upgrade,           |
|                 | delete, or troubleshoot a locally      |
|                 | significant certificate, the           |
|                 | phone user or administrator must       |
|                 | enter the authentication string        |
|                 | on the phone.                          |
+-----------------+----------------------------------------+
|                 | Enter the URL that the phone uses      |
|                 | to validate requests that are          |
|                 | made to the phone web server. If       |
|                 | you do not provide an                  |
|                 | authentication URL, the advanced       |
|                 | features on the Cisco Unified IP       |
| Authentication  | Phone that require authentication      |
| Server          | will not function. By default,         |
|                 | this URL accesses a Cisco Unified      |
|                 | Communications Self Care Portal        |
|                 | window that was configured during      |
|                 | installation. Leave this field         |
|                 | blank to accept the default            |
|                 | setting.                               |
+-----------------+----------------------------------------+
|                 | ``keyOrder`` can be updated only if    |
|                 | the ``certificateOperation`` field is  |
| Key Order       | Install/Upgrade, Delete or             |
|                 | Troubleshoot. Default: RSA Only        |
|                 |                                        |
+-----------------+----------------------------------------+
|                 | For this setting that is used for      |
|                 | CAPF, choose the key size for the      |
|                 | certificate from the drop-down         |
|                 | list box. The default setting          |
|                 | equals 1024. Other options             |
|                 | include 512 and 2048. If you           |
|                 | choose a higher key size than the      |
|                 | default setting, the phones take       |
|                 | longer to generate the entropy         |
|                 | that is required to generate the       |
|                 | keys. Key generation, which is         |
| Key Size (Bits) | set at low priority, allows the        |
|                 | phone to function while the            |
|                 | action occurs. Depending on the        |
|                 | phone model, you may notice that       |
|                 | key generation takes up to 30 or       |
|                 | more minutes to complete. Note:        |
|                 | The CAPF settings that are             |
|                 | configured in the Phone Security       |
|                 | Profile window interact with the       |
|                 | CAPF parameters that are               |
|                 | configured in the Phone                |
|                 | Configuration window. Default:         |
|                 | 1024                                   |
+-----------------+----------------------------------------+
|                 | ``ecKeySize`` can be updated only if   |
| EC Key Size     | the ``certificateOperation`` field is  |
| (Bits)          | Install/Upgrade, Delete or             |
|                 | Troubleshoot. Default: 384             |
|                 |                                        |
+-----------------+----------------------------------------+
|                 |                                        |
| Operation       | The completion deadline for the        |
| Completes By    | operation (CCYY:MM:DD:HH:MM)           |
|                 |                                        |
+-----------------+----------------------------------------+
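
The field rules in the two tables above can be checked before a phone configuration is submitted. The following is an added example, not code from the product or its documentation: it resolves which certificate authenticates the phone to CAPF under each precedence mode and flags settings the tables describe as failing or insecure. The dictionary keys ``authenticationMode``, ``authenticationString``, ``keySize``, ``hasLSC`` and ``hasMIC`` are hypothetical names, and the 2048-bit threshold is a policy assumed for this example.

```python
import re

# Option labels as written in the tables above.
NULL_STRING = "By Null String"
AUTH_STRING = "By Authentication String"
LSC_FIRST = "By Existing Certificate (Precedence to LSC)"
MIC_FIRST = "By Existing Certificate (Precedence to MIC)"
ACTIVE_OPS = {"Install/Upgrade", "Delete", "Troubleshoot"}


def authenticating_cert(mode, has_lsc, has_mic):
    """Certificate the phone presents to CAPF ('LSC' or 'MIC'), or None
    when neither exists and the operation therefore fails."""
    order = ("LSC", "MIC") if mode == LSC_FIRST else ("MIC", "LSC")
    present = {"LSC": has_lsc, "MIC": has_mic}
    return next((cert for cert in order if present[cert]), None)


def audit(phone):
    """Return findings for one phone's CAPF settings.

    Keys other than certificateOperation, keyOrder and ecKeySize are
    hypothetical names chosen for this example."""
    findings = []
    op = phone.get("certificateOperation", "No Pending Operation")
    mode = phone.get("authenticationMode", NULL_STRING)
    if op not in ACTIVE_OPS:
        # keyOrder and ecKeySize are only updatable during an active operation.
        return [f"{k} set while no operation is pending"
                for k in ("keyOrder", "ecKeySize") if k in phone]
    if mode == NULL_STRING:
        findings.append("null string: operation runs without authentication")
    elif mode == AUTH_STRING:
        value = str(phone.get("authenticationString", ""))
        if not re.fullmatch(r"[0-9]{4,10}", value):
            findings.append("authentication string must be 4 to 10 digits")
    elif mode in (LSC_FIRST, MIC_FIRST):
        if authenticating_cert(mode, phone.get("hasLSC", False),
                               phone.get("hasMIC", False)) is None:
            findings.append("no LSC or MIC in phone: operation will fail")
    else:
        findings.append(f"unknown authentication mode: {mode!r}")
    # Added policy, not from the table: RSA keys below 2048 bits are flagged.
    if (op == "Install/Upgrade" and phone.get("keyOrder", "RSA Only") == "RSA Only"
            and phone.get("keySize", 1024) < 2048):
        findings.append("RSA key size below 2048 bits")
    return findings
```

Calling ``audit({"certificateOperation": "Install/Upgrade"})`` exercises the table defaults (By Null String, 1024-bit RSA) and returns two findings.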