.. _certificate-authority-functions-fields:

Certificate Authority Functions Fields
---------------------------------------

This table provides details on the available fields for Certificate Authority
Functions when configuring phones (see :ref:`configure_phones`).

.. tabularcolumns:: |p{4cm}|p{11cm}|

+-----------------+----------------------------------------+
| Title           | Description                            |
+=================+========================================+
| Certificate     | From the drop-down list box,           |
| Operation *     | choose one of the following            |
|                 | options:                               |
|                 |                                        |
|                 | No Pending Operation: Displays when no |
|                 | certificate operation is               |
|                 | occurring (default setting).           |
|                 |                                        |
|                 | Install/Upgrade: Installs a new        |
|                 | or upgrades an existing locally        |
|                 | significant certificate in the phone.  |
|                 |                                        |
|                 | Delete: Deletes the                    |
|                 | locally significant certificate        |
|                 | that exists in the phone.              |
|                 |                                        |
|                 | Troubleshoot: Retrieves the            |
|                 | locally significant certificate        |
|                 | (LSC) or the manufacture-installed     |
|                 | certificate (MIC), so you can view     |
|                 | the certificate credentials in the     |
|                 | CAPF trace file. If both certificate   |
|                 | types exist in the phone, Cisco        |
|                 | Unified CM creates two trace files,    |
|                 | one for each certificate type. By      |
|                 | choosing the Troubleshoot option,      |
|                 | you can verify that an LSC or MIC      |
|                 | exists in the phone. For more          |
|                 | information on CAPF operations, see    |
|                 | the Cisco Unified Communications       |
|                 | Manager Security Guide.                |
|                 |                                        |
|                 | Default: No Pending Operation          |
+-----------------+----------------------------------------+
| Authentication  | This field allows you to choose        |
| Mode            | the authentication method that         |
|                 | the phone uses during the CAPF         |
|                 | certificate operation. From the        |
|                 | drop-down list box, choose one of      |
|                 | the following options:                 |
|                 |                                        |
|                 | By Authentication String:              |
|                 | Installs/upgrades, deletes, or         |
|                 | troubleshoots a locally significant    |
|                 | certificate only when the user enters  |
|                 | the CAPF authentication string on the  |
|                 | phone.                                 |
|                 |                                        |
|                 | By Null String: Installs/upgrades,     |
|                 | deletes, or troubleshoots a locally    |
|                 | significant certificate without user   |
|                 | intervention. This option provides no  |
|                 | security; Cisco strongly recommends    |
|                 | that you choose this option only for   |
|                 | closed, secure environments.           |
|                 |                                        |
|                 | By Existing Certificate (Precedence to |
|                 | LSC): Installs/upgrades, deletes, or   |
|                 | troubleshoots a locally significant    |
|                 | certificate if a manufacture-installed |
|                 | certificate (MIC) or locally           |
|                 | significant certificate (LSC) exists   |
|                 | in the phone. If an LSC exists in the  |
|                 | phone, authentication occurs via the   |
|                 | LSC, regardless of whether a MIC       |
|                 | exists in the phone. If a MIC and LSC  |
|                 | exist in the phone, authentication     |
|                 | occurs via the LSC. If an LSC does not |
|                 | exist in the phone, but a MIC does     |
|                 | exist, authentication occurs via the   |
|                 | MIC. Before you choose this option,    |
|                 | verify that a certificate exists in    |
|                 | the phone. If you choose this option   |
|                 | and no certificate exists in the       |
|                 | phone, the operation fails. At any     |
|                 | time, the phone uses only one          |
|                 | certificate to authenticate to CAPF    |
|                 | even though a MIC and LSC can exist in |
|                 | the phone at the same time. If the     |
|                 | primary certificate, which takes       |
|                 | precedence, becomes compromised for    |
|                 | any reason, or if you want to          |
|                 | authenticate via the other             |
|                 | certificate, you must update the       |
|                 | authentication mode.                   |
|                 |                                        |
|                 | By Existing Certificate (Precedence to |
|                 | MIC): Installs, upgrades, deletes, or  |
|                 | troubleshoots a locally significant    |
|                 | certificate if an LSC or MIC exists in |
|                 | the phone. If a MIC exists in the      |
|                 | phone, authentication occurs via the   |
|                 | MIC, regardless of whether an LSC      |
|                 | exists in the phone. If an LSC exists  |
|                 | in the phone, but a MIC does not       |
|                 | exist, authentication occurs via the   |
|                 | LSC. Before you choose this option,    |
|                 | verify that a certificate exists in    |
|                 | the phone. If you choose this option   |
|                 | and no certificate exists in the       |
|                 | phone, the operation fails.            |
|                 |                                        |
|                 | Note: The CAPF settings that are       |
|                 | configured in the Phone Security       |
|                 | Profile window interact with the CAPF  |
|                 | parameters that are configured in the  |
|                 | Phone Configuration window.            |
|                 |                                        |
|                 | Default: By Null String                |
+-----------------+----------------------------------------+

.. tabularcolumns:: |p{4cm}|p{11cm}|

+-----------------+----------------------------------------+
| Title           | Description                            |
+=================+========================================+
| Authentication  | If you chose the By Authentication     |
| String          | String option in the Authentication    |
|                 | Mode drop-down list box, this field    |
|                 | applies. Manually enter a string or    |
|                 | generate a string by clicking the      |
|                 | Generate String button. Ensure that    |
|                 | the string contains 4 to 10 digits.    |
|                 | To install, upgrade, delete, or        |
|                 | troubleshoot a locally significant     |
|                 | certificate, the phone user or         |
|                 | administrator must enter the           |
|                 | authentication string on the phone.    |
+-----------------+----------------------------------------+
| Authentication  | Enter the URL that the phone uses to   |
| Server          | validate requests that are made to the |
|                 | phone web server. If you do not        |
|                 | provide an authentication URL, the     |
|                 | advanced features on the Cisco Unified |
|                 | IP Phone that require authentication   |
|                 | will not function. By default, this    |
|                 | URL accesses a Cisco Unified           |
|                 | Communications Self Care Portal window |
|                 | that was configured during             |
|                 | installation. Leave this field blank   |
|                 | to accept the default setting.         |
+-----------------+----------------------------------------+
| Key Order       | ``keyOrder`` can be updated only if    |
|                 | the ``certificateOperation`` field is  |
|                 | Install/Upgrade, Delete or             |
|                 | Troubleshoot.                          |
|                 |                                        |
|                 | Default: RSA Only                      |
+-----------------+----------------------------------------+
| Key Size (Bits) | For this setting that is used for      |
|                 | CAPF, choose the key size for the      |
|                 | certificate from the drop-down         |
|                 | list box. The default setting          |
|                 | equals 1024. Other options             |
|                 | include 512 and 2048. If you           |
|                 | choose a higher key size than the      |
|                 | default setting, the phones take       |
|                 | longer to generate the entropy         |
|                 | that is required to generate the       |
|                 | keys. Key generation, which is         |
|                 | set at low priority, allows the        |
|                 | phone to function while the            |
|                 | action occurs. Depending on the        |
|                 | phone model, you may notice that       |
|                 | key generation takes up to 30 or       |
|                 | more minutes to complete.              |
|                 |                                        |
|                 | Note: The CAPF settings that are       |
|                 | configured in the Phone Security       |
|                 | Profile window interact with the CAPF  |
|                 | parameters that are configured in the  |
|                 | Phone Configuration window.            |
|                 |                                        |
|                 | Default: 1024                          |
+-----------------+----------------------------------------+
| EC Key Size     | ``ecKeySize`` can be updated only if   |
| (Bits)          | the ``certificateOperation`` field is  |
|                 | Install/Upgrade, Delete or             |
|                 | Troubleshoot.                          |
|                 |                                        |
|                 | Default: 384                           |
+-----------------+----------------------------------------+
| Operation       | The completion deadline for the        |
| Completes By    | operation (CCYY:MM:DD:HH:MM)           |
+-----------------+----------------------------------------+
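
The rules in the tables above (authentication string length, certificate precedence, when ``keyOrder`` and ``ecKeySize`` may be updated, and the deadline format) can be checked before an update is submitted. The following Python check is an added example, not Cisco or project code; apart from ``certificateOperation``, ``keyOrder`` and ``ecKeySize``, the dictionary keys and the function names are hypothetical.

```python
import re
from datetime import datetime

# Operations under which keyOrder / ecKeySize may be updated (per the table).
ACTIVE_OPS = {"Install/Upgrade", "Delete", "Troubleshoot"}
LSC_FIRST = "By Existing Certificate (Precedence to LSC)"
MIC_FIRST = "By Existing Certificate (Precedence to MIC)"
# Constructed sample update. Only certificateOperation, keyOrder and ecKeySize
# are names from the page; the other keys are hypothetical.
SAMPLE = {
    "certificateOperation": "No Pending Operation",
    "keyOrder": "RSA Only",
    "authenticationMode": "By Authentication String",
    "authenticationString": "123", "operationCompletesBy": "2030-01-31 17:30",
}

def auth_certificate(mode, has_lsc, has_mic):
    """Certificate the phone presents to CAPF, or None if neither exists."""
    order = ("LSC", "MIC") if mode == LSC_FIRST else ("MIC", "LSC")
    present = {"LSC": has_lsc, "MIC": has_mic}
    return next((c for c in order if present[c]), None)

def audit_capf(cfg, has_lsc=False, has_mic=False):
    """Check the fields set in one update; return a list of findings."""
    findings = []
    op = cfg.get("certificateOperation", "No Pending Operation")
    mode = cfg.get("authenticationMode", "By Null String")
    if mode == "By Null String":
        findings.append("auth-mode: By Null String provides no security")
    elif mode == "By Authentication String":
        if not re.fullmatch(r"[0-9]{4,10}", cfg.get("authenticationString", "")):
            findings.append("auth-string: must be 4 to 10 digits")
    elif mode in (LSC_FIRST, MIC_FIRST):
        if auth_certificate(mode, has_lsc, has_mic) is None:
            findings.append("auth-mode: no LSC or MIC, operation will fail")
    else:
        findings.append("auth-mode: not a listed option")
    for field in ("keyOrder", "ecKeySize"):
        if field in cfg and op not in ACTIVE_OPS:
            findings.append(f"{field}: cannot be updated while '{op}'")
    if cfg.get("keySize", 1024) not in (512, 1024, 2048):
        findings.append("key-size: must be 512, 1024 or 2048")
    deadline = cfg.get("operationCompletesBy")
    try:
        if deadline is not None:
            datetime.strptime(deadline, "%Y:%m:%d:%H:%M")
    except ValueError:
        findings.append("deadline: expected CCYY:MM:DD:HH:MM")
    return findings
```

Calling ``audit_capf(SAMPLE)`` returns three findings for the constructed update; an empty dictionary falls back to the documented defaults and is flagged for By Null String.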