
Certificate Trust List

Author: Guest Authors, 7 October 2009

Excerpted from the “VoIP Phone Hardening – Part 2” white paper. Download the complete paper from our Knowledge Center.

Within Cisco's implementation of Public Key Infrastructure (PKI) there are multiple PKI roots that each phone must trust. The phone keeps a list of all the PKI roots it should trust, called the Cisco Certificate Trust List (CTL).

The CTL is created by a CTL client, obtained as a plug-in on the CUCM server. The CTL client holds a list of trusted devices, which is the data to be signed. That data is passed to the security token, a USB device that is a small computer acting like a CA: it holds a private key, a public key and a certificate, and is capable of signing data. The CTL client passes the data to the security token, where it is signed, and the signed data is passed back to the CTL client. The private key never leaves the security token. The process requires two security tokens, as one is kept as a backup in case something happens to the first.

After the CTL is created by the CTL client, the phones obtain it during their next reboot. The first download of the CTL is not secured and must be done on a trusted network to ensure the CTL has not been falsified by an attacker. The exposure exists only during the first download, because at that point an IP phone will accept any CTL; any updated list must be verified using the correct key pairs.

The phone uses the CTL in the following situations:

  • Encrypted Signaling – The IP phone verifies the certificate received from the CUCM against the CTL to authenticate the CUCM.
  • LSC Enrollment – The IP phone requests enrollment with the CAPF and receives a certificate from the CAPF service. This certificate is verified against the CTL to authenticate the CAPF service.
  • Signed IP Phone Configuration Files – The TFTP server signs the configuration files with its private key. The phone looks in the CTL for the corresponding public key to verify the signature on the configuration file.
  • Signed CTL Files – The CTL is signed by the CTL client, and the phone must verify the new CTL against the previous CTL to authenticate the update. If the phone does not have a CTL, it will accept any CTL the first time. Therefore, a trusted network must be used for first-time
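The trust rules described above, modelled as an added Go example (not Cisco's code or the white paper's): a phone accepts its first CTL unverified, verifies every later CTL with the CTL-signer key from the list it already holds, and checks a signed TFTP configuration file against the TFTP key in the CTL. Ed25519 stands in for the security token's key pair; the role names, the list layout and the `Phone` type are constructed assumptions.

```go
package main
import (
	"crypto/ed25519"
	"errors"
	"sort"
)
// CTL is a constructed, simplified model of the Certificate Trust List: trusted public
// keys by role plus the security token's signature over them. Role names are assumptions.
type CTL struct {
	Version byte
	Keys    map[string]ed25519.PublicKey // e.g. "CTL-signer", "TFTP", "CUCM", "CAPF"
	Sig     []byte
}
// Payload serialises the list deterministically (sorted roles) so signer and verifier agree.
func (c *CTL) Payload() []byte {
	roles := make([]string, 0, len(c.Keys))
	for r := range c.Keys {
		roles = append(roles, r)
	}
	sort.Strings(roles)
	out := []byte{c.Version}
	for _, r := range roles {
		out = append(append(append(out, byte(len(r))), r...), c.Keys[r]...)
	}
	return out
}
// Sign plays the security token: the private key stays with the caller, only the signature returns.
func (c *CTL) Sign(token ed25519.PrivateKey) { c.Sig = ed25519.Sign(token, c.Payload()) }
// trusted reports whether sig over msg was made by the key the list holds under role.
func (c *CTL) trusted(role string, msg, sig []byte) bool {
	key, ok := c.Keys[role]
	return ok && ed25519.Verify(key, msg, sig)
}
var ErrUntrusted = errors.New("ctl: signature not made by a key in the installed CTL")
// Phone holds the CTL currently installed on the handset (constructed type).
type Phone struct{ ctl *CTL }
// InstallCTL accepts the first list unverified (trust on first use, hence the trusted-network
// requirement); every later list must be signed by the CTL-signer key the phone already holds.
func (p *Phone) InstallCTL(c *CTL) error {
	if p.ctl != nil && !p.ctl.trusted("CTL-signer", c.Payload(), c.Sig) {
		return ErrUntrusted
	}
	p.ctl = c
	return nil
}
// VerifyConfig checks a TFTP-served configuration file against the TFTP key in the CTL.
func (p *Phone) VerifyConfig(cfg, sig []byte) error {
	if p.ctl == nil || !p.ctl.trusted("TFTP", cfg, sig) {
		return ErrUntrusted
	}
	return nil
}
```

A phone that already holds a CTL rejects a list signed by any other key, while a phone with no CTL installs the same list without complaint, which is exactly why the first download must happen on a trusted network.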
