Cisco TelePresence MCU 4510 Release Notes
Cisco TelePresence MCU 4.4(3.57) Maintenance Release Notes

Appendix: Mutual authentication connections and certificate identity requirements
Local certificate

The MCU can only have one local certificate. In all cases where the MCU needs to present a certificate to
another party, the MCU uses the certificate listed in the Local certificate section of the
Network > SSL certificates page. The MCU ships with a default certificate, which you should replace
before relying on the certificate for security purposes.
Your local certificate must be configured in such a way that it can be correctly identified by the remote party,
whether the remote party is an HTTPS client of the MCU, an HTTPS server to which the MCU connects, or a
SIP entity that either calls the MCU or is called by the MCU.
Connections that may involve certificate exchange

Connection type                 Settings on Network > SSL certificates page
Incoming SIP call (to MCU)      Verification settings: Outgoing and incoming calls
Outgoing SIP call (from MCU)    Verification settings: Outgoing calls only, or Outgoing and incoming calls
Web interface user (to MCU)     Client certificate security: Verify certificate, Certificate-based authentication allowed, or Certificate-based authentication required
API user (to MCU)               Client certificate security: Verify certificate, Certificate-based authentication allowed, or Certificate-based authentication required
OCSP server (from MCU)          Server certificate security: Verify certificate
Feedback receiver (from MCU)    Server certificate security: Verify certificate
SIP TLS connections and certificate identity requirements

For the following secure SIP connection types, you should ensure that the MCU's local certificate, and any
certificates presented to the MCU, can be identified and verified according to the following guidelines.
Outgoing SIP calls (MCU acting as a client)

The MCU performs a SIP TLS handshake with the called party, and the parties must be able to verify each
other's certificates.

The MCU verifies that the received certificate is trusted by checking against its SIP trust store. The
certificate must be signed by an authority that is in the MCU's SIP trust store.
The MCU identifies the owner of the certificate in the following way:

- The MCU looks for either an IP address or a domain identifier for the remote party in the URI and DNS fields
  of the certificate's subject alternative name (subjectAltName) extension.
- If the subjectAltName is not present, the MCU looks for either an IP address or a domain identifier in the
  certificate's Common Name (CN) field.
Note: If you require TLS on non-proxied SIP calls from the MCU, the MCU's local certificate must identify
the MCU by its IP address. This requirement arises because the remote endpoint will be establishing
TLS connections directly to the MCU, which provides its IP address as its identity.
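The identity rules above (SAN URI/DNS entries first, CN only when no subjectAltName is present, and an IP-address identity for non-proxied calls) as an added illustration; this is not Cisco's code, and the CertIdentity class and the sample values are constructed stand-ins for fields read from a parsed certificate.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentity:
    """Identity fields of a parsed X.509 certificate (constructed stand-in, not a real parser)."""
    common_name: Optional[str] = None
    san_present: bool = False          # True if the subjectAltName extension exists at all
    san_dns: List[str] = field(default_factory=list)
    san_uri: List[str] = field(default_factory=list)


def _host_from_sip_uri(uri: str) -> Optional[str]:
    """Extract the host from a sip:/sips: URI, dropping user, port, parameters and headers."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() not in ("sip", "sips"):
        return None
    rest = rest.split(";", 1)[0].split("?", 1)[0].rsplit("@", 1)[-1]
    if rest.startswith("["):                      # bracketed IPv6 literal
        return rest[1:rest.index("]")] if "]" in rest else None
    return rest.split(":", 1)[0] or None


def _normalise(value: str):
    """IP literals become ipaddress objects; domains are lower-cased with any trailing dot removed."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return value.lower().rstrip(".")


def _identities(cert: CertIdentity) -> List[str]:
    """Identities in the order the appendix describes: SAN URI/DNS first, CN only if no SAN."""
    if cert.san_present:
        hosts = [_host_from_sip_uri(u) for u in cert.san_uri]
        return list(cert.san_dns) + [h for h in hosts if h]
    return [cert.common_name] if cert.common_name else []


def remote_identity_matches(cert: CertIdentity, expected: str) -> bool:
    """True if the certificate identifies the remote party as `expected` (an IP address or domain)."""
    target = _normalise(expected)
    return any(_normalise(c) == target for c in _identities(cert))


def identifies_by_ip(cert: CertIdentity) -> bool:
    """True if the certificate carries an IP-address identity, as required for non-proxied SIP TLS."""
    ip_types = (ipaddress.IPv4Address, ipaddress.IPv6Address)
    return any(isinstance(_normalise(c), ip_types) for c in _identities(cert))
```

Note that when a subjectAltName is present the CN is never consulted, so a certificate whose only matching name sits in the CN will fail identification once any SAN entry is added.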