Cisco TelePresence MCU 4510 Release Notes
Appendix: Mutual authentication connections and certificate identity requirements
Cisco TelePresence MCU 4.4(3.57) Maintenance Release Notes
Incoming SIP calls (MCU acting as a server)
The MCU performs a SIP TLS handshake with the calling party, and the parties must be able to verify each
other's certificates.
The MCU verifies that the received certificate is trusted by checking against its SIP trust store. The
certificate must be signed by an authority that is in the MCU's SIP trust store.
HTTPS connections and certificate identity requirements
For the following secure HTTP connection types, you should ensure that the MCU's local certificate, and any
certificates presented to the MCU, can be identified and verified according to the following guidelines.
Client connections (MCU acting as a server)
This applies when API users and web interface users connect to the MCU if those clients are required, by the
MCU's configuration, to present certificates.
The MCU verifies that the received certificate is trusted by checking against its HTTPS trust store. The
certificate must be signed by an authority that is in the MCU's HTTPS trust store.
If certificate-based login is allowed or required, the MCU also checks the received certificate's common
name. If it matches a stored username, then the client logs in as that user.
Server connections (MCU acting as a client)
This applies when the MCU connects to a feedback receiver or an OCSP server if those servers are required,
by the MCU's configuration, to present certificates.
The MCU verifies that the received certificate is trusted by checking against its HTTPS trust store. The
certificate must be signed by an authority that is in the MCU's HTTPS trust store.
The MCU identifies the owner of the certificate in the following way:
- The MCU checks the DNS field of the certificate’s subject alternative name (subjectAltName) extension
  for a domain identifier.
- If the DNS field is absent (or if the whole subjectAltName extension is absent), then the MCU will look at
  the common name for a domain identifier (IP address is not allowed in common name).
- The MCU also checks the IP address field of the certificate’s subject alternative name
  (subjectAltName) extension, if present.
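
The identification rules above, written out as an added example for checking a feedback receiver or OCSP server certificate before deployment; this is not Cisco's code. The function names, the certificate layout (that of Python's ssl getpeercert()), the exact-match comparison and the reading that the common name is consulted only when no DNS entry exists are assumptions of this example.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def mcu_identifiers(cert):
    """Return (dns_names, ip_addresses) taken from cert by the rules above.

    cert uses the dict layout returned by Python's ssl getpeercert().
    """
    san = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in san if k == "DNS"]
    ips = [ipaddress.ip_address(v) for k, v in san if k == "IP Address"]
    if not dns:
        # No DNS entry (or no subjectAltName at all): fall back to the common name.
        cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
        # An IP address in the common name is not accepted as an identifier.
        dns = [cn.lower() for cn in cns if not _is_ip(cn)]
    return dns, ips

def identifies(cert, configured_address):
    """Assumption: exact, case-insensitive match with the address the MCU connects to."""
    dns, ips = mcu_identifiers(cert)
    if _is_ip(configured_address):
        return ipaddress.ip_address(configured_address) in ips
    return configured_address.lower() in dns

# Constructed sample certificates (documentation names and addresses only).
SAN_BOTH = {"subject": ((("commonName", "old-name.example.com"),),),
            "subjectAltName": (("DNS", "feedback.example.com"), ("IP Address", "192.0.2.10"))}
CN_ONLY = {"subject": ((("commonName", "ocsp.example.com"),),)}
CN_IS_IP = {"subject": ((("commonName", "192.0.2.20"),),)}
SAN_IP_ONLY = {"subject": ((("commonName", "recv.example.com"),),),
               "subjectAltName": (("IP Address", "192.0.2.30"),)}

if __name__ == "__main__":
    for name, cert in [("SAN_BOTH", SAN_BOTH), ("CN_ONLY", CN_ONLY),
                       ("CN_IS_IP", CN_IS_IP), ("SAN_IP_ONLY", SAN_IP_ONLY)]:
        print(name, mcu_identifiers(cert))
```

A certificate like CN_IS_IP yields no usable identifier under these rules, so a server reached by IP address needs that address in the subjectAltName IP address field.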