Cisco Blogs

Cisco IP Phone Certificates and Secure Communications

September 13, 2012 - 3 Comments

Securing Cisco IP phone communications is important that helps organizations protect trade secrets and facilitate business and compliance requirements. Cisco IP phones support secure communication for both control and data channels. The security that is incorporated into Cisco IP phones includes the encryption and authentication of signaling communications between the Cisco IP phones and the Cisco Unified Communications Manager. Moreover, Cisco Unified Communications Manager supports encryption, authentication, and anti-replay protection of the voice packets that are exchanged between Cisco IP phones.

Voice is secured utilizing Secure Real-Time Transport Protocol (SRTP), which exchanges keying material through signaling sessions. Signaling is secured using TLS or VPNs. Given the various methodologies for securing voice communication, certificates can play an important role in the authentication of voice endpoints. Moreover, administrators should utilize Locally Significant Certificates (LSC) on Cisco IP phones whenever possible. USB security tokens, used for Certificate Trust List (CTL) installation on the Cisco Unified Communications Manager in secure mode, must also be securely stored. The key sizes and algorithms that are used in the above protocols also need to be of acceptable security for today’s technology.

For more information on how to secure Cisco IP Phone communications, refer to our Cisco IP Phone Certificates and Secure Communications whitepaper.

The whitepaper summarizes the basic security and encryption features that are supported by Cisco IP phones, Cisco Unified Communications Manager servers, and related Cisco voice products. Furthermore, it is intended to provide best practices for enabling securely-encrypted Unified Communications frameworks.

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. Interesting post Panos. how long is the life cycle to these certs and what would be the renewal process?

    • Thank you Rob.

      The MIC certs are installed on the phone itself and cannot be re-installed or changed. But as far as LSC’s are concerned, our recommendation is to use 2048-bit certs. These are considered secure for today and the years to come.

      Currently, we do not recommend to revoke these certs unless there is a compromise, a design change, a security concern, or the key-size is deemed “short” for state-of-the-art processing speeds. Even US NSA today suggests that 2048-bit RSA keys are considered secure for SECRET level data.

      More details about the certs themselves can be found in the whitepaper