Addressing Cisco Field Notice FN74094 - Ending Support for CSR Signing on Cisco CDA


Field Notice Summary

Cisco is ending support for Certificate Signing Requests (CSRs) from several root certificates, with different end dates:

This affects various Cisco VoIP devices, including IP phones and Analog Telephone Adapters (ATAs). Previously, service providers could create a CSR, upload it to the Cisco CDA portal, and get a signed certificate for their provisioning server, which phones could validate.

Certificates issued through this portal will expire on May 31, 2025.

Affected CNAMES

  • Phonism utilized signed certificates from the Cisco CDA portal to enable secure provisioning of supported devices against the following CNAMES:

    • c.phonism.com

    • mtls.c.phonism.com

    • c.euw1.phonism.com

    • mtls.c.euw1.phonism.com

  • Customers who whitelabeled Phonism with a custom CNAME for either c. or mtls.c. were required to generate SSL certificates through the Cisco CDA portal and submit them to Phonism for installation on Phonism provisioning servers.

What does this mean for my Cisco devices?

  • On May 31, 2025, Cisco devices securely provisioning against any of the CNAMES listed above will be unable to provision from Phonism.

How is Phonism adapting to these changes?

Beginning on 2025-05-08, the following changes will take effect:

  • The c. and mtls.c. endpoints will be considered legacy endpoints.

    • They will continue to be functional for https provisioning until May 31, 2025, when the Cisco-issued certificates expire.

    • Devices provisioning against c. using http will continue to work indefinitely.

  • On next provision, Cisco devices will be migrated to utilize p. and mtls.p. CNAMES, consolidating the provisioning of all devices under a single CNAME.

  • Phonism will install the appropriate Custom_CA_Rule on Cisco devices.

    • Through this parameter, we will be installing the Root Certificate Authority certificates on Cisco devices so that they can securely provision from Phonism.

  • The changes above apply to Whitelabel CNAMES as well.

Who is affected?

  • All customers with Cisco devices provisioning from Phonism using https.

  • Phonism has performed an audit of Cisco devices across our deployments and we will be reaching out directly to affected customers.

Who is NOT affected?

  • Customers who use http (not https) to provision their Cisco devices are unaffected.

What actions are needed to avoid an interruption in service?

  • Devices provisioning against c. using http do not have any required action.

  • Customers using https against c. or mtls.c. must have their devices reprovision from Phonism before May 31st, 2025 to receive the latest configuration that will ensure secure provisioning going forward.

    • The updated configuration will redirect their provisioning to p. and mtls.p. CNAMES respectively and configure the device to install the corresponding Root CA Certificates required to validate the SSL Certificates presented by our servers.

What can I do if I miss the May 31st deadline?

  • If the deadline is missed, Cisco devices must be directed to provision from <http://boot.phonism.com> by any convenient means available to you.

    • Provisioning from boot. will install the First-Boot configuration, which is a minimal configuration that configures the device to securely provision from Phonism by setting the correct provisioning URLs and installing SSL certificates.
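
To see which devices fall into each case above, the rules in this notice can be applied to an inventory of provisioning URLs. The following is an added example, not Phonism or Cisco code; the device IDs, URL paths and the whitelabel host c.voip.example.net are constructed, and whitelabel CNAMEs are assumed to be supplied by the operator.

```python
from datetime import date
from urllib.parse import urlsplit

# Date and hostnames are taken from the notice above.
CERT_EXPIRY = date(2025, 5, 31)
LEGACY_HOSTS = {
    "c.phonism.com", "mtls.c.phonism.com",
    "c.euw1.phonism.com", "mtls.c.euw1.phonism.com",
}

def triage(url, today, whitelabel_hosts=frozenset()):
    """Classify one provisioning URL into the action the notice calls for.

    whitelabel_hosts: custom CNAMEs standing in for c. / mtls.c.
    (assumption: the operator supplies them; they cannot be inferred here).
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    known = LEGACY_HOSTS | {h.lower() for h in whitelabel_hosts}
    if host not in known:
        return "not-legacy"
    if parts.scheme == "http":
        # Mutual TLS cannot run over plain http, so flag that as a data error.
        return "review" if host.startswith("mtls.") else "no-action"
    if parts.scheme != "https":
        return "review"
    # https against a legacy endpoint relies on the Cisco-issued certificate.
    return "reprovision-before-deadline" if today < CERT_EXPIRY else "recover-via-boot"

def audit(inventory, today, whitelabel_hosts=frozenset()):
    """Group device IDs by required action; inventory is (device_id, url) pairs."""
    report = {}
    for device_id, url in inventory:
        report.setdefault(triage(url, today, whitelabel_hosts), []).append(device_id)
    return report

# Constructed sample inventory (device IDs, paths and non-Phonism hosts are made up).
SAMPLE = [
    ("ata-01", "http://c.phonism.com/cfg"),
    ("phone-02", "https://c.phonism.com/cfg"),
    ("phone-03", "HTTPS://MTLS.C.EUW1.PHONISM.COM/cfg"),
    ("phone-04", "https://c.voip.example.net/cfg"),
    ("phone-05", "https://prov.example.org/cfg"),
]

if __name__ == "__main__":
    for day in (date(2025, 5, 20), date(2025, 6, 2)):
        print(day, audit(SAMPLE, day, {"c.voip.example.net"}))
```

Devices reported as "recover-via-boot" are the ones that need the boot. procedure described above; "not-legacy" only means the host is not one of the four listed CNAMES or a supplied whitelabel host.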
